IIC Publishes Best Practices for Securing Industrial Endpoints

Industrial Internet Consortium Guidance Aims to Improve IIoT Endpoint Security for Manufacturers and Practitioners

The Industrial Internet Consortium (IIC) has published a new paper that gives a concise overview of the countermeasures needed to secure industrial endpoints, the devices that make up the industrial internet of things (IIoT).

The paper (PDF) is not meant to provide a checklist for compliance or certification, but rather a starting point to understand what is necessary to ensure IIoT endpoint security. It is, in fact, a distillation of best practices drawn from existing guidance and compliance frameworks (IISF [IIC-IISF2016], Industrie 4.0 [Ind4.0-ITSec], IEC 62443 [IEC-62443-11], and NIST SP 800-53 [NIST-800-53r4] [NIST-800-53r5]).

“Although there are existing documents such as the IIC’s own Industrial Internet of Things Security Framework (PDF) and other documents from NIST and IEC,” comments Dean Weber, CTO at Mocana, “they’re complex and abstract; and it’s often challenging for practitioners to know how the guidance applies to them in particular.”

However complex the problem, the need to secure the IIoT, both for its own sake and for the role it plays in critical infrastructure, is growing rapidly. The IIoT is an expanding and fundamental part of operational technology, and its attack surface is growing with it. Criminals are attracted by the possibility of extorting companies that depend on their OT, while nation states are surveilling, and sometimes employing, methods to disrupt critical infrastructure.

The paper provides a starting point for improving the security of IIoT endpoints such as sensors, actuators, pumps, flow meters, controllers and drives in industrial systems; embedded medical devices, electronic control units and vehicle control systems; and communications infrastructures and gateways.

The authors of the paper — Steve Hanna (Infineon Technologies), Srinivas Kumar (Mocana), and Dean Weber (Mocana) — define three levels of endpoint security: basic, enhanced and critical. These correspond to security levels 2, 3, and 4 as defined in IEC 62443 3-3. Neither the levels nor the advice in the paper are geared towards any particular industry sector, but are designed to provide a cross-sector horizontal starting point.

“The purpose of the document,” Weber told SecurityWeek, “is to provide some concise recommendations on best practices for securing industrial endpoints. The reason this is so important is because industrial systems are increasingly connected within the system and beyond, including cloud big data. While there are many benefits to having this additional connectivity and bringing crowd intelligence on things like predictive maintenance, customized manufacturing etc, there are also some significant drawbacks if the security is not properly handled.”

Basic security is defined as providing protection against “intentional violation using simple means with low resources”, such as an ordinary virus. Enhanced security provides protection against attackers using “sophisticated means with moderate resources”, such as exploiting known vulnerabilities. Critical security provides protection against attackers with “sophisticated means with extended resources”, such as the ability to develop custom zero-day attacks. Risk assessments should determine the correct level of security for each endpoint in different organizations.

Security needs to be interwoven with other requirements such as safety, privacy, reliability and resilience in the face of environmental disruptions, human errors, system faults and attacks in order to provide the overall goal: trustworthiness.

The three security levels are described together with the countermeasures required for each. Basic security requires ‘root of trust’, ‘endpoint identity’, ‘secure boot’, ‘cryptographic services’, and ‘secure communications’. Enhanced security adds ‘endpoint configuration and management’; critical security further requires ‘continuous monitoring’, ‘security information and event management’, and a ‘policy and activity dashboard’.

Each countermeasure, and the rationale for requiring it at a given level, is then discussed in more detail. The requirements placed on some countermeasures change between the levels. For example, a root of trust is required at all three levels: at every level it must provide endpoint identity, while at the enhanced and critical levels it must additionally provide attestation of software and hardware identity and integrity.
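To make that difference concrete, the following is an added example (not code from the IIC paper or from SecurityWeek) simulating what a root of trust delivers at the basic level versus the enhanced and critical levels: a challenge-response proof of endpoint identity, and on top of it an attestation that the measured boot chain matches known-good firmware. It assumes a constructed device key and constructed firmware stage images, and uses an HMAC with a device-unique key as a stand-in for the asymmetric attestation key a real secure element or TPM would hold.

```python
import hashlib
import hmac

# Constructed example values: in real hardware the device key lives inside the
# root of trust (secure element / TPM) and never leaves it; the verifier would
# hold the matching public key rather than a shared secret.
DEVICE_KEY = b"constructed-device-unique-key-0001"   # placeholder, not a real key
DEVICE_ID = "endpoint-42"                              # constructed identifier

# Firmware images the verifier considers known-good (constructed sample stages).
REFERENCE_STAGES = [b"bootloader-v1.2", b"kernel-v5.4", b"app-v3.0"]


def extend(register: bytes, measurement: bytes) -> bytes:
    """Measured-boot style extend: new = H(old || H(measurement)).
    The order of the measurements is bound into a single digest."""
    return hashlib.sha256(register + hashlib.sha256(measurement).digest()).digest()


def measure_boot(stages) -> bytes:
    """Chain every boot stage image into one register value."""
    register = b"\x00" * 32
    for image in stages:
        register = extend(register, image)
    return register


def quote(stages, nonce: bytes) -> dict:
    """Endpoint side: the root of trust signs (device id, register, nonce).
    The verifier's nonce makes the quote fresh, so it cannot be replayed."""
    register = measure_boot(stages)
    msg = DEVICE_ID.encode() + register + nonce
    mac = hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()
    return {"id": DEVICE_ID, "register": register, "nonce": nonce, "mac": mac}


def verify_identity(q: dict, nonce: bytes) -> bool:
    """Basic level: is a known endpoint answering *our* fresh challenge?"""
    msg = q["id"].encode() + q["register"] + nonce
    expected = hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()
    return q["nonce"] == nonce and hmac.compare_digest(expected, q["mac"])


def verify_attestation(q: dict, nonce: bytes) -> bool:
    """Enhanced/critical level: identity plus integrity of the measured software.
    A genuine device running modified firmware passes identity but fails here."""
    return verify_identity(q, nonce) and q["register"] == measure_boot(REFERENCE_STAGES)
```

A genuine endpoint with a modified application image still proves its identity, which is all the basic level demands, but its register no longer matches the reference chain, so the attestation check required at the enhanced and critical levels fails.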

“By describing best practices for implementing industrial security that are appropriate for agreed-upon security levels, we’re empowering industrial ecosystem participants to define and request the security they need,” said Dean Weber, IIC white paper co-author, and CTO, Mocana. “Integrators can build systems that meet customer security needs and equipment manufacturers can build products that provide necessary security features efficiently.”

The difficulty with all best practices is in getting them adopted by the relevant parties. Manufacturers are often blamed for developing new products without sufficient regard for building in security. Weber is confident that best practices such as these can reverse this. “Both manufacturers and users cite security as the number one issue for the industrial internet of things,” he told SecurityWeek. “But manufacturers don’t always know what is required, while users don’t always know what to demand.

“These best practices,” he continued, “will help solve the industrial endpoint security problem for both the manufacturers and the practitioners. What we’ve tried to do is provide a summation common to the existing security documents and to do so in short form and easily understood manner; and including footnotes tying it back to the larger documents.”
