Security experts have warned for some time that the so-called Internet of Things opens many vulnerabilities when interconnecting industrial devices across a public distributed network.
Now C-level executives who aren’t sure what to do about it can consult a security framework published by the Industrial Internet Consortium, a group of over 240 vendors and associations including Schneider Electric, General Electric, Fujitsu, Intel, Kaspersky, Cisco Systems, Symantec, Microsoft and SAP. The framework emphasizes the importance of five industrial IoT characteristics – safety, reliability, resilience, security and privacy – and defines risk, assessments, threats, metrics and performance indicators to help business managers protect their organizations.
“Today, many industrial systems simply do not have adequate security in place,” said Richard Soley, the consortium’s executive director. “The level of security found in the consumer Internet just won’t do for the Industrial Internet. In order to add security to an industrial system, you must make sure it won’t interfere with safety and reliability requirements. The (framework) explores solutions to industrial problems that have plagued the industry for years.”
Because Internet-connected industrial control systems (ICS) — everything from sensors on electrical grids and pipelines to medical devices — often link with enterprise systems, they are just as much a target for attackers as the servers, switches and routers on the corporate side. And if they are compromised, the effect can be tremendous — possibly shutting down power stations, for example. Industrial Internet systems may also connect with intermediary organizations, so link encryption may not be a solution. Another complication is that the devices have long lifetimes.
The security framework goes along with reference architecture, connectivity and other guides previously published by the consortium. This document separates security evaluation into endpoint, communications, monitoring and configuration building blocks, each with implementation best practices.
It also breaks the industrial space down into three roles: component builders (who build hardware and software), system builders (better known to readers here as system integrators) and operational users. To ensure end-to-end security, the consortium notes industrial users must assess the level of trustworthiness of a complete system.
As for the future, the concluding note in the framework points out that as the sheer volume of data required for managing devices increases, there’s a point where centralized security management ceases to be effective and efficient. Instead, embedding security into each piece of equipment individually, and empowering the equipment with the security context required to make safe decisions, might become a far more scalable approach.
“Though arguably not as transformational as the industrial revolution in the 1800’s, the Industrial Internet revolution will certainly bring about major improvements in the quality of our day-to-day lives,” the report concludes. “The world may see quicker adoption of IIoT in emerging countries thanks to more opportunity for new greenfield deployments. But, we must take care and apply the appropriate level of forethought and wisdom to ensure that the technological advances do not cost us dearly in the end. There may be a finite period—a window of opportunity—where we can design a cohesive security vision that realizes endpoint-to-endpoint secure communication and enables security management and monitoring.”