The IIC published the Industrial Internet Security Framework for Securing Industrial IoT
Yesterday, the Industrial Internet Consortium (IIC) released a security framework intended for securing industrial IoT. The Industrial Internet Consortium is an open membership organization founded by AT&T, Cisco, General Electric, IBM, and Intel in March 2014. The IIC catalyzes and coordinates the priorities and enabling technologies of the Industrial Internet.
The framework focuses on safety, reliability, resilience, security and privacy. Together, these attributes secure industrial IoT and “define ‘trustworthiness’ in Industrial IoT systems”.
Determining where organizations are in that evolution is done by checking:
Risks, Assessments, Threats, Metrics and Performance.
The four areas that will be tracked are:
Endpoints, Communications, Monitoring and Configuration.
“Today, many industrial systems simply do not have adequate security in place,” said Dr. Richard Soley, Executive Director, IIC. “The level of security found in the consumer Internet just won’t do for the Industrial Internet. In order to add security to an industrial system, you must make sure it won’t interfere with safety and reliability requirements. The IISF explores solutions to industrial problems that have plagued the industry for years. The IIC is also putting the IISF vision into practice in our testbed program.”
The IISF breaks the industrial space down into three roles – the component builders, the system builders, and the operational users. The operational users are the owner/operators of the systems. To ensure end-to-end security, industrial users must assess the level of trustworthiness of the complete system.
IIoT endpoint connections can open up dangerous vulnerabilities because they’re often designed to carry sensitive information. For example, predictive maintenance, a common Industrial IoT implementation, collects data about how well equipment is working. This information alerts plants to replace equipment before it breaks, but that implementation in the wrong hands could be detrimental.
With the IISF being released, the next important step is to see it applied in practice in order to incorporate feedback from practitioners into the next version of the document.
The IIC is not the only organization thinking deeply about the issue. Late last month, Icon Labs and Renesas Electronics America released a white paper aimed at embedded device developers preparing products for the Industrial IoT. The paper states that securing industrial IoT must include the real-time operating system (RTOS) that elements of the IIoT will use.
The reason for having a security framework is to allow OEMs to customize the solution based on their requirements. A modular framework allows them to implement the cybersecurity countermeasures that are most important for their device without having to invent a solution from scratch. OEMs must first understand the potential attack vectors that hackers could exploit when attacking their device. These can be used to prioritize which security features are implemented.