Recently, the Industrial Internet Consortium (IIC) released a collaborative paper detailing security issues involved in the industrial Internet of Things (IIoT). The document, called the Industrial Internet Security Framework (IISF), was written to identify and explain security-related architectures and technologies for the IIoT, as well as to create broad industry consensus on addressing IIoT security.
Let’s take a brief look at some of the ideas the IISF has to offer the IoT engineering community.
Obtaining IIoT Trustworthiness
A key point of the IISF is that security cannot be considered in isolation. That’s why the report begins by describing five key IIoT system characteristics that enable trustworthiness: security, safety, reliability, resilience and privacy. The IISF defines trustworthiness as follows:
Trustworthiness: the degree of confidence one has that the system performs as expected in respect to all the key system characteristics in the face of environmental disruptions, human errors, system faults and attacks (IISF p. 23).So how exactly can one obtain a high level of trustworthiness in an IIoT system? The IISF breaks this problem down into three distinct roles: component builders, those who create hardware and software; system builders, those who compile the hardware and software into functional systems; and operational users, the owners/operators of the system who ultimately manage the risk it poses to their industrial processes. Only by considering all of these roles can one assess the trustworthiness of a complete IIoT system and thereby ensure end-to-end security.
For a much more detailed discussion of these ideas, read the full IISF.
Adjusting to Increased Industrial Risk
Industrial security used to be fairly straightforward: put a lock on your factory door, install an alarm system, may be hire a security guard or two. But with the adoption of ubiquitous connectivity and big data analytic techniques, these physical security barriers are no longer sufficient to guard against risks. Even the risks themselves are growing—the IISF posits that “a successful attack on an IIoT system has the potential to be as serious as the worst industrial accidents to date (e.g.,Chernobyl and Bhopal), resulting in damage to the environment, injury or loss of human life” (IISF, p. 16).
“Today, many industrial systems simply do not have adequate security in place,” said Dr. Richard Soley, executive director of the IIC. “The level of security found in the consumer Internet just won't do for the industrial Internet. The IISF explores solutions to industrial problems that have plagued the industry for years.”
The IISF was a collaboration between members of the IIC, including Intel, AT&T, Fujistsu, Belden and many more. The collaborative nature of the project gives it a cross-industry perspective that benefits from a large number of security experts. You can access the complete IISF, free of charge, on the IIC website.If you don’t have time to read the full 173-page report, the IIC has also published a brief executive overview.