Consortium Issues Security Framework for Industrial IoT

The Industrial Internet Consortium's blueprint addresses security from multiple angles and touches on safety, reliability and privacy.


The Industrial Internet Consortium has developed a framework that aims to address the thorny and complex issue of security and the internet of things.

The industry consortium this week published the Industrial Internet Security Framework, a dense blueprint designed to address the broad array of security issues concerning the industrial internet of things (IIoT), the increasingly connected and interconnected systems that run the world's industrial operations.

The framework focuses on five characteristics—safety, reliability, resilience, security and privacy—that consortium officials said define industrial systems, and also lays out various risk, assessment, threat and performance indicators that managers can use to protect their companies.

"Industrial networks, which were originally designed to be isolated, are now exposed to continuous attacks of ever-increasing sophistication," Evan Birkhead, vice president of marketing at Bayshore Networks, wrote in a post on the Industrial Internet Consortium (IIC) blog. "Additionally, with the proliferation of connected devices worldwide, there is a need to protect against not only malicious intent but also errors and mischance. The IIC believes that these factors combine to create a perfect storm that represents a major threat to world safety and security."

The issue of security and the IoT is a difficult one. The number of connected devices, systems and sensors worldwide is expected to grow rapidly over the coming years, with Cisco Systems and Intel both predicting as many as 50 billion or more such devices by 2020. The sheer number of these things is daunting: with such a huge attack surface, how do you secure everything? In addition, with so many vendors making so many different devices and systems, how do you secure everything from baby clothes with sensors to major industrial systems to public utility facilities like dams?

Security can be a significant barrier to organizations adopting IoT technologies, according to Birkhead. He cited a June study that showed that data security and privacy concerns are key challenges organizations face when considering the IoT. In addition, 58 percent of business executives surveyed said the IIoT makes their companies more open to cyber-attacks.

"The continuing explosion of connected devices provides opportunities for unprecedented growth and performance gains in industrial systems," he wrote. "Unfortunately, this growth also exposes extraordinary increases in risks to plant personnel, to the businesses that operate industrial processes, as well as to society and the environment at large. It's challenging, especially considering the exponential increase in the amount of exposed data."

The IIC's new security framework is designed to help address security from multiple perspectives, including business, functional and implementation, according to officials with the consortium, which now has more than 240 members. Business managers can use the security framework to make more informed decisions based on risk assessments. The framework also separates the evaluation of security into various "building blocks," such as endpoint, communications, monitoring and configuration, each of which offers best practices for implementation.

The framework also looks at security from the perspective of three roles in the industrial world—component builders who create the hardware and software, system builders who use the hardware and software to create solutions, and operational users of the solutions and systems. Industrial users need to address the level of trustworthiness of the complete system, officials said.

In addition, IIoT security involves everything from industrial processes and applications to safety and reliability needs, and can't be dealt with in isolation, consortium officials said. They used the example of adding predictive maintenance capabilities to high-value electric power generation equipment. Doing so opens the systems up to threats, but while adding security may be a challenge, not doing so could lead to the systems being attacked.

"Today, many industrial systems simply do not have adequate security in place," consortium Executive Director Richard Soley said in a statement. "The level of security found in the consumer Internet just won't do for the industrial internet. In order to add security to an industrial system, you must make sure it won't interfere with safety and reliability requirements."

The framework "describes the consequences of merging different security fields, provides guidance on how to select and achieve security objectives, and describes how to leverage technologies to overcome cyber-sabotage and cyber-espionage," Birkhead wrote.

The security framework will be presented at the Industrial Internet Security Forum Oct. 6 in Sunnyvale, Calif.