A new guidance published that can offer an overview of starting off security and the countermeasures needed to secure the industrial Internet of Things (IIoT).
Published by the Industrial Internet Consortium (IIC), the paper, written by Steve Hanna from Infineon Technologies, Srinivas Kumar and Dean Weber, both from Mocana, is a starting point to understand what is necessary to ensure IIoT endpoint security.
The paper is a compilation of best practices drawn from existing guidance and compliance frameworks, (IISF [IIC-IISF2016], Industrie 4.0 [Ind4.0-ITSec], IEC 62443 [IEC-62443-11], and NIST SP 800-53 [NIST-800-53r4] [NIST-800-53r5]).
With all the concepts of security floating around and end users just starting up a security program, it is often a challenge to know where to start and how everything applies to the specific organization.
With IIoT continuing its growth curve, the need to ensure security is hitting the industry quickly. The IIoT is an expanding and fundamental part of operational technology, rapidly increasing its attack surface.
Cybercriminals are attracted by the possibility of extorting companies that rely on their OT, while nation states are spying and searching for ways they could disrupt critical infrastructures in the future.
The paper provides a starting point for improving IIoT endpoint security, such as sensors, actuators, pumps, flow meters, controllers and drives in industrial systems, embedded medical devices, electronic control units, vehicle control systems; and communications infrastructures and gateways.
The authors of the paper define three levels of endpoint security: Security Level Basic, Security Level Enhanced, and Security Level Critical.
These correspond to security levels 2, 3, and 4 as defined in IEC 62443 3-3.
By describing best practices for implementing industrial security appropriate for agreed-upon security levels, this document empowers industrial ecosystem participants where:
• Owner-operators can define and request the security they need
• Integrators can build systems that meet customer security needs efficiently
• Equipment manufacturers can build products that provide necessary security features
• Governments can drive adoption of best practices for industrial security