In-brief: The Industrial Internet Consortium has released a security framework for addressing security issues in industrial Internet of Things systems. The goal: avoid the mistakes of the consumer IoT space.
The Industrial Internet Consortium, a private-public industry group, on Tuesday released a security framework for addressing security issues in industrial Internet of Things systems.
The Industrial Internet Security Framework (IISF) is intended to guide firms in sectors like manufacturing, transportation and power generation in addressing security, privacy, safety and reliability issues engendered by the addition of Internet connectivity to historically disconnected devices. The goal: set a higher bar than that for consumer devices.
“Today, many industrial systems simply do not have adequate security in place,” said Dr. Richard Soley, Executive Director, IIC. “The level of security found in the consumer Internet just won’t do for the Industrial Internet. In order to add security to an industrial system, you must make sure it won’t interfere with safety and reliability requirements.”
The Consortium includes representatives from leading IT firms including Cisco Systems, IBM, Oracle and Intel, as well as industrial giants like GE and Bosch.
The new framework articulates a standard for “trustworthiness” in industrial IoT systems and provides standard definitions for concepts like “risk,” “threats,” “metrics” and “performance indicators.” As opposed to traditional industrial control systems, Industrial IoT systems are “connected extensively to other systems and people, increasing their diversity and scale.” Such systems also rely on sensors and actuators that “interact with the physical world.” And, as a result, “uncontrolled change can lead to hazardous conditions.”
The framework, at more than 170 pages, lays out an extensive roadmap for securing industrial IoT deployments, weighing in on issues such as the interaction between information technology and the operational technology (OT) that dominates many industrial environments. The framework also weighs in on “brownfield” issues, where older and “insecure by design” legacy equipment, protocols and software are connected to the Internet or modern, IP-based networks.
The complexity of IIoT networks and the long life span of industrial devices require changes to how security is done, the framework says. “The cultures of operational and information technology worlds differ, leading to a need to integrate these cultures for IIoT systems. All of these differences have implications on how these systems need to be secured,” the report says.
The framework divides the industrial space into three roles: component builders who create hardware and software; the system builders who innovate on top of the hardware and software to craft discrete solutions; and the owners and operators of those systems, who manage the risk to their industrial processes posed by the systems. To ensure end-to-end security, industrial users must assess the level of trustworthiness of the complete system, the framework says.
Trustworthiness is defined as “the degree of confidence one has that the system performs as expected in respect to all the key system characteristics in the face of environmental disruptions, human errors, system faults and attacks,” the framework states. Both IT and OT needs must be met for a product to be trustworthy.
“Every Industrial Internet of Things project must incorporate security throughout, but doing it properly in an industrial setting means dealing with many levels and dimensions of complexity,” said Greg Gorbach, Vice President, ARC Advisory Group. “The IISF security framework provides a comprehensive approach to ensure that all the bases are covered so risk is minimized.”