Industrial Internet Consortium Guidance Aims to Improve IIoT Endpoint Security for Manufacturers and Practitioners
The Industrial Internet Consortium (IIC) has published a new paper designed to provide a concise overview of the countermeasures necessary to secure industrial endpoints; that is, the industrial internet of things (IIoT).
The paper (PDF) is not meant to provide a checklist for compliance or certification, but rather a starting point to understand what is necessary to ensure IIoT endpoint security. It is, in fact, a distillation of best practices drawn from existing guidance and compliance frameworks: (IISF [IIC-IISF2016], Industrie 4.0 [Ind4.0-ITSec], IEC 62443 [IEC-62443-11], and NIST SP 800-53 [NIST-800-53r4] [NIST-800-53r5]).
“Although there are existing documents such as the IIC’s own Industrial Internet of Things Security Framework (PDF) and other documents from NIST and IEC,” comments Dean Weber, CTO at Mocana, “they’re complex and abstract; and it’s often challenging for practitioners to know how the guidance applies to them in particular.”
But however complex the problem, the need to ensure security for the IIoT, both for itself and for the role it plays in the critical infrastructure, is increasing rapidly. The IIoT is an expanding and fundamental part of operational technology, rapidly increasing its attack surface. Criminals are attracted by the possibility of extorting companies that rely on their OT, while nation states are surveilling — and sometimes employing — methods to disrupt critical infrastructures.
This paper provides a starting point for improving IIoT endpoint security, such as sensors, actuators, pumps, flow meters, controllers and drives in industrial systems, embedded medical devices, electronic control units, vehicle control systems; and communications infrastructures and gateways.
The authors of the paper — Steve Hanna (Infineon Technologies), Srinivas Kumar (Mocana), and Dean Weber (Mocana) — define three levels of endpoint security: basic, enhanced and critical. These correspond to security levels 2, 3, and 4 as defined in IEC 62443 3-3. Neither the levels nor the advice in the paper are geared towards any particular industry sector, but are designed to provide a cross-sector horizontal starting point.
“The purpose of the document,” Weber told SecurityWeek, “is to provide some concise recommendations on best practices for securing industrial endpoints. The reason this is so important is because industrial systems are increasingly connected within the system and beyond, including cloud big data. While there are many benefits to having this additional connectivity and bringing crowd intelligence on things like predictive maintenance, customized manufacturing etc, there are also some significant drawbacks if the security is not properly handled.”
Basic security is defined as providing protection against “intentional violation using simple means with low resources”, such as an ordinary virus. Enhanced security provides protection against attackers using “sophisticated means with moderate resources”, such as exploiting known vulnerabilities. Critical security provides protection against attackers with “sophisticated means with extended resources”, such as the ability to develop custom zero-day attacks. Risk assessments should determine the correct level of security for each endpoint in different organizations.
Security needs to be interwoven with other requirements such as safety, privacy, reliability and resilience in the face of environmental disruptions, human errors, system faults and attacks in order to provide the overall goal: trustworthiness.
The three security levels are described with the countermeasures required for each level. Basic security requires ‘root of trust’, ‘endpoint identity’, ‘secure boot’, ‘cryptographic services’, and ‘secure communications’. Enhanced security requires the addition of ‘endpoint configuration and management’; while critical security further requires ‘continuous monitoring’ ‘security information and event management’, and a ‘policy and activity dashboard’.
Each of these countermeasures and the rationale for their inclusion in each security level is then further discussed. The detail of some countermeasures changes between the levels. For example, a root of trust is required for all three levels. It is required to provide endpoint identity for all levels; but is further required to provide attestation of software and hardware identity and integrity in the enhanced and critical levels.
“By describing best practices for implementing industrial security that are appropriate for agreed-upon security levels, we’re empowering industrial ecosystem participants to define and request the security they need,” said Dean Weber, IIC white paper co-author, and CTO, Mocana. “Integrators can build systems that meet customer security needs and equipment manufacturers can build products that provide necessary security features efficiently.”
The difficulty with all best practices is in getting them adopted by relevant parties. Manufacturers are often blamed for developing new product without sufficient regard for building in security. Weber is confident that best practices such as these can reverse things. “Both manufacturers and users cite security as the number one issue for the industrial internet of things,” he told SecurityWeek. “But manufacturers don’t always know what is required, while users don’t always know what to demand.
“These best practices,” he continued, “will help solve the industrial endpoint security problem for both the manufacturers and the practitioners. What we’ve tried to do is provide a summation common to the existing security documents and to do so in short form and easily understood manner; and including footnotes tying it back to the larger documents.”