How to connect MQTT through a data diode to a cloud broker
Summary
- Download and install Cogent DataHub software on two computers—one inside the data diode, and one outside.
- On the computer outside the data diode, configure the DataHub instance to act as a tunnelling Master.
- On the computer inside the data diode, configure the DataHub Smart MQTT Broker and connect the MQTT device to it.
- Configure that same DataHub to act as a tunnelling Slave, and connect it through the data diode to the DataHub outside, which is acting as the tunnelling Master.
- Configure the DataHub on the outside to act as an MQTT Client, and connect it to the cloud broker.
For more details and options, see the documentation.
DataHub products used: DataHub Smart MQTT Broker, Tunnel/Mirror, DataHub IoT Gateway
Transcript
- How to connect MQTT through a data diode to a cloud broker, using a tunnel from inside the data diode to the cloud broker outside. A data diode protects the data source from all incoming data and external attacks.
- First download and install Cogent DataHub software on two computers.
- One DataHub instance should be installed on a computer inside the data diode to connect to the device. The other should be installed on a computer outside the data diode to connect to the cloud broker.
- We will start with the DataHub instance outside the data diode by configuring it as a tunnel Master.
- On the computer outside the data diode, start the DataHub, and from the Properties window, select the Tunnel/Mirror option. Make sure “Accept plain-text connections” is configured for port 4502. That port must be opened on this computer to make the connection, but no firewall ports need to be open on the computer inside the data diode. Click Apply.
- In the Properties window select Security and then click the Configure button.
- Under Users, click the Add button to add a Built-In User.
- Enter a username and password.
- Uncheck the “Require TOTP Authentication” box because this is a non-interactive connection. Then click OK.
- In the Roles, check the “All Data Full Access” box. Then click OK. The outside DataHub instance is now configured as the tunnel Master.
- Next we will connect the MQTT device to the DataHub instance running on the computer inside the data diode. Switch to that computer.
- On the computer inside the data diode, start the DataHub, and from the Properties window, select the MQTT Broker. Ensure the “Enable MQTT Broker” option is checked, and that “Listen for connections on port 1883” is enabled.
- In Message Content, select “Interpret messages as JSON data point values” and the Simple message format. Then click the Edit button.
- In the Configure Parser dialog window, delete all values in the Per-Point Format entry field.
- Type {value}. This will assign the entire content of each MQTT message to be the value of a DataHub point. See the documentation for other options.
- Click OK to close this window.
- Back in the main configuration, in Options, make sure “Require authentication” and “Use per-topic permissions” are not selected. This will simplify your security requirements for now. See the documentation for enabling security later on. You can keep “Mark data as Not Connected” selected.
- Leave all the other options at the default settings, and click Apply.
- Connect your device to your DataHub MQTT Broker. We are using an MQTT demo program to simulate a device.
- In our simulator, we create an MQTT topic name as a two-part string separated by a slash, like “Device1/Msg1”. The first part of the string is for the DataHub domain and the second part is the point name. Your device may use a different naming convention.
- Publish a test message to the DataHub MQTT Broker.
- Back in your DataHub instance, click View Data to see your data in the Data Browser. The device is now connected.
- Now we will configure the tunnel connection through the data diode.
- Still on the inside computer, select the Tunnel/Mirror option. Make sure the “Act as a tunnel/mirror slave” option is checked, because this DataHub instance is the tunnel slave. Then click the Add Master button to add a tunnel master.
- Enter the IP address or computer name for the Primary Host, the tunnel Master, which is the computer outside the data diode where the other DataHub instance is running. For details about connecting through your data diode, consult your hardware supplier.
- Enter the first part of your MQTT topic name for the Local data domain, as well as for the Remote data domain.
- Enter the username and password for the networked user that you created on the Master.
- For the Data Flow Direction, choose “Write-only” to just send data out of the data diode.
- When the connection is first initiated, you want the device values to override the values held on the cloud side, so choose the “Override the Master’s values” option.
- When the connection is lost, you want the data quality of all points on the Master marked as “Not Connected”, so choose that option.
- Check the “Run in data diode mode” option to enable data diode support. If you don’t have a hardware data diode, this mode enables software emulation. Click OK and Apply.
- Now switch back to the computer outside the data diode.
- On the DataHub instance outside the data diode, click View Data to see the data coming across the tunnel from the device. The data is now updating here.
- For the final step, we will connect the DataHub MQTT Client to the cloud broker.
- Still on the computer outside the data diode, in the DataHub Properties window, select the MQTT Client feature. Check the “Enable MQTT client connections” option, because this DataHub instance will be acting as an MQTT client to the cloud broker. Then click the Add button to configure an MQTT client connection.
- In the Connect to MQTT Broker configuration window we will configure standard MQTT. For Azure IoT Hub, Google IoT, AWS IoT Core, or Sparkplug connections, please see the documentation.
- Create a label for this connection. Then enter the host name or IP address for your MQTT cloud broker. Leave the other connection options at the default settings for now.
- Select the points whose data you wish to push to the MQTT broker.
- You can add a prefix segment to every topic to help identify this connection on the MQTT broker. Leave all the other options at the default settings, and click OK.
- Back in the MQTT Client Configuration, you will see the configured connection. Click Apply, and the Status should change to Running.
- In an MQTT client, connect to the cloud broker. You should be able to access the MQTT message.
- Now you are connected. Data from the MQTT device behind the data diode is being sent to the MQTT broker on the cloud. No data of any kind gets sent back, protecting the OT network from external attacks.
Background
An MQTT client cannot connect through a data diode because MQTT requires two-way data flow just to send data. Before MQTT data can traverse a data diode, it must be received by a broker and converted to a unidirectional protocol. Outside the diode, the data then gets converted back to MQTT.
A typical scenario for MQTT is to connect a device to a cloud server. If that device is behind a data diode, it can be connected to a DataHub Smart MQTT Broker, which uses the Tunnel/Mirror feature to pass the data through the diode. At that point a second DataHub instance receives the data and, acting as an MQTT client, sends it to an MQTT broker running on the cloud.
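As an added illustration (not Skkynet's code and not how DataHub is implemented), the following Python models the data path the transcript configures and the Background describes: the two-part "domain/point" topic convention, the `{value}` Simple format, the Write-only tunnel in data diode mode, and the prefix segment on the outside MQTT Client. Assumptions: payloads are JSON-decoded, the cloud-side topic layout is `prefix/domain/point`, and the sample messages are constructed.

```python
import json
# Constructed sample of what a device publishes to the inside DataHub
# Smart MQTT Broker: topic "domain/point", payload is the bare value.
SAMPLE_MESSAGES = [
    ("Device1/Msg1", b"42.5"),
    ("Device1/Msg2", b'"running"'),
    ("Device1/Alarm", b"true"),
    ("badtopic", b"1"),  # no slash: does not fit the two-part convention
]
def parse_inbound(topic, payload):
    """'Device1/Msg1' -> (domain, point, value); with the Simple format
    "{value}" the whole payload is the value (JSON-decoded, an assumption)."""
    if topic.count("/") != 1:
        return None
    domain, point = topic.split("/")
    text = payload.decode("utf-8", errors="replace")
    try:
        return domain, point, json.loads(text)
    except json.JSONDecodeError:
        return domain, point, text

class WriteOnlyTunnel:
    """Tunnel/Mirror slave in Write-only, data diode mode: updates go out
    to the Master; anything from the Master side is dropped, not applied."""
    def __init__(self, local_domain):
        self.local_domain = local_domain
        self.master_view = {}       # what the Master's Data Browser shows
        self.dropped_inbound = 0
    def push(self, domain, point, value):
        if domain != self.local_domain:
            return False            # not in the tunnelled local domain
        self.master_view[(domain, point)] = value
        return True
    def receive_from_master(self, point, value):
        self.dropped_inbound += 1   # needs the return path the diode blocks
        return False

def outbound_topic(prefix, domain, point):
    """Cloud-side topic with the optional prefix segment (layout assumed)."""
    return "/".join(part for part in (prefix, domain, point) if part)

def run_pipeline(messages, prefix="plantA"):
    """Device -> inside broker -> write-only tunnel -> outside MQTT Client."""
    tunnel = WriteOnlyTunnel("Device1")
    for topic, payload in messages:
        parsed = parse_inbound(topic, payload)
        if parsed:
            tunnel.push(*parsed)
    tunnel.receive_from_master("Msg1", 0)  # a write-back attempt from outside
    published = {outbound_topic(prefix, d, p): v for (d, p), v in tunnel.master_view.items()}
    return published, tunnel.dropped_inbound
```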
Skkynet provides Cogent DataHub secure-by-design software and services to let you acquire, aggregate, monitor, control, visualize, and network live process data in-plant or over insecure external networks, making it ideal for OT to IT and cloud connections. You can isolate control networks from cyber attacks and integrate industrial data under a unified namespace, all without compromising the plant.
