By Gregory Hale
Security in the evolving Industrial Internet of Things (IIoT)-laden manufacturing automation sector means there is a need to understand differing areas of expertise.
They first have to understand the IoT environment, then they need process automation expertise, comprehend the IT/OT relationship, and then of course cybersecurity.
There is now one place where manufacturing automaton practitioners can go to gather all that information, and that is with the Security Maturity Model (SMM) Practitioner’s Guide, which provides detailed actionable guidance enabling IoT stakeholders to assess and manage the security maturity of IoT systems.
“The guide gives guidance on how do you deal with the challenges and invest properly to solve your problems in security and do it in the right amount and the right ways which is a difficult problem. As a strategy, it gives guidance and a model of how to go about doing this and it leads into actionable things to do,” said Frederick Hirsch, standards manager at Fujitsu and also Co-Chair of the Trustworthiness Task Group for the Industrial Internet Consortium (IIC), which published the guide.
As organizations connect their systems to the Internet, they become vulnerable to new threats, and they are have concerns about security. Addressing these concerns requires investment, but determining investment focus and amount is a difficult business decision. The SMM provides a structured top-down approach toward setting goals as well as a means toward assessing the current security state, taking into account various specific practices. The SMM allows an organization to trade off investment against risk.
“There are many questions to ask in what you are trying to do,” Hirsch said. “It is like how do you know what is going on in your threat environment? How do you address the requirements properly? How do you evaluate the risk?”
The model assess the maturity of organizations’ IoT systems in a way that includes governance, technology and system management. Other models hit on parts of the what the guideline covers, but this attempts to cover all the bases.
“What you do is highly dependent on the situation you are in,” Hirsch said. “You have different needs on what you are doing. If you are in a hospital room it is much different than on a manufacturing floor, which is different than just a smart light bulb. There is no one set of answers for anything, so you are going to have to figure it out.”
One of the aspects the guide deals with is convergence of IT and OT.
“The model is very flexible so it can work in both cases if the organization treats IT and OT separately or if they have converged the model, it will be applicable in any case,” said Matthew Eble, practice director of IoT security services for Praetorian and co-author of IIC’s SMM Practitioner’s Guide.
“We have to consider IT/OT together,” Hirsch said. “It is converging over time. There are issues and difficulties like patch management to how you manage your systems. The forces driving the desire to interconnect systems for business information data and analytics are really strong so the thought the system can be totally distinct from each other is not right. The need to collect data and enhance your processes and use machine learning is a really strong motivating factor for combining systems, but yet they are different communities at this point and so yeah there will be a time period where we have to see both ways of doing things. We have to address the risks when you suddenly try to connect an industrial system to the Internet where if you don’t think about it, there are a lot of consequences for safety. Even if you think you are air-gapped you are not as strong as you think.”
Built in Flexibility
The practitioner’s guide includes tables describing what must be done to reach a given level of comprehensiveness for each security domain, subdomain and practice and can be extended to address specific industry or system scope needs. Following each table is an example using various industry use cases to demonstrate how an organization might use the table to pick a target state or to evaluate a current state.
“We have comparable models for enterprise security level.” Eble said. “This allows more flexibility and focuses on things that matter and what is really going to move the needle in terms of security rather than a compliance-based list of implementing all controls where any number of them might not make any sense.
“This gives us a common language to have security discussions. To do this properly you have to have some expertise and you have to spend some time to think analytically and really assess which controls are applicable and which are going to make the most difference,” Eble said. “It is a little harder than if you have a framework that has a list of things that you have to implement. However, after go through the exercise you can feel more confident the security investments you are making are actually going to help the eco-systems’ overall security and you are not spending time implementing things that are not going to give you value.”
Click here to download the guide.