As we previously reported, we have been adding features to Nexto Xpress, our latest line of compact PLCs, that further extend the connectivity of products that were already born IoT ready. In recent months we have released several of them, such as support for the MQTT protocol, expansion of inputs and outputs via the CAN interface, the new XP340 model and, most recently, support for the IEC 60870-5-104 server protocol. Now, to increase security when using MQTT, the NX3003, NX3004 and NX3005 CPUs and the Nexto Xpress PLCs that support the protocol can protect their MQTT connections with TLS 1.2.
What is the TLS protocol
TLS (Transport Layer Security) is a protocol that provides a secure communication channel between a client and a server. In short, it is a cryptographic protocol that uses a handshake to authenticate the peers and negotiate the protocol version, cipher suite and session keys. Once the handshake is complete, the application data exchanged between the two peers is encrypted and integrity-protected, so an attacker on the path can neither read it nor modify it without the tampering being detected (what TLS does not hide is that the two endpoints are talking, or how much and how often). TLS servers present an X.509 certificate, usually issued by a trusted certificate authority, which clients check against their trust store to verify the identity of the server. That check is what defeats an impostor broker: a client that accepts any certificate is still encrypted, but it may be encrypting to a man in the middle.
Why use TLS with MQTT
Encryption is necessary to communicate securely over the internet: if your data is not encrypted, anyone can examine your packets and read confidential information. Imagine you are sending a letter. It is clear who the recipient is and the postman will make sure the envelope reaches that person, but there is nothing to stop the postman from reading the contents of the letter. In fact, anyone involved in the delivery can read or alter the contents of the envelope!
The same holds for the Internet, and for computer networks in general. Sending a TCP/IP packet is much like sending that letter: the packet passes through many infrastructure components (routers, firewalls, Internet exchange points) before reaching its destination, and every participant along the way can read its contents in clear text, or even modify them.
MQTT runs over TCP, and a plain TCP connection is not encrypted. To protect all MQTT traffic, most brokers allow TLS to be layered on top of TCP; by convention plaintext MQTT uses port 1883 and MQTT over TLS uses port 8883. TLS provides a secure channel so that your message reaches the recipient confidential and intact: third parties cannot read its content, and any alteration in transit is detected and the connection is aborted rather than delivering modified data.
Altus products with MQTT TLS 1.2 support
To start using TLS 1.2 on the supported CPUs, simply update the MasterTool IEC XE programming software to the latest version available on the Altus website. To put it to use, you will need an MQTT broker that supports TLS, such as Eclipse Mosquitto, which is free to download.
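As an added example (not Altus documentation, and not a file shipped with Mosquitto), the following minimal mosquitto.conf for Mosquitto 2.x shows the weak setting beside the corrected one: the plaintext listener is kept only on the loopback interface for local tools, and a TLS 1.2 listener on the standard port 8883 is the one the PLC connects to. The certificate paths, the loopback binding and the password file location are assumptions for illustration; the broker certificate must be issued for the hostname or address the PLC is configured to connect to, and the CA that signed it must be loaded on the PLC.

```conf
# mosquitto.conf (added example; adjust paths to your installation)

# Weak setting: plaintext MQTT on 1883 reachable from every interface.
# Anyone on the path can read or alter messages and credentials.
#listener 1883 0.0.0.0

# If a plaintext listener is still needed for local tools, bind it to the
# loopback interface only so it is never reachable from the network.
listener 1883 127.0.0.1

# Corrected setting: MQTT over TLS on the standard port 8883.
listener 8883
# CA certificate (or chain) that signed the broker certificate. The same CA
# must be installed on the PLC so it can verify the broker's identity.
cafile   /etc/mosquitto/certs/ca.crt
# Broker certificate and private key. The certificate's CN or SAN must match
# the hostname/address the PLC uses to connect, otherwise verification fails.
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
# Reject TLS 1.1 and older on this listener; Nexto Xpress speaks TLS 1.2.
tls_version tlsv1.2
# Optional: also require a client certificate from the PLC (mutual TLS).
# Enable only if the PLC has been provisioned with its own certificate.
#require_certificate true

# TLS protects the channel, not access to the broker: still require
# credentials, and never allow anonymous clients on a networked listener.
allow_anonymous false
password_file /etc/mosquitto/passwd
```

After restarting the broker, point the PLC at port 8883 with the CA certificate loaded. A quick check from a workstation with the Mosquitto clients installed is `mosquitto_sub -h <broker> -p 8883 --cafile ca.crt -u <user> -P <password> -t test`; if the certificate's name does not match `<broker>`, the connection is refused, which is the behaviour you want.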
Learn more about the protocol in the article MQTT applied to IoT systems, written by our colleague Igor Franco in the Perspectivas section, and by watching the webinars Demystifying MQTT (part 1) and Demystifying MQTT (part 2) on our YouTube channel.