The New IIoT Security Framework: Some Guiding Principles
September 2016 marked an important milestone in the purposeful development and intelligent evolution of the Industrial Internet of Things (IIoT), namely the publication of the Industrial Internet Consortium’s new security framework, “The Industrial Internet Security Framework Technical Document.” This new framework, which significantly expands upon and advances earlier iterations, stands as the most in-depth, cross-industry-focused security framework available today.
I’m not going to attempt to summarize 170 pages of technical specifications and best practices in the course of a single blog post. I will, however, gladly share some insights and perspective gleaned from it and an illuminating discussion with my fellow IIC Steering Committee Member, renowned systems security expert, and one of the framework’s key contributors and thought leaders, Robert “Bob” Martin.
In speaking with Bob, it’s clear that security for the IIoT isn’t exactly what one might expect. Yes, protecting IIoT systems from cyberattacks is a key goal, but that’s only part of a much bigger, more comprehensive picture.
The New Security Framework: Meeting High Expectations at Scale
It’s natural to think of big industrial processes and systems when we think of IIoT. Examples range from the smart grid and the smart city to the operation of a manufacturing line or nuclear power plant. But it’s useful to frame the IIoT security discussion in simpler, more common examples that everyone can appreciate, such as using your ATM or mobile banking. When we go to an ATM terminal, we simply expect our account access to be available, and we expect the transaction to be safe. We want it to not be tampered with but to also be accessible across any device, any time and from any location. And with a nod to my friends in the financial services community, we want it without a big fee.
Our IIoT systems must work this well, too, masking their innate complexity through a superior efficiency that is reliable, cost-effective and honors our expectations of privacy. The new security framework for IIoT attempts to lay out how industry can meet these very high expectations, and do so at scale.
In this regard, the new security framework technical document is a very comprehensive compilation of security topics, choices, design concepts, techniques and best practices currently available. Yet the IIoT community should also find how security is framed here, within a context of other needs and business drivers, to be of equal use, import and interest.
The Business Viewpoint of the New Framework
The title of the white paper accompanying the new security framework, “The Business Viewpoint of Securing the Industrial Internet,” says a lot about where IIC is intent on taking the Industrial Internet of Things. So often we think of the technological leaps that need to be made to realize the tremendous production and efficiency potential of IIoT, but IIoT is such a multi-faceted system, and business leaders and stakeholders have a tremendous say in how fast and how far we can take it.
Nowhere is that more true than with security. In the business world, security is often viewed as something “added” to a product, process or system to make it safe. What the new framework is saying, however, is that security needs to be an integral facet of how the things of IIoT are created in the first place, i.e., designed with security “built in.”
And that is where the business viewpoint really is going to matter. Building secure products and systems won’t come for free, so it will be incumbent upon senior business leaders to take up the security mantle – explaining, really selling, it to shareholders as a necessary cost of doing business (and as an investment that enhances the prospect of a profitable future). In parallel, business leaders will have to challenge their competitors to deliver secure offerings, too, at the same high level in their products, resisting the temptation to shortchange security for a temporary price advantage in the market.
Security as Part of a Constellation of “Trustworthiness”
The framework makes an important point about security in IIoT, namely: “Security cannot be considered in isolation.” The framework expands on the idea of security, placing it in interaction with other key IIoT system characteristics, including safety, resilience, reliability and privacy. Together, these system characteristics promote trustworthiness, which IIC defines as “the degree of confidence one has that the system performs as expected in the face of environmental disruptions, human errors, system faults and attacks.”
Reaching a trustworthiness built on these key characteristics is in everyone’s self-interest, and, as we have learned from experience, we need to strive and begin to realize these characteristics of trust contemporaneously. For example, we cannot work on product safety in isolation, then move on serially to figure out security, and so on. If even one of the key characteristics of trustworthiness fails, the whole system fails.
This is why it is not surprising to see early IIoT successes occurring in vertically-integrated industries, such as energy, medical device manufacturing, and aerospace. Companies within these spaces have a history of working together effectively and have had to evolve together, navigating exacting product and technical demands as well as industry and governmental compliance issues and regulations.
One best practice emerging from this vertically-oriented collaboration that bodes well for the future of IIoT – and the building of trustworthiness into it – is the emergence of “assurance cases,” also known as “safety cases.” Vertically-integrated industries have relied on assurance cases to do global business, making transparent the ways in which they have met various safety standards.
This assurance-case concept could well be adopted within the IIoT community, so that in the future we will see assurance cases that address security, privacy and safety where companies will have to provide detailed information about how they met specific standards and expectations. This transparency will enable others to not start from a blank slate when they develop their products, but rather build upon the standard already established. Today, we see various “accreditations.” But we don’t see the kind of transparency and sharing about the evidence supporting those accreditations. We’ll need that kind of evidence to build security and other characteristics into IIoT at scale—credibly.
Yet we’re optimistic this will happen. About 10 years ago, we saw the emergence of engineering views of systems, including an operations view, a security view, a data-flow view, a power-usage view, etc. At the time, the modeling tools had no ties between the different views, so engineers and developers didn’t know if assumptions made in one view obviated, or impacted otherwise, the needs of another. All of the stakeholders soon learned that such a siloed view wouldn’t work, and that’s a lesson that we are successfully paying forward and applying to the betterment of IIoT.