The Industrial Internet of Things (IIoT), which is also called the Industrial Internet, is the domain of industry, government and other realms. It is logistics, fleet management, factory floors, power plants, utilities and other non-consumer facing elements. It’s the big stuff.
It’s not surprising that IIoT security is very important, complex and daunting. Yesterday, the Industrial Internet Consortium (IIC) released a security framework aimed at helping create a path to a secure IIoT.
The framework, the organization said, focuses on safety, reliability, resilience, security and privacy. Together, these attributes, if satisfied, “define ‘trustworthiness’ in IIoT systems,” the press release says. Determining where organizations are in that evolution is done by looking at risks, assessments, threats, metrics and performance. The four areas that will be tracked are endpoints, communications, monitoring and configuration.
In addition to its sheer size and the audacity of its vision, the IIoT makes use of things that are new. Network endpoints – which could number in the trillions and must be rudimentary because they are difficult to power and replace – represent a tricky challenge, according to Computerworld’s Stephen Lawson:
Those edge connections can open up dangerous vulnerabilities, because they’re often designed to carry some of the most sensitive information in an organization. For example, predictive maintenance, a common goal of IIoT implementations, works by collecting data about how well equipment is working. Knowing this helps companies replace worn-out gear before it breaks, but in the wrong hands, that data could help attackers or competitors.
Hamed Soroush, Ph.D, a Senior Research Security Engineer at Real-Time Innovations and IIC Security Working Group Co-chair, told IT Business Edge the framework will soon be tested:
With the IISF being released, the next important step is to see it applied in practice in the context of IIC testbeds. We plan on improving our already existing IIC testbed security review process, both to ensure testbeds’ alignment with IISF and to incorporate feedback from practitioners into the next version of the document.
The IIC is not the only organization thinking deeply about the issue. Late last month, Icon Labs and Renesas Electronics America released a white paper aimed at embedded device developers preparing products for the IIoT. The premise of the paper is that existing security approaches don’t “scale down” to the real-time operating system (RTOS) that elements of the IIoT will use.
Icon and Renesas say that a new approach is needed. The white paper covers access control, security protocols, asymmetric and symmetric encryption, hardware security modules, intrusion detection, secure boot, secure firmware updates, data-at-rest (DAR) protection and security management and visibility.
Icon Labs’ President and Co-founder Alan Grau told IT Business Edge that flexibility is a key to a framework that can gain wide acceptance.
The reason for having a security framework is to allow OEMs to customize the solution based on their requirements. A module framework allows them to implement cyber-security countermeasures that are most important for their device without having to invent a solution from scratch. OEMs must first understand the potential attack vectors that hackers could exploit when attacking their device. These can be used to prioritize which security features are implemented. A truly robust solution will include multiple layers of defense.
Not surprisingly, the priorities Grau cited as important track with what is in the Icon/Renesas white paper. He wrote that priorities are secure boot and secure firmware update environments; secure communication; DAR protection; embedded firewall and intrusion detection; key and certificate management; authentication and integration with security management systems.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.