The IISF is a comprehensive resource for understanding Industrial Internet of Things (IIoT) security considerations, developed by international security experts from the Industrial Internet Consortium. The objective of the IISF is to drive consensus in the industry, promote IIoT security best practices and accelerate their adoption. The IISF explains how security fits within the business of industrial operations. It defines functional building blocks for addressing security concerns, provides implementation guidance and practical techniques for IIoT security. The download of the Industrial Internet Security Framework is free.
The IISF is written for CTOs, CISOs and technical security experts. They can use the IISF as a guide to implement the industrial Internet security technologies available today to enhance the availability and reliability of their system and thus gain significant return on investment (ROI).
For CEOs and business managers, the IISF provides a discussion on the business drivers enabled by proper security and explores the related industrial concerns on safety, reliability, resilience, and privacy. It highlights the need for every organization across every industry to secure their IIoT systems and to deploy best-practice security solutions immediately.
The Industrial Internet Consortium also published a white paper (also free to download), The Business Viewpoint of Security the Industrial Internet, which provides an executive overview of the Business Viewpoint and offers a window into the IISF’s considerations and best practices.
Every IIoT project must implement security throughout. Deploying appropriate security in an industrial setting brings many levels of complexity. The IISF brings a comprehensive protection approach with the goal of minimizing risk.
Recent events have illustrated the risk of being attacked from unexpected sources both inside and outside the system, whether intended or accidental. There is a commanding need to protect against error, mischance and malicious intent. The Industrial Internet Consortium believes that these industrial security risks represent a major threat to world safety and security.
The IISF identifies, explains and positions security-related architectures, designs and technologies, as well as identifies procedures relevant to trustworthy IIoT systems. It describes their security characteristics, technologies and techniques that should be applied, methods for addressing security, and how to gain assurance that the appropriate mix of issues have been addressed to meet stakeholders' expectations. The publication of the IISF initiates a process to create broad industry consensus on how to secure IIoT systems.
Part I examines key system characteristics, such as safety, reliability, resilience, security, and privacy and how they should be assured together to create a trustworthy system. It also explores what makes IIoT systems different from traditional IT systems.
Part II reviews security assessment for organizations, architectures and technologies. It outlines how to evaluate attacks as part of a risk analysis and highlights the many factors that should be considered, ranging from the endpoints and communications to management systems and the supply chains of the elements comprising the system.
Part III covers the functional and implementation viewpoint. It describes best practices for achieving confidentiality, integrity and availability. It describes security building blocks for policy, data, endpoints, communications, monitoring and management.
The IISF builds on the ‘Industrial Internet Reference Architecture’ (IIRA) that lays out the most important architecture components, how they fit together and how they influence each other. Each of these components must be made secure, as must the key system characteristics that bind them together into a trustworthy system. The IISF extends naturally from a chapter in the IIRA describing security concerns. It moves into security-specific territory to ensure security is a fundamental part of the architecture, not bolted onto it.
IIoT has materialized and the security concerns from the IT world are affecting the OT world. Traditional IT security solutions may not apply directly to the OT world, so the IISF addresses what considerations should be highlighted to implement better security.
By following the guidance of the IISF and securing IIoT systems, businesses are able to access valuable information that was not previously available, leading to a more comprehensive and systematic approach to security. Applying this new information improves the accuracy of the business-critical decisions. Protecting operations against the risk of damage brought about by security breaches saves money, time and reputation.
A successful attack on an IIoT system has the potential to be as serious as the worst industrial accidents to date (e.g., Chernobyl and Bhopal), resulting in damage to the environment, injury or loss of human life. There is also risk of secondary damage such as interruption or stoppage of operations, destruction of systems, leaking sensitive business and personal data resulting in loss of intellectual property, harm to the business reputation, loss of customers, material economic loss, damage to brand and reputation, damage to critical infrastructure handling electricity, water, oil, and gas, irreparable damage to the environment. The advantages of avoiding these circumstances is obvious. Attacks on critical infrastructure and IIoT are growing and appropriate responses must be strategically planned.
A successful attack on an IIoT system has the potential to be as serious as the worst industrial accidents to date (e.g., Chernobyl and Bhopal), resulting in damage to the environment, injury or loss of human life. There is also risk of secondary damage such as interruption or stoppage of operations, destruction of systems, leaking sensitive business and personal data resulting in loss of intellectual property, harm to the business reputation, loss of customers, material economic loss, damage to brand and reputation, damage to critical infrastructure handling electricity, water, oil, and gas, irreparable damage to the environment. The advantages of avoiding these circumstances is obvious. Attacks on critical infrastructure and IIoT are growing and appropriate responses must be strategically planned.
Manufacturers, system integrators and vendors are represented in the IISF. All stakeholders can start adopting a security approach based on the IISF, mapping their products and solutions into the IISF building block, finding gaps in their designs and implementing appropriate remediation techniques. Moreover, the Industrial Internet Consortium encourages vendors to collaborate in creating tools to improve the utilization and adoption of the IISF, such as security checklists for different verticals and maturity models based on the IISF.
Privacy is one of the key system characteristics that most affects the decisions about the trustworthiness of an IIoT system. In the IISF, privacy and the other four key system characteristics are described in detail. Privacy and its assurance are discussed in a dedicated section. Some key system characteristics such as safety and privacy will also be addressed in future topic-specific frameworks.
The IISF is a reference for the Industrial Internet Consortium’s testbeds that span verticals such as smart grid, transportation, smart cities, agriculture, industrial maintenance and others. The security evaluations of these testbeds provide continuous feedback that will be used to update the information in subsequent versions of the IISF and aid in creating evaluation material including security checklists and maturity models for industrial systems.
As the best practices described in the IISF are applied to industrial Internet testbeds and use cases, industrial security standards will be tested and gaps in those standards will be identified. The Industrial Internet Consortium exposes the existence of those gaps to the appropriate standards organizations in the form of recommendations. Based upon these recommendations and the reported testing, it is our hope that the standards organizations will address those gaps. The IISF is not a standard and does not strive to become a standard. The IISF is a living document reflecting collaboration of cross-industry expertise and the actual testing of these concepts, recommendations and practices. It is our plan to be a resource for standards organizations and to positively influence the development of industrial Internet security standards. In this way, we will drive progress toward secure and interoperable industrial Internet systems.
The IISF is a collaboration of members of the Industrial Internet Consortium. This publication reflects thousands of hours of knowledge and experiences from security experts, collected, researched and evaluated for the benefit of all IIoT system deployments. Contributors dedicated their valuable time and expertise in authoring, editing and other ways. For a list of primary authors and contributing organizations, see the IISF landing page.