idnits 2.17.1 draft-tang-iiot-architecture-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): No issues found here.
  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: No issues found here.
  Checking nits according to https://www.ietf.org/id-info/checklist:
    ** The document seems to lack a Security Considerations section.
    ** There are 44 instances of too long lines in the document, the longest one being 54 characters in excess of 72.
  Miscellaneous warnings:
    == The copyright year in the IETF Trust and authors Copyright Line does not match the current year
    -- The document date (8 June 2021) is 1046 days in the past. Is this intentional?
  Checking references for intended status: Informational
    == Outdated reference: A later version (-14) exists of draft-ietf-core-coap-pubsub-09
  Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).
  Run idnits with the --verbose option for more detailed information about the items above.

--------------------------------------------------------------------------------

Industrial Internet of Things                                    C. Tang
Internet-Draft                                                    H. Wen
Intended status: Informational                                   S. Ruan
Expires: 10 December 2021                                        B. Huang
                                                                  X. Feng
                                                     Chongqing University
                                                             8 June 2021

              Architecture Based on IPv6 and 5G for IIoT
                   draft-tang-iiot-architecture-02

Abstract

   As the foundation of the current new round of industrial revolution, the Industrial Internet of Things (IIoT) based on cyber-physical systems (CPS) [smart-factory] has become the focus of research in various countries. One of the key issues in the entire development stage of IIoT is the standardization of the IIoT architecture. With the development of intelligent manufacturing technology, the number of IIoT devices is expected to increase sharply, and large amounts of data will be generated in the industrial manufacturing process. However, traditional industrial networks cannot meet the IIoT requirements for high data rates, low latency, massive connections, interconnection, and interoperability. Current IIoT architectures also have various limitations, including those in mobility, security, scalability, and communication reliability. These limitations hinder the development and implementation of IIoT. As a network layer protocol, IPv6 can solve the problem of IPv4 address exhaustion. Meanwhile, as a high-speed, low-latency, wireless communication technology, 5G has great potential in promoting IIoT. To solve the aforementioned problems, this draft proposes an IIoT architecture based on IPv6 and 5G. The architecture can provide high-speed, low-latency communication services and possesses massive connectivity, mobility, scalability, security, and other features for industrial devices. It can also provide generalized, refined, flexible network services for devices outside factories. Moreover, an information model is defined to standardize the representation of information in IIoT. The security challenges in and recommendations for IIoT are also discussed.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 10 December 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  IIoT Architecture
   3.  Factory Internal Network
     3.1.  Status and Development Trends
     3.2.  Functional View
     3.3.  Network View
     3.4.  Communication Manner
   4.  Factory External Network
     4.1.  Situation
     4.2.  Development Trend
     4.3.  Enterprise Dedicated Line
     4.4.  Mobile Communication Network
   5.  Information Model
   6.  Security Challenges and Recommendations
     6.1.  Sensing Security
     6.2.  Transport Layer Security
     6.3.  Application Layer Security
     6.4.  IIoT Security Solutions
   7.  Terms
   8.  IANA Considerations
   9.  Acknowledgments
   10. Informative References
   Authors' Addresses

1.  Introduction

   IIoT is an industrial and application ecology formed by the comprehensive and deep integration of the Internet, information technology, and industrial systems, and it is a key information infrastructure for the development of industrial intelligence. Its essence is based on the network interconnection between machines, raw materials, control systems, information systems, products, and people. Intelligent control, operation optimization, and production organization reform can be achieved through comprehensive in-depth perception of industrial data, real-time transmission and exchange, fast calculation and processing, and advanced modeling analysis. The
The 111 IIoT foundation is the system architecture, which pertains to the 112 interconnection and intercommunication of the entire industrial 113 system through technologies, such as the Internet of Things and the 114 Internet, to promote the full circulation and seamless integration of 115 industrial data. 117 The communication technology in the industrial network 118 interconnection architecture needs to meet the following major 119 requirements. 121 * (1) High communication rate. The increasing number of 122 manufacturing activities, such as real-time monitoring of all 123 production factors and the entire production process, and the 124 application of cloud computing, edge computing, virtual reality, 125 and augmented reality in the manufacturing industry are expected 126 to generate large amounts of manufacturing data, which need a 127 stable and fast network where data should be more than 25 Mbps 128 [iiot-5g]. 130 * (2) High coverage. The goal of IIoT is to establish "ubiquitous 131 communication." In other words, any area in a manufacturing plant 132 should achieve 100% networking coverage. However, in actual 133 factories, the current communication technology cannot meet the 134 requirements of high coverage due to the complex production 135 environment, such as electromagnetic interference and obstacles. 137 * (3) Low latency. Advanced manufacturing activities, such as 138 human-machine cooperation, machine-machine cooperation, and remote 139 real-time control, have strict requirements on communication 140 delays and generally require low delays (about 1 ms). Although 141 current wireless communication technology has made great progress 142 and the end-to-end delay is about 20-100 ms [iiot-5g], it still 143 cannot meet the urgent need for low delay in IIoT. 145 * (4) Massive connections. Owing to the interconnection of all 146 things in IIoT, the connected devices and the data generated 147 increase exponentially throughout the production process. 
      Wired communication cannot meet the requirements of massive connections because of the difficulty in arranging lines, and wireless communication cannot meet them because of the limited number of access nodes.

   *  (5) Interconnection. Many communication protocols are adopted in the development of industrial networks. Fieldbus protocols include PROFIBUS, Modbus, and HART. Industrial Ethernet protocols include Ethernet/IP, PROFINET, and Modbus TCP, and industrial wireless protocols cover WLAN, Bluetooth, and WirelessHART. The interconnection and interoperability of these protocols are not ideal because they use different technologies at the physical, link, and application layers. This hinders the expansion of IIoT to some extent.

   The main work of the proposed architecture is introduced as follows.

   An industrial network interconnection architecture based on IPv6 and 5G communication technology is designed by combining actual scenarios of factory intelligent manufacturing with the requirements of IIoT for communication technology. The architecture can provide high-speed, high-reliability, low-latency communication services and includes factory internal and external networks. The factory internal network provides massive connection, mobility, device registration and discovery, and security for industrial production-related devices. The factory external network provides generalized, refined, flexible network services for devices outside the factory. An information model is defined to standardize the representation of information in IIoT. The current security challenges in IIoT are presented, and security recommendations are provided.

2.  IIoT Architecture

   In the IIoT architecture, the network is the foundation; it provides the infrastructure for the comprehensive interconnection of people, machines, and things and promotes the full flow and seamless integration of various industrial data. Industrial Internet network connection involves different technical fields with multiple elements and subjects inside and outside the factory and covers a large scope of influence and many optional technologies. Various network connection technologies are available in the industrial field. These technologies are designed for specific industrial scenarios and play a crucial role in those scenarios. However, in terms of data interoperability and seamless integration, they often cannot meet the growing demands of IIoT.

   The overall goal of IIoT network connection is to enhance the interconnection and intercommunication between systems, unlock data from isolated systems and networks, and make data achieve a high value for applications within and across industries.

   This chapter proposes an industrial network system architecture based on the transformation of the factory IP network, which has two major networks (factory internal and external networks), as shown in Figure 1.

   The factory internal network is used to connect the various elements in the factory, including people (e.g., production staff, designers, and external people), machines (e.g., devices and office equipment), materials (e.g., raw materials, work in progress, and finished products), and the environment (e.g., instruments and monitoring devices). The factory internal network is interconnected with enterprise data centers and application servers to support business applications in the factory.
   The factory external network is used to connect smart factories, branches, upstream and downstream collaborative enterprises, industrial cloud data centers, smart products, and users. The data center/application server in the smart factory is interconnected with the industrial cloud data center outside the factory through the factory external network. Branches/collaborative enterprises, users, and smart products are also connected to the industrial cloud data center or enterprise data center through the factory external network. Data intercommunication in IIoT realizes the seamless transfer of data and information among the various elements and systems so that heterogeneous systems can "understand" each other at the data level, thereby realizing data interoperability and information integration. IIoT requires breaking information islands, realizing cross-system data intercommunication, and fusion analysis.

   Therefore, on the one hand, the factory external network needs to support the aggregation of the underlying data generated by the various factory elements and factory products to the data center; on the other hand, it must provide upper-layer applications with access interfaces to heterogeneous system data to support the rapid development and deployment of industrial applications.
    _______________________   __________________   ________
   |Upstream and           | |Industrial        | |        |
   |downstream companies   | |Cloud Platform    | | User   |
   |_______________________| |__________________| |________|
               \                      |                 /
                \                     |                /
                 \ ___________________|_____________/_____
                  {                                       }
                  {        Factory external network       }
                  { (Internet/mobile network/private net) }
                  {                                       }
                  {_______________________________________}
                     /            |            \
                    /             |             \
          _________/_____________|___________\_______________
         {  _______   _______   _______   _______   _______   }
         { |  MES  | |  SCM  | |  ERP  | |  CRM  | |  APP  |  }
         { |_______| |_______| |_______| |_______| |_______|  }
      +--{                                                    }
      |  {          Factory internal cloud platform           }
      |  {____________________________________________________}
      |                  /                 \
      |                 /                   \
      |        _______/_____         ______\______
      |       |   Monitor   |       |   Control   |
      |       |   System    |       |   System    |
      |       |_____________|       |_____________|
      |          _____|__________________________|_______
      |         |         |             |                |
      |      ___|__    ___|__        ___|__        ___|__
      +----|Device|---|Device|--------|Device|------|Device|
           |______|   |______|       |______|      |______|

                        Figure 1: IIoT architecture

   Architecture advantages:

   *  (1) High communication rate. The factory network adopts industrial PON and 5G technology, which can realize high-speed data transmission.

   *  (2) Low communication delay. The Ethernet-based TSN network [tsn] and the 5G wireless network can realize low-latency communication and ensure real-time industrial production.

   *  (3) Massive connections. IPv6 [I-D.ietf-6lowpan-usecases] can assign an IP address to each industrial IoT device, and the 5G network supports the wireless access of numerous IIoT devices.

   *  (4) Scalability. When a new industrial device joins the network, it can register with the edge server. The name and IP address of the device are registered.
      When another industrial device has data and service requirements for the new industrial device, the new industrial device can be found on the edge server to access its data or services.

   *  (5) Mobility. After a device moves across multiple networks, it registers with the edge server again and obtains a new address from the edge server to perform subsequent communication.

   *  (6) Localization of computing and storage. Edge computing technology is used to perform computing or data storage services in edge servers close to industrial sites [edge-computing].

   *  (7) Support for multiple communication protocols. The OPC UA protocol is used; it supports TCP, WebSocket, HTTP, and other transport protocols for device-to-device communication, and it supports UDP broadcast, MQTT, AMQP, and other protocols for Pub/Sub communication [I-D.ietf-core-coap-pubsub].

   *  (8) Cloudization of network services outside the factory. On the basis of cloud computing and enterprise-dedicated line technology, the enterprise business system is deployed to the cloud to facilitate external services. It can also provide segmented services for different scenarios, such as public and private clouds. Network virtualization technology is used to improve the flexibility of network services so that the factory external network can quickly open and adjust services according to enterprise requirements.

3.  Factory Internal Network

3.1.  Status and Development Trends

   In an IIoT factory, on the one hand, the digitization of the factory requires that many existing business processes, once digitized, be carried by the corresponding network.
   On the other hand, a large number of new networked devices (e.g., AGVs, robots, and mobile handheld devices) and new business processes (e.g., performance management, predictive maintenance, and personnel/material positioning) have been introduced. The introduction of new devices and business processes creates new demands on the network. As a result, the two traditional networks in the factory (production and office networks) become multiple networks, which correspondingly changes the network architecture in the factory.

   To break information islands and improve operational efficiency, companies move business systems that were originally deployed on various servers, such as MES, PLM, ERP, SCM, and CRM, to the data center/cloud platform in the factory. The data generated by each networked device and business process must be able to be aggregated in the data center/cloud platform in real time for joint analysis and rapid decision-making. Changes in business system deployment also cause changes in the network architecture.

   The IIoT demand for flexible manufacturing and personalized customization requires the production domain to be flexibly reconfigured according to requirements, and intelligent machines may be adjusted and migrated between different production domains. This requires the network architecture in the factory to adapt to the needs of fast networking and flexible adjustment.

   The factory internal network proposed in this chapter can be understood from two aspects: the functional view and the network view.

3.2.  Functional View

   According to the specific functions of the systems and devices and their location in the network, the factory internal network can be divided into the device, control, and factory management layers, as shown in Figure 2.
    _______           __________________
   |       |         |Factory management|
   |       |<--->    |      device      |<-----+ Factory management layer
   |       |         |__________________|      |
   |       |                  ^                |
   |       |                  |                |
   |       |          ________v_________       |
   |       |<--->    |  Monitor device  |<-----+ Monitoring control layer
   |       |         |__________________|      |
   |       |                  ^                |
   | Edge  |                  |                |
   | server|                  |                |
   |       |          ________v_________       |
   |       |<--->    |  Control device  |<-----+ On-site control layer
   |       |         |__________________|      |
   |       |                  ^                |
   |       |                  |                |
   |       |                  |                |
   |       |          ________v_________       |
   |       |<--->    |  Manufacturing   |<-----+ Device layer
   |       |         |      device      |
   |_______|         |__________________|

                        Figure 2: Functional View

   (1) The device layer participates in data perception and task execution in the manufacturing process. The time resolution granularity can be seconds, milliseconds, or microseconds. Various sensors, transmitters, actuators, RTUs, barcode scanners, RFID readers, and intelligent manufacturing devices (e.g., CNC machine tools, industrial robots, AGVs, and conveyor lines) run on this layer. These devices are collectively referred to as field devices.

   (2) The control layer realizes the monitoring and control of field devices in the manufacturing process. The time resolution granularity can be hours, minutes, seconds, or milliseconds. According to their functions, this layer can be further subdivided as follows:

   *  (i) Monitoring control layer: With operation monitoring as its main task, it also has other management functions, such as advanced control and fault diagnosis. The supervisory control and data acquisition (SCADA) system, human-machine interface (HMI), DCS operator station, real-time database server, and other components run on this layer.
   *  (ii) On-site control layer: It measures and controls the production process, collects process data, performs data conversion and processing, outputs control signals, and realizes logic control, continuous control, and batch control functions. Various programmable control devices, such as PLCs, DCS controllers, industrial computers (IPCs), and other special controllers, run on this layer.

   (3) The factory management layer realizes the production management of the factory and manages workflow/recipe control activities, including maintenance records, detailed production scheduling, and reliability assurance. The time resolution granularity can be days, shifts, hours, minutes, or seconds. The manufacturing execution system (MES), supply chain management (SCM), enterprise resource planning (ERP), and customer relationship management (CRM) run on this layer.

   To achieve IIoT scalability (after a new device joins the network, other devices can access its data or call its services), this architecture adopts device registration and device discovery functions.

   Device registration: When a new device is connected to the network, it registers its name with the edge gateway. The registered name has the format /Service-Name/Gateway-Name/Device-Name, and the IP address of the device is stored and bound to the name.

   Device discovery: When a device needs to access data in other devices or call services in other devices, it queries the edge gateway. It can find the IP addresses of a corresponding group of devices by service name and gateway name, or the IP address of a particular device by service name, gateway name, and device name. After finding the IP address, the device can communicate with the corresponding device.
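   The registration, discovery and re-registration (mobility) behaviour described in Section 2, advantages (4) and (5), and in the two paragraphs above can be captured in a small registry. The following is an added example, not code from the draft or its authors: an in-memory edge-gateway registry keyed by the draft's /Service-Name/Gateway-Name/Device-Name names. The per-segment character rule, the rejection of names that belong to another gateway, and the IPv6 addresses and device names used below are assumptions made for this example; the draft fixes only the three-level layout. A defender's check worth keeping in a real gateway is the same one shown here: reject malformed names and addresses before they are bound, so a rogue registration cannot point an existing name at a different host by accident.

```python
"""Edge-gateway device registry (added example; not from the draft).

Names follow the draft's /Service-Name/Gateway-Name/Device-Name format.
The segment character set, gateway-ownership rule and sample values are
assumptions made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed rule: each of the three segments is a single path element of
# safe characters, so "..", "/" or empty segments can never be registered.
_SEGMENT = re.compile(r"^[A-Za-z0-9_-]{1,63}$")


@dataclass
class EdgeRegistry:
    gateway_name: str
    # registered name -> IP address (string form)
    bindings: Dict[str, str] = field(default_factory=dict)

    def _parse(self, name: str) -> Tuple[str, str, str]:
        parts = name.split("/")
        # "/svc/gw/dev".split("/") -> ["", "svc", "gw", "dev"]
        if len(parts) != 4 or parts[0] != "":
            raise ValueError(f"name must be /Service/Gateway/Device: {name!r}")
        service, gateway, device = parts[1:]
        for seg in (service, gateway, device):
            if not _SEGMENT.match(seg):
                raise ValueError(f"invalid name segment: {seg!r}")
        return service, gateway, device

    def register(self, name: str, address: str) -> None:
        """Bind a device name to its IP address.

        Re-registering an existing name (a device that moved to another
        network and obtained a new address) replaces the old binding.
        """
        _, gateway, _ = self._parse(name)
        if gateway != self.gateway_name:
            raise ValueError(f"{name!r} does not belong to gateway {self.gateway_name!r}")
        ip = ipaddress.ip_address(address)  # raises ValueError on garbage
        self.bindings[name] = str(ip)

    def lookup(self, name: str) -> Optional[str]:
        """Discovery by full name: the single device's address, or None."""
        self._parse(name)
        return self.bindings.get(name)

    def discover(self, service: str, gateway: Optional[str] = None) -> Dict[str, str]:
        """Discovery by service (and gateway) name: every matching device."""
        gateway = gateway or self.gateway_name
        prefix = f"/{service}/{gateway}/"
        self._parse(prefix + "probe")  # validates the two prefix segments
        return {n: a for n, a in self.bindings.items() if n.startswith(prefix)}


def rejects(registry: EdgeRegistry, name: str, address: str) -> bool:
    """True if the registry refuses to bind this (name, address) pair."""
    try:
        registry.register(name, address)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample devices on gateway "gw1" (documentation prefix 2001:db8::/32).
    reg = EdgeRegistry("gw1")
    reg.register("/temperature/gw1/sensor-01", "2001:db8::1")
    reg.register("/temperature/gw1/sensor-02", "2001:db8::2")
    reg.register("/vision/gw1/cam-01", "2001:db8::10")
    print(reg.discover("temperature"))
    reg.register("/temperature/gw1/sensor-01", "2001:db8:1::1")  # device moved
    print(reg.lookup("/temperature/gw1/sensor-01"))
    print(rejects(reg, "/temperature/gw1/../cam-01", "2001:db8::3"))
```

   Group discovery is a prefix match on the two leading segments, which is why the segment validation matters: without it, a name such as /temperature/gw1/../cam-01 would be accepted and silently break the grouping.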
3.3.  Network View

   The factory internal network can be divided into three parts: the edge network, the backbone network, and the factory cloud platform. These parts can be interconnected through industrial PON, as shown in Figure 3.

   Given the diversification of connected production factors, the edge network takes various forms: according to business needs, the edge network can be an industrial control network, an office network, a monitoring network, a positioning network, etc.; according to real-time requirements, the edge network can be a real-time or a non-real-time network; according to the transmission medium, the edge network can be wired or wireless; and according to the communication technology adopted, the edge network can be an industrial Ethernet network, a 5G wireless network, etc. The range of an edge network may be a workshop, an office building, a warehouse, or another area. Each edge network is composed of edge servers, edge gateways, and field devices. Enterprises can weigh business requirements against costs and select appropriate technologies to deploy in each edge network.

   The backbone network is used to realize interconnection between edge networks, cloud platforms/data centers in the factory, and other parts requiring high bandwidth and high speed. The backbone network can be large or small depending on the size of the enterprise. It can be a cluster of fully interconnected routers, or it can include only one or two backbone routers.

   For example, industrial, control, and monitoring devices that need wired connections can be connected through optical fiber to switches that support industrial Ethernet protocols. The physical layer can use industrial PON, and the data link layer can use the TSN protocol, forming a TSN Ethernet edge network.
   Industrial, control, and monitoring devices that need wireless connections can be connected to 5G base stations over 5G radio, forming a 5G wireless edge network.

    ___________________________________________________
   {  _______   _______   _______   _______   _______  }
   { |  MES  | |  SCM  | |  ERP  | |  CRM  | |  APP  | }
   { |_______| |_______| |_______| |_______| |_______| }
   {                                                   }
   {          Factory internal cloud platform          }
   {___________________________________________________}
                             |
                             |
                  ___________|____________
                 |                        |
                 |    Backbone network    |
                 |________________________|
                       /            \
                      /              \
             _______/_____      ______\_________
            | Wired edge  |    | Wireless edge  |
            |   gateway   |    |    gateway     |
            |_____________|    |________________|
        ____________|__________________________|_______
       |              |                 |             |
    ___|___    _______|_______      ____|___     ____|_____
   |       |  | Manufacturing |    | Control|   | Monitor  |
   |Product|  |    device     |    | device |   |  device  |
   |_______|  |_______________|    |________|   |__________|

                         Figure 3: Network view

   The IPv6 protocol can be used at the network layer to realize communication between edge networks that use different protocols and to give industrial, control, and monitoring devices IP connectivity. However, numerous devices and applications still use IPv4. In the transition phase to IPv6, if the number of IPv4 devices and applications is large, the GI-DS-Lite (gateway-initiated DS-Lite) tunnel solution can be used; if the number of IPv4 devices and applications is small, IPv4/IPv6 dual-stack solutions can be adopted.

   The backbone network is used to realize interconnection between edge networks and cloud platforms in the factory, and it requires high bandwidth and high speed. The backbone network can be large or small depending on the size of the enterprise. It can be a cluster of fully interconnected routers, or it may contain only one or two backbone routers.
   The factory cloud platform can be upgraded to a TSN network on the basis of the original standard Ethernet, which can meet the high bandwidth and low latency requirements of industrial cloud platforms. TSN also has excellent compatibility with upper-layer protocols and can support various upper-layer communication protocols. For example, TSN and OPC UA together can solve data intercommunication problems in a factory, and OPC UA data collection and cloud services can be extended to the field level. The proposed architecture can realize all-around, real-time data collection and real-time operation in the production environment.

3.4.  Communication Manner

   Relationship between the functional and network views: Communication between the device layer and the control layer is realized in the edge network. The factory management layer is deployed in the factory cloud platform, and the backbone network is responsible for communication among the device, control, and factory management layers.

   (1) Communication between devices: One-to-one communication between devices uses the client/server (C/S) architecture of OPC UA and supports TCP, WebSocket, and HTTP as transport protocols. An OPC UA server and client are deployed in each of the two devices. When a device needs to access data or send instructions, it uses its own client to initiate communication with the other device's OPC UA server, as shown in Figure 4.
    ____________      Return data      ____________
   |  _______   |  Operation result  |   _______  |
   | |OPC UA |--|------------------|>|OPC UA |   |
   | |Server |<-|------------------|-|Client |   |
   | |_______|  |     Query data     | |_______|  |
   |            |   Send operation   |            |
   |  Device A  |                    |  Device B  |
   |            |     Return data    |            |
   |  _______   |  Operation result  |   _______  |
   | |OPC UA |<-|------------------|-|OPC UA |   |
   | |Client |--|------------------|>|Server |   |
   | |_______|  |     Query data     | |_______|  |
   |____________|   Send operation   |____________|

                   Figure 4: C/S architecture in OPC UA

   One-to-many communication between devices uses the Pub/Sub mechanism of OPC UA and supports multiple transports, such as UDP broadcast, MQTT, and AMQP. If multiple devices need the data held by one device, they subscribe to that device, and the device publishes the data to all of them whenever it collects data or detects a data change, as shown in Figure 5.

                    subscribe
    _____________    message     _____________
   |             |<-------------|   OPC UA    |
   |             |------------->| Subscriber  |
   |             |   publish    |_____________|
   |   OPC UA    |   message
   |  Publisher  |
   |             |   subscribe
   |             |    message    _____________
   |             |<-------------|   OPC UA    |
   |             |------------->| Subscriber  |
   |_____________|   publish    |_____________|
                     message

                   Figure 5: Pub/Sub mechanism in OPC UA

   (2) Communication between a device and the edge server:

   (i) The C/S mode of OPC UA is used for application scenarios involving a large data volume and industrial automation control. For example, in machine vision product quality inspection, a device uses a camera to collect machine vision pictures of the product after the product is manufactured or assembled. The pictures are sent through the OPC UA protocol to the edge server's intelligent detection algorithm for analysis and processing.
   Then, the edge server returns the detection result to the industrial device, and the industrial device performs the next step in accordance with the detection result.

   (ii) The Pub/Sub mode of MQTT is used for communication between edge servers and devices with a small data volume, low bandwidth, and limited hardware resources. For example, in intelligent factory temperature adjustment, the energy-saving management program in the edge server needs to automatically switch on or control the adjustment device according to changes in temperature and humidity. The energy-saving management program in the edge server first subscribes at the edge gateway to the temperature and humidity topic. After a sensor device in the factory periodically collects temperature and humidity data, it publishes the corresponding messages to the edge gateway under the temperature and humidity topic. The edge gateway then pushes the messages to the energy-saving management program in the edge server, which performs the adjustment automatically.

   (3) Communication between a device and the cloud server: Various production management applications run on the factory cloud platform; they realize data collection, process monitoring, industrial device management, quality management, production scheduling, and statistical data analysis for the entire production process to achieve the informatization, intelligence, and flexibility of smart manufacturing management. To realize communication between a device and the cloud server, the OPC UA protocol can be used, with the OPC UA server deployed on the device and the client deployed on the cloud server, so that the cloud server can read real-time production data from the device and send it control instructions.
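   The device-to-edge-server Pub/Sub exchange described in (2)(ii) above can be illustrated with a small in-memory gateway. The following is an added example, not code from the draft or its authors: an MQTT-style topic matcher ('+' and '#' wildcards), a gateway that delivers published messages to matching subscribers, and an energy-saving program that subscribes to the temperature and humidity topic and decides whether to switch the adjustment device on. The topic layout factory/<zone>/temperature-humidity, the 28 degree Celsius setpoint, the sensor readings, and the publish allow-list are all assumptions made for this example; the draft specifies only the subscribe/publish/push flow. The allow-list is the defender's addition: the gateway delivers a reading only from the client registered for that topic, so a device that is not the zone's sensor cannot drive the HVAC by publishing on the sensor's behalf.

```python
"""MQTT-style Pub/Sub gateway for the temperature/humidity scenario
(added example; not from the draft). Topic names, the setpoint, the
publish allow-list and the readings are constructed for this example."""
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

Message = Dict[str, float]
Callback = Callable[[str, Message], None]


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level and '#'
    matches the remaining levels (it is only valid as the last level)."""
    f_parts = filter_.split("/")
    t_parts = topic.split("/")
    for i, f in enumerate(f_parts):
        if f == "#":
            return i == len(f_parts) - 1
        if i >= len(t_parts) or (f != "+" and f != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


class EdgeGateway:
    """Broker role of the edge gateway: holds subscriptions and an
    (assumed) allow-list of which client may publish to which topic."""

    def __init__(self) -> None:
        self._subs: List[Tuple[str, Callback]] = []
        self._publish_acl: Dict[str, Set[str]] = defaultdict(set)
        self.rejected: List[Tuple[str, str]] = []  # (client, topic) dropped

    def allow_publish(self, client: str, topic: str) -> None:
        self._publish_acl[client].add(topic)

    def subscribe(self, filter_: str, callback: Callback) -> None:
        self._subs.append((filter_, callback))

    def publish(self, client: str, topic: str, payload: Message) -> int:
        """Push payload to every matching subscriber; returns the number
        of deliveries. A publish from a client not registered for the
        topic is dropped and recorded instead of delivered."""
        if topic not in self._publish_acl[client]:
            self.rejected.append((client, topic))
            return 0
        delivered = 0
        for filter_, cb in self._subs:
            if topic_matches(filter_, topic):
                cb(topic, payload)
                delivered += 1
        return delivered


class EnergySavingProgram:
    """Subscriber on the edge server: switches the adjustment device on
    when a zone's temperature exceeds the (assumed) setpoint."""

    def __init__(self, gateway: EdgeGateway, max_temp_c: float = 28.0) -> None:
        self.max_temp_c = max_temp_c
        self.actions: List[str] = []
        gateway.subscribe("factory/+/temperature-humidity", self.on_message)

    def on_message(self, topic: str, payload: Message) -> None:
        zone = topic.split("/")[1]
        state = "on" if payload["temperature_c"] > self.max_temp_c else "idle"
        self.actions.append(f"{zone}: hvac {state}")


def run_scenario() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Constructed scenario: two zone sensors publish, one rogue publish
    is dropped. Returns (program actions, rejected publishes)."""
    gw = EdgeGateway()
    program = EnergySavingProgram(gw)
    gw.allow_publish("sensor-a", "factory/zone-a/temperature-humidity")
    gw.allow_publish("sensor-b", "factory/zone-b/temperature-humidity")
    gw.publish("sensor-a", "factory/zone-a/temperature-humidity",
               {"temperature_c": 31.5, "humidity": 60.0})
    gw.publish("sensor-b", "factory/zone-b/temperature-humidity",
               {"temperature_c": 22.0, "humidity": 45.0})
    # sensor-b is not registered for zone-a's topic: dropped, not delivered
    gw.publish("sensor-b", "factory/zone-a/temperature-humidity",
               {"temperature_c": 99.0, "humidity": 1.0})
    return program.actions, gw.rejected


if __name__ == "__main__":
    actions, rejected = run_scenario()
    print(actions)   # ['zone-a: hvac on', 'zone-b: hvac idle']
    print(rejected)  # [('sensor-b', 'factory/zone-a/temperature-humidity')]
```

   The single-level '+' wildcard lets one subscription cover every zone without also matching deeper or unrelated topics; the rejected list is what a gateway would surface to monitoring, since a publish on a topic the client is not registered for is the kind of event worth alerting on.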
   Alternatively, the cloud server subscribes to the device for data,
   the device sends the data to the cloud server once they are ready,
   and the cloud server sends instructions or management data back to
   the device.

4.  Factory External Network

   The factory external network supports the activities of the whole
   industrial life cycle and connects the enterprise with its upstream
   and downstream partners, with its products, and with its users.

4.1.  Situation

   The breadth and depth to which industrial data and information are
   developed and used vary with the level of informatization reached
   in different industries and fields.  Network construction outside
   the factory is therefore uneven: several industrial enterprises
   have only ordinary Internet access, and islands of information
   still exist between different areas of several enterprises.

4.2.  Development Trend

   As industrial networking and intelligence develop, factory systems
   and applications are gradually extending outward, and industrial
   Internet services outside the factory are becoming more general,
   more refined, and more flexible.

   Generalization: the traditional network outside the factory mainly
   carried commercial information, while the enterprise's information
   systems were deployed on the network inside its factory; the
   external network had few connected objects and a single service.
   With cloud platform technology, enterprise information systems
   (e.g., ERP and CRM) are being moved outside the factory, and an
   increasing number of IT applications are built on cloud computing
   and delivered as cloud services.
   As remote services for industrial products and devices develop,
   remote monitoring, maintenance, management, and optimization of
   massive numbers of devices will be carried out over the network
   outside the factory.

   Refinement: the factory external network interconnects the entire
   industrial chain and value chain, and the complex and diverse
   connection scenarios drive the refinement of services.  On one
   hand, the connection demand of massive numbers of devices has
   driven the construction of mobile networks outside factories and
   the rapid growth of wide-coverage services.  On the other hand,
   enterprises need to deploy services to the cloud, which refines
   dedicated line services into segmented offerings for scenarios
   such as enterprise Internet access, cloud access for business
   systems, and public/private cloud interoperability.

   Flexibility: network virtualization and software-defined networking
   allow the network outside a factory to open and adjust services
   quickly according to enterprise requirements.  The wide use of
   mobile communication technologies has made network access more
   convenient, and the speed of deployment gives enterprises a
   flexible means of achieving extensive interconnection.

4.3.
Enterprise Dedicated Line

   The wide-area network requirements of industrial entities include
   Internet access, interconnection and isolation between entities in
   different regions, interconnection between industrial networks and
   hybrid clouds, and the differentiated requirements (QoS, security
   and protection, etc.) that the industrial Internet places on
   wide-area bearer networks.  The carrier private line services most
   widely used to meet these requirements are MPLS VPN dedicated lines
   and OTN-based optical dedicated lines.

   An MPLS VPN builds an enterprise virtual private network on the
   carrier's public MPLS network to provide fast and reliable
   communication between branches in different cities, domestic and
   international.  It can carry multimedia services that require high
   quality and high reliability, such as office, data, voice, and
   video traffic.  Note that an MPLS VPN isolates customer traffic by
   label and VRF but does not encrypt it; where confidentiality from
   the carrier or protection against mis-provisioning is required,
   the enterprise should run its own encryption (e.g., IPsec) over
   the VPN.

   The MPLS VPN dedicated line is based on IP and high-speed label
   forwarding.  Service classes and QoS guarantees are realized by
   setting the Traffic Class (formerly EXP) bits of the MPLS label.

   An intelligent optical network based on the optical transport
   network (OTN) is an ideal solution for transmitting large-
   granularity broadband services.  If the main switching granularity
   of an enterprise's external private network reaches the Gb/s level,
   OTN technology should be considered first for network construction.

   As enterprise network applications grow, the need of large
   enterprises for large-granularity circuit scheduling also grows,
   and OTN technology enables flexible scheduling of such circuits.
   Compared with an MPLS VPN, OTN provides an end-to-end physical
   private network, which is attractive for enterprises that require
   large bandwidth (above 1 Gbps) and high reliability and security
   for their data and services.

   In addition, emerging technologies such as SD-WAN and CloudVPN
   complement the existing ones: they integrate the various dedicated
   line resources and expose them through a unified capability-
   opening platform, shielding users from the technical complexity.
   Such a factory extranet solution can economically meet the rapidly
   changing needs of enterprises for private line services.

   (1) A CloudVPN dedicated line is a new-generation enterprise private
   line solution that redefines enterprise interconnection around
   cloud services and simplifies business deployment as far as
   possible.  It reduces the time to open or adjust a VPN from the
   traditional weeks or months to minutes, offering convenient and
   flexible business options and enterprise interconnection on demand.
   The CloudVPN solution consists of a basic network device layer, a
   management and control layer, a collaboration layer, and a user
   interface.  The operator's private line access capability is
   encapsulated as a simple OpenAPI interface, so that developers'
   applications can provision enterprise private line services by
   calling the interface directly, with fast ordering, opening, and
   on-demand adjustment of services such as Internet access dedicated
   lines.  Because that interface can reconfigure enterprise
   connectivity, access to it must be authenticated and authorized as
   carefully as access to the network devices themselves.  The
   CloudVPN network can be opened on demand in real time and expanded
   elastically, and it supports real-time adjustment of dedicated line
   bandwidth for uses such as distance education, data exchange, and
   video conferencing.
   (2) SD-WAN is an extranet interconnection service formed by applying
   SDN technology to WAN scenarios.  It connects enterprise networks,
   data centers, Internet applications, and cloud services over a wide
   geographical area.  Its technical features include the following:

   (i) SD-WAN moves the control capabilities of hardware networks into
   software in the cloud, so that network capabilities can be exposed
   to users in a way they can perceive.

   (ii) SD-WAN reduces the complexity and technical threshold of WAN
   operation and maintenance on the user side.

   (iii) SD-WAN offers a high degree of self-service: users can open,
   modify, and adjust the parameters of their private network
   interconnection.  The core concept of SD-WAN is that the user's
   networking requirements and intent are translated and managed by
   the centralized control orchestrator provided by the communication
   service provider, shielding users from the complexity of the
   underlying network.

   (iv) SD-WAN supports heterogeneous underlays: access can be over
   the Internet, over OTN, over other dedicated lines, and so on.  The
   access device and the point of service differentiation are both on
   the user side, and the self-service interface lets users make
   flexible business adjustments.

   SD-WAN combines heterogeneous underlays with flexible operation,
   but because its virtual private network may run over ordinary
   Internet access, it is exposed to network attacks and data leakage.
   The overlay tunnels must therefore be encrypted end to end with a
   standard protocol such as IPsec, and the tunnel endpoints must
   authenticate each other rather than trusting the underlay.

4.4.  Mobile Communication Network

   With the development of IIoT, industrial production is no longer
   confined to the factory.
   Industrial production is gradually integrated with Internet
   business models, with products, and with customers through the
   factory external network.  In certain production processes, the
   demand for communication between the factory and devices outside
   it has also grown significantly.

   In these scenarios, mobile communication networks are increasingly
   used in industrial production because of their wide coverage, high
   speed, high reliability, and mature industrial chain, which greatly
   widen the scope of traditional industrial networks and provide a
   good foundation for the development of IIoT.

   3GPP defines three 5G usage scenarios: enhanced mobile broadband
   (eMBB), massive machine-type communication (mMTC), and ultra-
   reliable low-latency communication (URLLC).  eMBB supports the
   high-traffic IIoT services now emerging, such as virtual factories
   and high-definition video for remote maintenance; mMTC targets
   communication with massive numbers of field devices; URLLC targets
   control traffic that needs bounded latency and high reliability.

   The 5G network separates the control plane from the user
   (forwarding) plane.  The forwarding plane concentrates on efficient
   routing and forwarding of business data; it is simple, stable, and
   high-performance in order to carry the massive mobile traffic
   expected in the future.  The control plane is logically
   centralized, providing unified policy control, flexible traffic
   scheduling, and connection management, and it programs the
   forwarding plane through a flow control interface.

   The 5G core network supports services with low latency, large
   capacity, and high speed.
   The core network forwarding plane is further simplified and pushed
   toward the edge, moving business storage and computing capabilities
   from the network center to the network edge to meet high-traffic,
   low-delay business requirements and to enable flexible, balanced
   scheduling of traffic load.

   Main features and advantages: The 5G network is a new type of
   network based on the separation of control and forwarding.  It
   improves the overall access performance of the access network in
   complex 5G-oriented scenarios, simplifies the core network
   structure, provides flexible and efficient control and forwarding
   functions, supports highly intelligent operation, opens network
   capabilities, and raises the service level of the whole network.
   The separation of the control and forwarding planes flattens the
   network architecture and allows gateway devices to be deployed in a
   distributed manner, effectively reducing service transmission
   delay.  Different business scenarios place different performance
   and functional requirements on the 5G network; the network adapts
   to each scenario and provides the appropriate control functions and
   performance guarantees, achieving on-demand networking.

   Applicability: 5G provides a reliable, open, on-demand network for
   IIoT.  It can efficiently support the high-traffic services now
   emerging in the industrial Internet, such as virtual factories and
   high-definition video for remote maintenance.  It also supports
   monitoring of large numbers of devices inside and outside the
   factory, such as remote monitoring and control of devices, remote
   control of wireless video surveillance, and remote monitoring and
   reporting of environmental parameters and machinery data, to meet
   the needs of IIoT applications.

5.
Information Model

   The information model defines how information is represented,
   standardizes the data generated in industrial production, and eases
   communication between different devices and applications.  It
   should specify three levels of content: (1) the objects and the
   data contained in them, (2) how these objects and data are
   organized, and (3) the data format.  The information about each
   device in the digital factory includes the parameters of the device
   itself, its runtime data, and the data of the components that make
   up the device; this information is the object to be modeled.

   The device information model is divided into a static attribute
   set, a dynamic (process) attribute set, and a component set.  The
   data in a device are defined by attributes, and the collection of
   all information contained in the device is called its attribute
   set.  Information is divided into static and dynamic.  Static
   information does not change, or changes slowly, after it is
   defined; in a device it mainly takes the form of asset
   identification and order data (e.g., material codes and processing
   device numbers).  Dynamic information is generated, disappears, or
   changes in real time with the production process; it generally
   takes the form of device status data and part production records,
   such as working status, part dimensions after processing, logistics
   information, and start and completion times.  Accordingly,
   attributes are divided into static attributes, which form the
   static attribute set, and process attributes, which form the
   process attribute set.

   Each attribute set contains the attribute data of several
   information objects.
   Information objects are described by attributes, and attributes are
   composed of attribute elements.  This defines the hierarchical
   structure of the information model shown in Figure 6.  Its elements
   are explained below from the smallest to the largest.

   Attribute element: the basic unit from which attributes are built,
   such as the attribute identifier, name, and data type.

   Attribute: data describing the nature and characteristics of an
   object.  Each attribute consists of several attribute elements, but
   not every attribute contains every kind of element.

   Information object: a body of information in the factory domain
   that describes a general, real, or abstract entity which can be
   conceived of as a whole.  Examples are the spindle of a machine
   tool, the processing route of a part, and the receipt of a
   material.  An information object is digitally defined and
   described through its attributes.
    ___________________
   |Device information |
   |       model       |
   |___________________|
     |    ______________________     ____________________     __________
     +---| Static attribute set |---| Information object |---| Attribute|
     |   |______________________|   |____________________|   |__________|
     |    ______________________     ____________________     __________
     +---|Process attribute set |---| Information object |---| Attribute|
     |   |______________________|   |____________________|   |__________|
     |    ______________________     ____________________     ______________________
     +---|     Component set    |---|     Component      |-+-| Static attribute set |
         |______________________|   |____________________| | |______________________|
                                                           |  ______________________
                                                           +-| Process attribute set|
                                                           | |______________________|
                                                           |  ______________________
                                                           +-|     Component set    |
                                                             |______________________|

                        Figure 6: Information model

   Attribute set: a collection of attributes.  An attribute set can
   be composed of sub-attribute sets or of the attributes of several
   information objects.  According to the static or dynamic nature of
   the information, attribute sets are divided into static and
   process attribute sets.

   Component: a physical or logical object that is a physical or
   logical part of the upper-level object and whose characteristics
   are described by an attribute set.  Components can be nested: a
   component can have its own subcomponents, and all subcomponents of
   the same object form its component set.

   The device information model is an expandable tree that allows
   attribute sets and components to be nested.  In this definition,
   the attribute set and the component set are structural elements of
   the factory information model; they do not map to an actual object
   and do not carry actual content.
   They only describe the framework and the levels of the
   organizational model.

   The device information model defined above is only an abstract
   framework.  When the information of an actual device is modeled and
   functions are developed on top of the model, the actual device and
   functions must follow the categories and semantics of that
   framework, and the model elements are filled in to form an
   information model object with practical meaning.  This process is
   called instantiation of the information model.  Implementing the
   model requires a concrete description method and communication
   mechanism for organizing and storing the instantiated model.  This
   section gives an implementation scheme based on the OPC UA
   protocol, shown in Figure 7.

   The device is modeled with the device information model according
   to the information it actually holds, and an OPC UA model generator
   produces the corresponding XML file from the established model.
   The file is loaded into the process model of the OPC UA server.
   The process model obtains real-time data from the physical device
   through the data access module and stores and updates the values of
   the corresponding attributes in the information model.

   The information model is exposed through the address space of the
   OPC UA server, and an OPC UA client reads the data defined by the
   model by browsing that address space.  When the client accesses or
   modifies attribute information defined in the model, the UA
   services access or modify the corresponding attribute in the
   process model and return the result to the client.  Write access to
   attributes that drive the physical device should be restricted to
   authorized users, since anything reachable through the address
   space is reachable by any client that can open a session.
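   As an added example, not the draft's or the OPC Foundation's code,
   the instantiation step described above carried out in Python: a
   device is modeled with the static attribute set, process attribute
   set, and component set of Figure 6, and a small generator emits a
   UANodeSet-style XML file of the kind the OPC UA model generator
   would produce for loading into the server.  The sample device, its
   attributes, and the namespace URI are constructed for the
   demonstration.  The XML follows the general shape of the UANodeSet
   format (one UAObject or UAVariable element per node, HasComponent
   references in both directions, typed Value elements) but is
   simplified and has not been validated against the official schema,
   so the exact element layout is an assumption.

```python
"""Instantiate the device information model of Figure 6 and emit a
simplified UANodeSet-style XML document.

Illustrative example only; the sample device below is constructed for
the demonstration, and the XML layout is a simplification of the real
UANodeSet schema.
"""
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

NODESET_NS = "http://opcfoundation.org/UA/2011/03/UANodeSet.xsd"
TYPES_NS = "http://opcfoundation.org/UA/2008/02/Types.xsd"
ET.register_namespace("uax", TYPES_NS)


@dataclass
class Attribute:
    name: str
    data_type: str        # OPC UA built-in type name, e.g. "Double"
    value: object = None  # initial value; the process model updates it at runtime


@dataclass
class Component:
    """A device or nested component: two attribute sets plus a component set."""
    name: str
    static: list = field(default_factory=list)      # static attribute set
    process: list = field(default_factory=list)     # process attribute set
    components: list = field(default_factory=list)  # component set


class NodeSetBuilder:
    """Assigns NodeIds in namespace index 1 and links parent/child nodes."""

    def __init__(self, namespace_uri: str) -> None:
        self.root = ET.Element("UANodeSet", {"xmlns": NODESET_NS})
        uris = ET.SubElement(self.root, "NamespaceUris")
        ET.SubElement(uris, "Uri").text = namespace_uri
        self._nodes = {}
        self._next = 1000

    def _add_node(self, tag, browse_name, parent_id, extra=None):
        node_id = "ns=1;i=%d" % self._next
        self._next += 1
        attrs = {"NodeId": node_id, "BrowseName": "1:" + browse_name}
        attrs.update(extra or {})
        el = ET.SubElement(self.root, tag, attrs)
        ET.SubElement(el, "DisplayName").text = browse_name
        refs = ET.SubElement(el, "References")
        if parent_id is not None:
            # inverse reference on the child, forward reference on the parent
            ET.SubElement(refs, "Reference", {"ReferenceType": "HasComponent",
                                              "IsForward": "false"}).text = parent_id
            parent_refs = self._nodes[parent_id].find("References")
            ET.SubElement(parent_refs, "Reference",
                          {"ReferenceType": "HasComponent"}).text = node_id
        self._nodes[node_id] = el
        return node_id

    def add_variable(self, attr: Attribute, parent_id: str) -> str:
        node_id = self._add_node("UAVariable", attr.name, parent_id,
                                 {"DataType": attr.data_type})
        if attr.value is not None:
            value = ET.SubElement(self._nodes[node_id], "Value")
            ET.SubElement(value, "{%s}%s" % (TYPES_NS, attr.data_type)).text = str(attr.value)
        return node_id

    def add_component(self, comp: Component, parent_id=None) -> str:
        node_id = self._add_node("UAObject", comp.name, parent_id)
        for set_name, attrs in (("StaticAttributeSet", comp.static),
                                ("ProcessAttributeSet", comp.process)):
            if attrs:
                set_id = self._add_node("UAObject", set_name, node_id)
                for a in attrs:
                    self.add_variable(a, set_id)
        if comp.components:
            set_id = self._add_node("UAObject", "ComponentSet", node_id)
            for child in comp.components:
                self.add_component(child, set_id)
        return node_id


def build_nodeset(device: Component, namespace_uri="urn:example:factory:devices"):
    """Return the UANodeSet root element for one instantiated device model."""
    builder = NodeSetBuilder(namespace_uri)
    builder.add_component(device)
    return builder.root


def to_xml(root) -> str:
    return ET.tostring(root, encoding="unicode")


def read_value(root, browse_name: str):
    """Look up a variable by BrowseName in the generated address space."""
    for var in root.findall("UAVariable"):
        if var.get("BrowseName") == "1:" + browse_name:
            value = var.find("Value")
            return None if value is None else list(value)[0].text
    raise KeyError(browse_name)


def sample_device() -> Component:
    """Constructed machining-center model: identifiers are static, readings are process data."""
    spindle = Component("Spindle",
                        static=[Attribute("RatedPower", "Double", 15.0)],
                        process=[Attribute("SpindleSpeed", "Double", 1200.0)])
    return Component("MachiningCenter",
                     static=[Attribute("DeviceNumber", "String", "MC-01"),
                             Attribute("MaterialCode", "String", "AL-6061")],
                     process=[Attribute("WorkingStatus", "String", "Running"),
                              Attribute("StartTime", "DateTime", "2021-06-08T08:00:00Z")],
                     components=[spindle])


if __name__ == "__main__":
    print(to_xml(build_nodeset(sample_device())))
```

   The generator keeps every node in the nodeset's own namespace index
   1, so that the server's built-in nodes (namespace 0) cannot be
   shadowed by a device file; a loader should also reject files that
   declare references to NodeIds outside the namespaces they own.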
                        ____________________________________________________
                       |                   OPC UA Server                    |
    _______________    |  ___________     _______________     ____________  |   _________________
   |    OPC UA     |   | |    UA     |   |    Process    |   |    Data    | |  |    Physical     |
   |    Client     |<--|>|  Server   |<->|     Model     |<->|   Access   |<|->|     Device      |
   |_______________|   | |___________|   |_______________|   |____________| |  |_________________|
                       |____________________________________________________|

   Figure 7: Information model realization scheme based on the OPC UA
             protocol

6.  Security Challenges and Recommendations

   With the rapid development of sensor networks, cloud computing,
   artificial intelligence, and 5G, the number of networked devices
   will increase sharply and the corresponding market will grow, and
   so will the corresponding security problems: information leakage,
   malware propagation, and even the disruption of public
   infrastructure such as the national grid, communication equipment,
   and servers.  Until such incidents occurred, IIoT security
   attracted little attention; leaks of data collected by medical
   devices, for instance, have caused wide public discussion, and
   people are increasingly aware of the importance of data security.
   With recent extensive national-level management and control, IIoT
   security has received much attention, including from the relevant
   agencies and enterprises of various countries.  For both daily life
   and technology, IIoT security is a problem that must be solved for
   future development.

   The current IIoT architecture is roughly based on the classic
   three-tier model, divided into sensing, transport, and application
   layers.

6.1.
Sensing Security

   The sensing layer senses and collects data from the physical world.
   It uses sensors, cameras, RFID, and other smart devices to collect
   data and transmits them over wired and wireless networks; its key
   technologies are RFID and sensor networks.  The IIoT sensing front
   end detects and collects data in real time and uploads them through
   the transmission network to the cloud data center for processing.
   The sensing terminals themselves are exposed to security issues
   such as malware intrusion, information leakage, and tampering.
   Therefore, weak terminals with limited cost and performance should
   at least support mutual authentication, encrypted transmission, and
   authenticated remote upgrade, while terminals with ample resources
   should have stronger capabilities such as certificate management,
   antivirus, and intrusion detection.  Smart factory applications
   have strict latency requirements and need fast service response, so
   efficient and lightweight security algorithms are needed to counter
   these threats.  PRESENT [PRESENT], KATAN/KTANTAN [KATAN], and
   LBlock [Lblock] are examples of lightweight block ciphers.  DES,
   sometimes listed alongside them, is not a lightweight design and
   its 56-bit key has long been inadequate; it should not be chosen
   for new deployments.  Note also that a block cipher alone gives
   confidentiality only: it must be used in a mode that also provides
   integrity, and the 64-bit block size of these ciphers limits the
   amount of data that may safely be processed under one key.

6.2.  Transport Layer Security

   Consistent with the security requirements of the sensing layer,
   the task of the transport layer is to relay the data of the sensing
   layer reliably to the application layer for processing.
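   Returning to the lightweight ciphers named in Section 6.1: as an
   added example, not code from the draft or from the PRESENT authors,
   the PRESENT-80 block cipher implemented in pure Python, with a CTR-
   mode helper showing how it would protect a sensor payload on a
   constrained terminal.  The key, nonce, and payload are constructed
   for the demonstration.  CTR mode gives confidentiality only; the
   ciphertext still needs a MAC, and because the block is 64 bits the
   number of blocks encrypted under one key and nonce must be kept far
   below 2^32.

```python
"""PRESENT-80 (Bogdanov et al., CHES 2007) in pure Python, plus CTR mode.

Illustrative example only (not part of the draft).  Bit 0 is the least
significant bit throughout; the key, nonce and payload in the demo are
constructed values.
"""
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(i) for i in range(16)]
# pLayer: bit i moves to position 16*i mod 63, bit 63 stays put
PERM = [(16 * i) % 63 if i != 63 else 63 for i in range(64)]
PERM_INV = [PERM.index(i) for i in range(64)]
MASK64 = (1 << 64) - 1
MASK80 = (1 << 80) - 1


def _sbox_layer(state, box):
    out = 0
    for i in range(16):                       # 16 nibbles per 64-bit block
        out |= box[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def _perm_layer(state, perm):
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << perm[i]
    return out


def round_keys(key):
    """Derive the 32 round keys from an 80-bit master key."""
    if not 0 <= key <= MASK80:
        raise ValueError("key must be an 80-bit integer")
    keys = []
    for counter in range(1, 32):
        keys.append(key >> 16)                                  # leftmost 64 bits
        key = ((key << 61) | (key >> 19)) & MASK80              # rotate left by 61
        key = (SBOX[key >> 76] << 76) | (key & ((1 << 76) - 1))  # S-box on top nibble
        key ^= counter << 15                                    # counter into bits 19..15
    keys.append(key >> 16)
    return keys


def _encrypt_with_keys(block, rks):
    state = block & MASK64
    for rk in rks[:31]:
        state ^= rk
        state = _sbox_layer(state, SBOX)
        state = _perm_layer(state, PERM)
    return state ^ rks[31]


def encrypt_block(block, key):
    return _encrypt_with_keys(block, round_keys(key))


def decrypt_block(block, key):
    rks = round_keys(key)
    state = (block & MASK64) ^ rks[31]
    for rk in reversed(rks[:31]):
        state = _perm_layer(state, PERM_INV)
        state = _sbox_layer(state, SBOX_INV)
        state ^= rk
    return state


def ctr_crypt(data: bytes, key: int, nonce: int) -> bytes:
    """CTR mode: keystream block i = E_k(nonce || i); the same call decrypts.
    With 64-bit blocks, keep far fewer than 2**32 blocks per (key, nonce)
    and never reuse a nonce under the same key."""
    if not 0 <= nonce < (1 << 32):
        raise ValueError("nonce must fit in 32 bits")
    rks = round_keys(key)
    out = bytearray()
    for i in range(0, len(data), 8):
        ks = _encrypt_with_keys((nonce << 32) | (i // 8), rks).to_bytes(8, "big")
        out.extend(a ^ b for a, b in zip(data[i:i + 8], ks))
    return bytes(out)


if __name__ == "__main__":
    # Published test vector: zero key, zero plaintext -> 5579C1387B228445
    print("%016X" % encrypt_block(0, 0))
    key = 0x00112233445566778899          # constructed demo key
    ct = ctr_crypt(b"T=23.5;H=41", key, 7)  # constructed sensor payload, nonce 7
    print(ct.hex(), ctr_crypt(ct, key, 7))
```

   The demo prints the published zero-key test vector so that a port
   to C or to firmware can be checked against the same value; any
   deviation in the S-box, the permutation, or the key schedule shows
   up there immediately.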
   The transport layer is exposed to attacks on the transmission
   network, the communication protocols, and the network nodes (e.g.,
   man-in-the-middle and impersonation attacks); a compromised node can
   be disabled, its communication keys can leak, and the security of
   the entire network can be affected.  The large number of nodes and
   the large volume of data also make network congestion and denial-
   of-service attacks easy to cause, which affects the transport layer
   directly.  Security requirements here are stringent.  Because
   networks with different architectures must communicate within the
   transport layer, issues such as cross-network authentication, key
   negotiation, data confidentiality, and integrity protection across
   heterogeneous networks arise.  Available techniques include
   adversarially robust security mechanisms, homomorphic encryption,
   secure multi-party computation, and anonymization.

6.3.  Application Layer Security

   The application layer is the highest layer of the architecture.
   Its tasks are numerous and complex, and the application categories,
   such as monitoring services, smart grids, industrial control, and
   green agriculture, differ widely.  The application layer must
   process the data from the transport layer effectively, and the
   massive data and node counts of IIoT demand large storage and
   computing capacity, which cloud computing can provide at reduced
   cost.  The current architecture is therefore based on cloud
   computing, and the handling of business logic emphasizes the
   combination of IIoT with cloud computing.  Cloud computing brings
   its own security issues, including the storage, exchange, and
   processing of platform data, data security, and the interaction
   issues that arise when different platforms are connected.
   At present, cloud platforms rely on WAFs, firewalls, and HIDS,
   which protect data to a certain extent, but further security
   support is still required.  A distributed architecture based on
   edge computing can share the computing burden, shorten response
   time, and confine security risks to a limited area, reducing the
   risk to the core network; edge computing is therefore a good
   opportunity.  The cloud intelligence platform must handle huge
   amounts of data, in which much abnormal data and abnormal behavior
   are hard to detect and exclude; this has a strong impact on
   security, and emerging techniques such as data mining, machine
   learning, and AI can be applied to the data to detect anomalies
   and improve data security.  At the application level, many large
   enterprises run applications that collect large amounts of private
   data, such as health status, purchasing behavior, travel routes,
   group contacts, and value orientation, which raises data privacy
   protection problems.  Homomorphic encryption has been proposed for
   this.  Blockchain also offers a new approach: for example, it can
   realize anonymous sharing among IIoT devices [permissioned-
   blockchains].  It is widely used in IIoT because it addresses the
   weaknesses of the traditional centralized data storage model: the
   full nodes of the blockchain network each hold the complete record
   and jointly maintain the data of the IIoT devices, which reduces
   the cost of maintaining a centralized database for IIoT
   applications.  The tamper-evident, time-ordered structure of a
   blockchain provides integrity and traceability for the data of all
   nodes in the network.
   Blockchain can thus help with the integrity and auditability of
   IIoT data, but not by itself with confidentiality: every full node
   sees every record, so sensitive values must be encrypted or kept
   off-chain, with only commitments or hashes recorded on the ledger.

6.4.  IIoT Security Solutions

   Drawing together the security issues of the IIoT architecture, this
   section summarizes the existing problems and the corresponding
   solutions, which mainly concern device protection, device
   identification and authentication, secure communication, data
   privacy protection, and anomaly and intrusion detection.  The
   corresponding solutions are shown in Figure 8.

   +---------------------------------+---------------------------------------------+
   | Security problem                | Solutions                                   |
   +---------------------------------+---------------------------------------------+
   | Device protection               | Lightweight data encryption algorithm       |
   |                                 |                                             |
   | Device identification and       | RFID, blockchain                            |
   | authentication mechanism        |                                             |
   |                                 |                                             |
   | Secure communication mechanism  | Edge computing, converged gateways, routing |
   |                                 | protocols, homomorphic encryption algorithm |
   |                                 |                                             |
   | Data privacy protection         | Blockchain, encryption algorithm, cloud     |
   |                                 | computing                                   |
   |                                 |                                             |
   | Anomaly detection and           | Machine learning, data mining               |
   | intrusion prevention            |                                             |
   +---------------------------------+---------------------------------------------+

                 Figure 8: Security problems and solutions

7.  Terms

   This draft uses the following terms:

   Cyber-physical systems (CPS) are multi-dimensional complex systems
   that integrate computing, networking, and physical environments.
   Through the integrated design of computing, communication, and
   physical systems, industrial systems become more reliable and
   efficient and allow real-time collaboration.

   PROFIBUS is a fieldbus standard for automation technology.
   Modbus is a serial communication protocol that has become a de
   facto industry standard for communication in the industrial field
   and is now a common way of connecting industrial electronic
   devices.

   Highway addressable remote transducer (HART) is a communication
   protocol used between smart field instruments and control room
   devices.

   EtherNet/IP is an industrial Ethernet communication protocol used
   in programmable control and other automation applications.

   PROFINET is an open industrial Ethernet communication protocol.

   Data interoperability is the capability of distributed control
   system devices to coordinate their work through the digital
   exchange of related information in order to achieve a common goal.

   Information integration is the integration of separate devices,
   functions, and information into an interconnected, unified, and
   coordinated system through structured cabling and computer network
   technology, so that resources can be fully shared and management
   becomes centralized, efficient, and convenient.

   Factory elements include the various devices that appear in every
   stage of industrial design, production, sales, and maintenance.

   Industrial passive optical network (PON) is a passive optical
   network used in industry.  It provides a comprehensive solution for
   an open platform of industrial protocol conversion and for network
   connectivity in the factory, meeting the requirements of the
   various industrial scenarios and network applications of
   industries and enterprises.

   Time-sensitive networking (TSN) is a set of low-latency, high-
   reliability communication standards based on Ethernet (and, in
   some profiles, wireless).  It works mainly at the physical and
   data link layers and provides infrastructure for vehicle
   communication, industrial Ethernet, and other applications.
   Edge computing is the use of an open platform that integrates
   network, computing, storage, and application core capabilities on
   the side close to the source of the things or data, in order to
   provide services as close to that source as possible.

   OPC unified architecture (OPC UA) is a machine-to-machine
   communication protocol developed by the OPC Foundation for
   industrial automation.  It has the following characteristics:

   * (1) The protocol focuses on communication for information
     collection and control among the industrial devices in the
     system.

   * (2) Open standard: the specifications can be obtained free of
     charge, and devices implementing it face no licensing fees or
     other restrictions.

   * (3) Cross-platform: no restrictions are imposed on operating
     systems or programming languages.

   * (4) Service-oriented architecture (SOA).

   * (5) Built-in information security: X.509 application
     certificates, signed and encrypted secure channels, and user
     authentication.  These must actually be configured, since the
     protocol also permits a "None" security policy that provides no
     protection.

   * (6) Integrated information model: using the service-oriented
     architecture of OPC UA, manufacturers and organizations can model
     their complex information in the OPC UA namespace.

   WebSocket is a network transmission protocol that provides full-
   duplex communication over a single TCP connection and sits in the
   application layer of the OSI model.

   UDP broadcast uses UDP to send a message to every host on the same
   broadcast network.

   Message queuing telemetry transport (MQTT) is a publish/subscribe
   (Pub-Sub) messaging protocol standardized as ISO/IEC 20922 and can
   be regarded as a "bridge for information transmission".  It runs
   over the TCP/IP protocol suite and is designed for remote devices
   with limited hardware and poor network conditions.
For this reason, it needs 1236 message middleware, such as HTTP, to solve the current heavy 1237 workload. 1239 Advanced message queuing protocol (AMQP) is an open application layer 1240 protocol for message middleware. Its design goal is to sort and 1241 route messages (including point-to-point and Pub-Sub), maintain 1242 reliability, and ensure safety. 1244 Pub-Sub is a message paradigm. The sender of the message (called the 1245 publisher) does not send the message directly to the specific 1246 receiver (called the subscriber). Instead, messages are divided into 1247 different categories and published without knowing which subscribers 1248 exist. Similarly, subscribers can express interest in one or more 1249 categories and only receive messages of interest without knowing 1250 which publishers exist. 1252 Enterprise private lines have the characteristics of direct 1253 connection, and compared with ordinary access services, they possess 1254 higher speed, higher reliability, and better services. 1256 Network virtualization is the process of combining hardware and 1257 software network resources and functions into a single software-based 1258 management entity (virtual network). 1260 Automatic guided vehicle (AGV) is a type of wheeled mobile robot that 1261 moves along wires, markers, or magnetic strips on the floor or 1262 through visual or laser navigation. It is commonly used in 1263 industrial production to transport goods in workshops and warehouses. 1265 Manufacturing execution system (MES) is a set of production 1266 information management systems for the executive level of the 1267 manufacturing enterprise workshop. 1269 Product lifecycle management (PLM) is a complete, open, interoperable 1270 set of application programs in the entire process of product 1271 management, and it covers the product life cycle from product birth 1272 to death. 
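The Pub-Sub paradigm and the MQTT topic model described above can be made concrete with a small in-memory broker. The following code is an added example, not part of this draft or of any MQTT implementation: it routes messages by topic using MQTT-style topic filters ('+' matches one level, '#' matches the remaining levels), so publishers and subscribers never reference each other; the plant topic names and payloads are constructed for illustration.

```python
from collections import defaultdict
from typing import Callable, Dict, List

Handler = Callable[[str, bytes], None]

def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT filter rules: '+' matches exactly one level; '#' matches all
    remaining levels (zero or more) and is only valid as the last level."""
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1  # '#' elsewhere is an invalid filter
        if i >= len(t_levels):
            return False  # filter has more levels than the topic
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)

class Broker:
    """Subscriptions keyed by filter; publishers only ever call publish()."""
    def __init__(self) -> None:
        self._subs: Dict[str, List[Handler]] = defaultdict(list)
        self.dropped = 0  # messages published with no matching subscriber

    def subscribe(self, filter_: str, handler: Handler) -> None:
        self._subs[filter_].append(handler)

    def publish(self, topic: str, payload: bytes) -> int:
        """Deliver to every handler whose filter matches; return delivery count."""
        delivered = 0
        for filter_, handlers in self._subs.items():
            if topic_matches(filter_, topic):
                for handler in handlers:
                    handler(topic, payload)
                    delivered += 1
        if delivered == 0:
            self.dropped += 1
        return delivered

def demo() -> dict:
    """Constructed scenario: an HVAC monitor and a line-3 operator subscribe
    to different filters; field devices publish without knowing either."""
    broker, received = Broker(), defaultdict(list)
    broker.subscribe("plant1/+/temperature", lambda t, p: received["hvac"].append(t))
    broker.subscribe("plant1/line3/#", lambda t, p: received["line3"].append(t))
    broker.publish("plant1/line3/temperature", b"21.5")  # matches both filters
    broker.publish("plant1/line3/vibration", b"0.02")    # line3 only
    broker.publish("plant1/line7/temperature", b"19.8")  # hvac only
    broker.publish("plant2/line1/pressure", b"3.1")      # no subscriber: dropped
    return {"received": dict(received), "dropped": broker.dropped}
```

The `dropped` counter is the broker-side signal that a device is publishing to a topic nobody consumes, which is worth alerting on in a plant network.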
Enterprise resource planning (ERP) is a large-scale, modular, integrated, process-oriented system that integrates the internal financial accounting, manufacturing, purchasing, sales, and inventory information flows of an enterprise to quickly provide decision-making information and improve the company's operational performance and rapid response capabilities.

Supply chain management (SCM) is the management of material (product), information, and capital flows. SCM is an important component of enterprise operation management.

Customer relationship management (CRM) is a management system for the relationship between an enterprise and its existing and potential customers.

Flexible manufacturing is an engineering manufacturing system that allows flexible, automated production to adapt to predictable or unpredictable changes in the industry.

A transmitter is an instrument that converts non-standard electrical signals into standard electrical signals.

A remote terminal unit (RTU) is a microprocessor-controlled electronic device used as an interface to field devices. It feeds data into a distributed control system or a supervisory control and data acquisition (SCADA) system and transmits remote measurement data to the main system. It also uses data from the main monitoring system to control the connected devices.

RFID is a wireless communication technology that can identify specific targets and read and write related data through radio signals, without requiring mechanical or optical contact between the identification system and the targets.

The conveyor line is an intelligent conveying system that uses PLC control technology together with the system's automatic identification function and transmission system, so that production material is conveyed along the best path at the highest speed.
The programmable logic controller (PLC) is a digital logic controller with a microprocessor, used for automation control.

The distributed control system (DCS) is a computerized control system used in factories. Generally, it comprises several control loops, with autonomous controllers distributed throughout the system rather than monitored by a central operator.

Gateway Initiated Dual-Stack Lite (GI DS-LITE) is an IPv4-in-IPv6 tunnel proxy technology that enables IPv6 communication without modifying the terminal.

Homomorphic encryption is an encryption method that allows specific algebraic operations to be performed on ciphertext such that the result is still encrypted; decrypting that result yields the same value as performing the same operation on the plaintext.

Secure multi-party computation (MPC) focuses on collaborative computing between participants and the protection of their private information. Its characteristics include input privacy, calculation accuracy, and decentralization.

* (1) Input privacy: when all parties take part in collaborative computing, the private data of each party is protected, with a focus on the privacy and security of each party; that is, during secure multi-party computation, the private input of each party must remain independent, and no local data may be disclosed at any time during the computation.

* (2) Calculation accuracy: for a given agreed calculation task, the parties involved perform collaborative calculations through the agreed MPC protocol. After the calculation is completed, all parties receive correct results.
* (3) Decentralization: in traditional distributed computing, a central node coordinates the computing process of each user and collects the input information of each user. In secure multi-party computation, all participants have equal status, and no privileged participant or third party exists, which provides a decentralized computing model.

Anonymization technology anonymizes personal information records so that identifying a specific "natural person" becomes impossible.

Web application firewall (WAF) is a product that protects web applications by implementing a series of security policies for HTTP/HTTPS.

The host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the internals of a computing system as well as the network packets on its network interfaces, similar in operation to a network-based intrusion detection system.

8. IANA Considerations

This document does not require any actions by IANA.

9. Acknowledgments

We thank all the contributors and reviewers and are deeply grateful for the valuable comments offered by the chairpersons to improve this draft.

10. Informative References

[smart-factory]
Chen, B., Wan, J., and S. Lei, "Smart factory of industry 4.0: key technologies, application case, and challenges", 2017.

[iiot-5g] Cheng, J., Li, D., and W. Chen, "Industrial IoT in 5G environment towards smart manufacturing", 2018.

[tsn] "DetNet Data Plane: IP over IEEE 802.1 Time Sensitive Networking", draft-ietf-detnet-ip-over-tsn-03, https://tools.ietf.org/html/draft-ietf-detnet-ip-over-tsn-03, 2020.

[I-D.ietf-6lowpan-usecases]
"Design and Application Spaces for 6LoWPANs", draft-ietf-6lowpan-usecases-10, https://tools.ietf.org/html/draft-ietf-6lowpan-usecases-10, 2012.

[edge-computing]
Mach, P. and Z. Becvar, "Mobile edge computing: a survey on architecture and computation offloading", 2017.

[I-D.ietf-core-coap-pubsub]
"Publish-Subscribe Broker for the Constrained Application Protocol", draft-ietf-core-coap-pubsub-09, https://tools.ietf.org/html/draft-ietf-core-coap-pubsub-09, 2020.

[PRESENT] Bogdanov, A., Knudsen, L., and G. Leander, "PRESENT: An Ultra-Lightweight Block Cipher", Cryptographic Hardware and Embedded Systems, 2007.

[KATAN] Canniere, C. and O. Dunkelman, "KATAN and KTANTAN -- A Family of Small and Efficient Hardware-Oriented Block Ciphers", 2009.

[Lblock] Wu, W. and L. Zhang, "LBlock: a lightweight block cipher", 2011.

[permissioned-blockchains]
Hardjono, T., "Cloud-Based Commissioning of Constrained Devices using Permissioned Blockchains", 2016.

Authors' Addresses

Chaowei Tang
Chongqing University
No. 174 Shazheng Street, Shapingba District
Chongqing
400044
China

Email: cwtang@cqu.edu.cn

Haotian Wen
Chongqing University
No. 174 Shazheng Street, Shapingba District
Chongqing
400044
China

Email: wenhaotianrye@foxmail.com

Shuai Ruan
Chongqing University
No. 174 Shazheng Street, Shapingba District
Chongqing
400044
China

Email: rs@cqu.edu.cn

Baojin Huang
Chongqing University
No. 174 Shazheng Street, Shapingba District
Chongqing
400044
China

Email: baojin-huang@foxmail.com

Xinxin Feng
Chongqing University
No. 174 Shazheng Street, Shapingba District
Chongqing
400044
China

Email: xxfeng@cqu.edu.cn