In This Topic

User Authentication
Transport Layer Security (TLS)
Role-Based Access Control (RBAC) and Access Control Lists (ACLs)
Best Practices for Secure Sparkplug Deployments

Due to the critical nature of industrial data and operations Sparkplug components support, security is a fundamental aspect of Sparkplug implementations to protect data, ensure authenticity, and manage authorization. The security is not guaranteed by the software itself. It is only achieved through a coordinated effort which also includes proper deployment, configuration, and maintenance.

User Authentication

Sparkplug supports user authentication primarily through the underlying MQTT broker mechanisms. The broker can authenticate users via a combination of client IDs, usernames and passwords, or certificate-based authentication. Certificates offer a robust method by securely verifying clients using public key infrastructure (PKI). Authentication modes commonly supported include:

None (no authentication)
Username and password
Certificate and password-certificate combinations

Parameters involved in authentication include specifying the username, password, client certificate, and root CA certificate to verify against.

Without further precautions (such as using TLS, or secure WebSocket), the username/password authentication in MQTT can be relatively easily eavesdropped on by an attacker, and the authentication data can be stolen.

Transport Layer Security (TLS)

Sparkplug can leverage TLS to secure MQTT data channels. TLS provides encryption of data in transit, preventing unauthorized interception or tampering. Key points regarding TLS usage in Sparkplug include:

Encrypting all MQTT messages exchanged between clients and brokers.
Authenticating brokers to clients using server-side certificates ensuring clients connect to legitimate brokers.
Optionally authenticating clients to brokers via client certificates for mutual TLS (mTLS).
Supporting CA certificates to validate server certificates.
Configurations often include settings to accept or reject self-signed certificates depending on security requirements.

Role-Based Access Control (RBAC) and Access Control Lists (ACLs)

Sparkplug authentication can be complemented with authorization controls:

RBAC defines roles assigned to users or devices limiting access only to permitted data or functions.
ACLs specify detailed permissions on which topics a user/device can publish or subscribe to in the MQTT namespace.

Best Practices for Secure Sparkplug Deployments

The proper security architecture ensures that only authorized Sparkplug-enabled devices and users can communicate securely and reliably in an IIoT network, protecting both data integrity and privacy.

Use TLS to encrypt all communications.
Use certificate-based authentication whenever possible for strong identity verification.
Enforce RBAC and ACLs to restrict data access and operations based on roles and topic-specific rules.
Carefully manage certificates and trust stores (CA certificates).

Sparkplug is a trademark of Eclipse Foundation, Inc. "MQTT" is a trademark of the OASIS Open standards consortium. Other related terms are trademarks of their respective owners. Any use of these terms on this site is for descriptive purposes only and does not imply any sponsorship, endorsement or affiliation.