Data Distribution Service: An Overview Part 1

In this three-part series, we focus on Data Distribution Service (DDS), which drives systems such as railways, autonomous cars, spacecraft, diagnostic imaging machines, luggage handling, and military tanks, among others. We’ll also explore the current status of DDS and highlight recommendations enterprises can follow to minimize the threats associated with this middleware.

But first, let’s discuss what DDS is and how it is applied in various industries.


DDS is a standardized middleware based on the publish-subscribe paradigm that supports the development of middleware layers for machine-to-machine communication. It is especially integral to embedded systems or applications with real-time requirements. Maintained by the Object Management Group (OMG), DDS is used in all classes of critical applications to implement a reliable communication layer between sensors, controllers, and actuators.

DDS sits at the beginning of the software supply chain, which makes it easy to lose track of and an attractive target for attackers. Notably, the following companies and agencies use DDS (note that this is not an exhaustive list of organizations currently using this technology):

  • National Aeronautics and Space Administration (NASA) at the Kennedy Space Center
  • Siemens in wind power plants
  • Volkswagen and Bosch for autonomous valet parking systems
  • Nav Canada and European CoFlight for air-traffic control

From a software development standpoint, DDS is also a communication middleware used for the interoperability of processes across machines in all main programming languages. Moreover, DDS is a data-centric publish-subscribe communication protocol that allows developers to build a flexible shared data “space” for virtually any application requiring two or more nodes to exchange typed data.

From a programmer’s perspective, DDS is a powerful application programming interface (API). On top of the plain byte-streams and C-strings, DDS supports serialization and deserialization of any built-in or custom data type through a dedicated interface definition language (IDL).

DDS Applications

DDS is the foundation of other industry standards, like OpenFMB for smart-grid applications and Adaptive AUTOSAR. The Robot Operating System 2 (ROS 2), the de facto OS for robotics and automation, uses DDS as the default middleware.

DDS, along with Real-Time Publish-Subscribe (RTPS), is used to implement industry-grade middleware layers for mission-critical applications. For example, when the artificial intelligence (AI) of an autonomous car needs to issue a “turn left” command, DDS is used to transport the command from the electronic control unit (ECU) down to the steering servo motors.

Here is a list of examples where DDS is used in critical industries, including external resources offering estimates on how many devices in each sector exist or are expected to exist in the near future:

| Sector | Example Use Cases | Notable Users |
|---|---|---|
| Telecommunications and networks | Software-defined networking (SDN) technologies; Appliance Life Cycle Management (LCM) tools, including 5G | |
| | Command and control (C&C) systems; Navigation and radar systems; Launch systems | National Aeronautics and Space Administration (NASA); NATO Generic Vehicle Architecture (NGVA); Spanish Army |
| Virtualization & Cloud | Inter- and intra-communications of security operations centers (SOC) | |
| | Power generation and distribution; Research | |
| | | GE Healthcare; Medical Device Plug-and-Play interoperability program (MD PnP) |
| | Precision mining; Mining system automation; Geological modeling | Atlas Copco |
| Industrial internet of things (IIoT) and robotics | Universal middleware | Robot Operating System (ROS 2); AWS RoboMaker |
| Public and private transportation | Autonomous vehicles; Air traffic control (ATC); Railway management and | Volkswagen and Bosch; Coflight Consortium (Thales, Selex-SI); Nav Canada |

Examining DDS Attack Feasibility

Our expert team of researchers analyzed the DDS standard and discovered multiple security vulnerabilities. Thirteen vulnerabilities across the six most common DDS implementations were given new CVE IDs in November 2021, plus one vulnerability in the standard specifications.