Industrial IoT Security in Focus As IIC Issues New Guidance

New guidance issued by the Industrial Internet Consortium (IIC) aims to help industrial equipment operators and manufacturers better ensure the safety, security and reliability of IoT endpoint devices.

Drawing on and pulling together guidance issued by both the IEC (International Electrotechnical Commission) and the National Institute of Standards and Technology (NIST), the 13-page white paper provides concrete measures to take to secure critical endpoint devices like pumps, actuators, controllers and drives across industries and verticals. While IEC and NIST have done a good job of characterizing risk, the paper’s co-authors said, the white paper provides a consistent approach on how to build a secure system within the level of risk assessed. In such a way, it provides concise, concrete best practices that can, for instance, be included in RFPs when acquiring new equipment or planning upgrades.

“We have an opportunity here to begin at the ground floor of OT security. Let’s build these elements into the systems as opposed to bolting them on,” said Dean Weber, CTO of Mocana and one of the co-authors of the paper. “This gets us started with the endpoint as being the place where the rubber meets the road. If we get that right, we can start moving outbound from that.”

The white paper, “Endpoint Security Best Practices,” is the work of the Security Applicability Group within the IIC Security Working Group. It builds on the reference architecture documentation and IIoT security best practices issued in 2016 with the IIC Industrial Internet Security Framework (IISF).

[Internet of Things World addresses the security concerns for IoT implementation in every vertical, attracting senior security professionals from the world’s biggest organizations. Get your tickets and free expo passes now.]

Recommendations in the new white paper draw on and distill guidance issued in IEC 62443 and NIST SP-800-53. It breaks security into three levels – basic, enhanced and critical – describing what countermeasures and controls are generally recommended to achieve each level of security. Aside from the benefits to OT professionals, this helps equipment manufacturers and integrators define which security level their products, systems, and solutions are designed to meet, according to the white paper. It also can help insurers and policy makers by establishing a common benchmark that can be used to analyze risk and encourage security improvements, according to the white paper. 

It is the first of six areas of industrial IoT security that will be examined by the group, which plans to publish additional security best practices documents to cover areas like data protection, communications and connectivity.

Starting by better defining endpoint security made sense for a number of reasons, according to interviews with the co-authors. 

For one, in the industrial community, the focus has been about safety and reliability for decades, and adding the realm of cyber security to that has not been simple, Weber said. Because a lot of industrial equipment operators don’t have the background in cyber security, it’s hard to identify the priorities and what concerns should be addressed, according to Steve Hanna, IIC white paper co-author, and Senior Principal, Infineon Technologies.

“With just broad guidelines, it leaves a lot of room for interpretation and possible confusion of omitting measures that need to be taken,” Hanna said.

A dearth of people with these skills, coupled with the growing vulnerability of endpoint devices – something made clear by the Stuxnet attacks — has heightened the stakes for security, according to Weber.

“The endpoint is where it starts and stops,” Weber said. “If you’re going to make decisions, sometimes life or death decisions on data, and you don’t have any knowledge about whether the device that generated that data is any good, you don’t know if can trust it.”

The broad applicability of the document, and the fact that several parties from across industries have come together both requesting and working to produce guidance, shows how important the security conversation has become in the industrial space, according to Hanna.

“The fact that these parties have come together in the IIC, and put together this guidance document, these are all very helpful signs,” Hanna said. “It is very promising that we see industries stepping up to the plate and taking action.”