Many companies want to migrate their IT infrastructure to cloud platforms. However, in some cases security issues hampers such a process of migration. This is particularly true for the Critical Infrastructure (CI) domain, which represents a fundamental branch of societies. CIs enclose assets essential for the functioning of all countries' fundamental facilities such as energy, telecommunications, water supply, transport, finance, and health. Unlike other sectors, cloud technologies are still far from being widely adopted in CIs. CIs are increasingly target of terrorist cyber-attacks as demonstrated in last years (e.g. "Black Energy 3" in 2015, or "Havex" in 2014). The disclosure or manipulation of CIs sensitive data may have a devastating impact on the society at large. Hence, in order to migrate CIs to the cloud, new advanced hardening mechanisms are certainly needed.

In the context of SERECA project, we demonstrate how Intel SGX jointly with Vert.x can provide unprecedented security for a CI use case: a Water Supply Network Monitoring application (namely RiskBuster). The WSNM administration (EIPLI) is in charge of the management of seven dams in southern Italy. They want to migrate the monitoring infrastructure to the cloud, but they need guarantees regarding data condentiality and, most important, data integrity. 

In such a scenario, Vert.x and Intel SGX are a perfect and suitable combination. SERECA provide the platform able to leverage them. The WSNM is: 1) Easily deployable among the dierent dams and the cloud environment; 2) Highly scalable in front of sensors measurements peaks 3) Highly available in front of failures; 4) High performing in the process of sensors data collection, processing and provision.

From a security point of view, instead, the WSNM leverage the security features of Intel SGX, e.g, the encryption/decryption and the sealing of sensitive measurements into an enclave without leaving the CPU package. 

The reported figure shows the overall architecture of the WSNM pilot application. On the dam-side, a data collector verticle  interfaces, through a ModBus protocol, with a data logger equipment responsible for providing all the sensors data. Then, the acquired measurements are sent encrypted to the registered cloud-verticles through the Vert.x Secure Event Bus. On the cloud-side, the registered verticles  receives the data and, based on their duties, take a specic action on it. Four verticles  are implemented, which communicate among them through the Secure Event Bus. Some of these need to run security sensitive operations and, consequently, make use of Intel SGX.

risk buster arch

Enjoy a demo of the WSNM pilot application!

Action acronym: SERECA
Action full title: "Secure Enclaves for REactive Cloud Applications"
Objective: ICT-07-2014: Advanced Cloud Infrastructures and Services
Grant agreement no: 645011