RTI Connext DDS Secure: A Deep Dive into Advanced IoT Security

RTI Connext DDS Secure is rapidly becoming the most sought‑after security solution in the DDS ecosystem. Even though the product is still in beta, customers are already planning to ship it in production environments. Below we answer the most frequently asked questions to give you a clear understanding of what makes this solution stand out.

The new DDS Security standard defines a comprehensive security architecture and model. The beta version was adopted by the OMG in March, and RTI chairs the finalization committee. We are the first vendor with full support for the standard, and we expect to bring it to general availability next year. Other DDS vendors are following, but none currently offer a product that implements the standard.

DDS Security is distinctive for several reasons:

• Comprehensive coverage – The specification addresses authentication, access control, confidentiality, integrity, non‑repudiation, and logging.
• Plug‑in architecture – It defines a set of standard plug‑in components and an interoperable wire protocol, while still allowing customers to implement custom algorithms.
• Topic‑level protection – Security is enforced on individual DDS topics rather than on nodes or connections, giving fine‑grained control that is ideal for Industrial Internet of Things (IIoT) networks.

Unlike many security models that lock down protocols or nodes, DDS Security protects the data flow itself. This approach aligns naturally with IIoT use cases where devices communicate directly with one another and with cloud services.

Example Use Case

Consider a simplified power‑grid monitoring system:

• PMU – A phase‑measurement unit that publishes sensor state.
• CBM – Condition‑based maintenance analytics that reads state and publishes alarms.
• Control – Reads state and writes control set‑points.
• Operator – Can read all topics and write set‑points.

In DDS, this system is expressed as data flows between topics. To secure it with Connext DDS Secure, you provide a configuration file like this:

PMU: State(w)
CBM: State(r); Alarms(w)
Control: State(r), SetPoint(w)
Operator: *(r), Setpoint(w)

The configuration states that PMU can only write the State topic, Control can only read State and write SetPoint, CBM can read State and write Alarms, and the Operator has full read access and can write SetPoint. Connext DDS Secure enforces these constraints directly on the data stream, making the security model intuitive for IIoT systems.

One of the biggest advantages is that the solution requires no changes to your application code. You simply configure the plug‑ins and deploy; the middleware handles the rest.

While no security solution can claim absolute safety, DDS Security complements protection with detection. DDS is a software “DataBus” that allows real‑time monitoring. In partnership with PNNL, we implemented a retrofit security test for the power grid: a secure DDS line replaced an old DNP3 link, and we leveraged Lua scripts to analyze data‑bus traffic and detect anomalies such as compromised nodes or man‑in‑the‑middle attacks.

Built a Secure Industrial Control System with Connext DDS

By combining the robust protection of the DDS Security standard with real‑time detection through the DataBus, you can achieve a layered defense strategy that is both effective and easy to implement.

The product is currently in early‑access release and is already undergoing rigorous testing. One extensive test activity is the USS SECURE cybersecurity test bed, a collaboration that includes the National Security Agency, Department of Defense Information Assurance Range Quantico, Combat Systems Direction Activity Dam Neck, NSWCDD, NSWC Carderock/Philadelphia, Office of Naval Research, Johns Hopkins University Applied Physics Lab, and Real Time Innovations Inc. This test bed evaluates the best combination of cyber‑defense technologies to secure a naval combatant without compromising real‑time deadline performance.

We are proud of Connext DDS Secure’s performance in these demanding environments and believe it will set a new benchmark for IoT security. The product will be generally available next year. For more information, contact your local RTI representative.