by Dr. Jesus Molina, Security Consultant, Fujitsu
Attacks on industrial sites will not be a local affair in the industrial internet, but an international one. Global cooperation is essential to protect the industrial internet, and developing the recently published Industrial Internet Security Framework (IISF) required intense collaboration from many contributors around the world.
It was not easy, and it didn’t happen overnight. One of the main reasons the IISF required years to complete is our promise to listen to everyone willing to work with us, and to be inclusive of many views: OT, IT, academia… you name it.
We received hundreds of comments on each draft of the document, from companies and institutions across the world. In the process, we realized it was essential to get it right rather than rush the document out. But many drafts later, we believe the final document provides a comprehensive and balanced view on how to secure current and future industrial systems. It is also a living document, and we are already working on the next version.
When asked what the distinctive feature of this framework is, my answer is the unprecedented collaboration during its development. In this blog I can provide two examples: our cooperation with NIST in the USA and with Industrie 4.0 in Germany. We are also working with many more institutions around the world.
NIST and Industrie 4.0
Trustworthiness is the new word du jour in the IoT. The National Institute of Standards and Technology (NIST) held a two-day workshop on August 30 and 31 focusing on it: “Exploring the Dimensions of Trustworthiness: Challenges and Opportunities”. With distinguished attendees like Vint Cerf (aka the internet co-daddy), Tony Scott (the White House CIO) and the Secretary of Cyber Policy for the Department of Homeland Security, this is no doubt an essential topic.
We covered trustworthiness in my previous blog, and trustworthiness is also covered in the IISF. This is no coincidence: the IIC has been cooperating with NIST, sharing a common vocabulary and building on the Cyber Physical Systems (CPS) architecture to structure our evaluation of IIoT systems. On the European side, the German platform for manufacturing in the industrial internet, Industrie 4.0, and the IIC are also cooperating. On the security front, we have held several calls to evaluate the path going forward, and with the release of the IISF we could start bringing in the manufacturing knowledge and experience of the Industrie 4.0 membership. As part of the IIC quarterly meeting in Germany, we had a whole day of presentations to coordinate our activities.
The IISF complements the currently released documents from both institutions. NIST released the CPS architecture, focusing on the evaluation of CPS systems based on multiple characteristics that require evaluation. The IISF complements this evaluation by creating functional building blocks in security that can be evaluated from each characteristic. On the other hand, Industrie 4.0 is focused on securing a specific vertical, manufacturing, and as such provides an in-depth exploration of particular topics that correspond to the IISF functional building blocks.
For example, while building an IIoT deployment, the identity building block in endpoints can be cross-evaluated with a privacy framework or any other characteristic that becomes relevant to a specific CPS trustworthy deployment. Consequently, an automotive deployment should leverage strong identities with privacy, for example following the 1609.2 standard to anonymize identities. At the same time, if the deployment is in manufacturing, the Industrie 4.0 Secure Identities provides important information for implementation.
The IIC membership spans 250 members from 30 countries, including enterprise, national bodies and academia. We also have liaisons with other organizations committed to security that provided invaluable input that made the IISF possible. As such, this framework is the combined effort of many experts from all security areas, providing a balanced view and guidance that complements other efforts, including the documents released by NIST and Industrie 4.0.
This security framework required many contributions, patience and testing to get it right. All parallel efforts to protect the industrial internet need to converge, and we expect the IISF to complement the ecosystem of security documents for a comprehensive protection of industrial systems. And I agree, the Industrial IoT is inching towards a consensus on security.
The Industrial Internet Security Framework is free and available here.
Additional Resources:
- Learn more at the upcoming Industrial Internet Security Forum.
- Download the Industrial Internet Security Framework.
- Read the Business Viewpoint for Securing the Industrial Internet (Whitepaper).