The Industrial Internet is an internet of - things, machines, computers and people, enabling intelligent industrial operations using advanced data analytics for transformational business outcomes.
Industrial domain is expected to be largest consumer of IoT devices and systems in terms of value
1. Industrial IoT Security Standards
& Frameworks
SACON, Pune
Sujata Tilak, M.D., Ascent Intellimation;
President, ISA Pune Section
2. The Industrial Internet
The Industrial Internet is an internet of - things, machines, computers and
people, enabling intelligent industrial operations using advanced data
analytics for transformational business outcomes.
Industrial domain is expected to be largest consumer of IoT devices and
systems in terms of value
4. Why IIoT Security Standards
Industries will need to use diverse systems and
equipment but everything will be integrated on
smart factory floor
Legacy systems must be brought under
implementation
Legacy approach was to create self sufficient
and unconnected silos which now need to be
integrated
Every weak link in the chain puts whole factory
at RISK
Thus leaving security at the hands of individual
IIoT implementers is suicidal
5. Why IIoT Security Standards
STANDARDS AND FRAMEWORKS ARE
THE ONLY WAY TO “SECURE” IIOT
SYSTEMS “SECURITY”
6. • CIA triad
– Confidentiality
– Integrity
– Availability
• IIoT has two more requirements
– Reliability / Resilience
– Safety
Cybersecurity Requirements
7. GOI - Draft Policy on Internet of Things
5.3.1 STANDARDS
To facilitate global and national participation of industry and research
bodies with relevant global Service Setting Organizations for promoting
standards around IoT technologies developed in the country. To appoint
relevant nodal organization for driving and formalizing globally acceptable
standards relating to technology, process, interoperability and services
Further a Discussion Group is formed for IoT Security
Chaired by:
Dr Ajay Kumar, Additional Secretary, Ministry of Electronics and IT
Members from:
1. CERT-In
2. Various Companies
3. R & D and Educational institutes
9. Onsite / site specific
Offsite
develops control systems
designs and deploys
operates and maintains
is the base for
Control System
as a combination of components
Host
devices
Network
components Applications
Embedded
devices
4-1
3-3
4-2
develops components
Product Supplier
System Integrator
Asset Owner
Service Provider
Industrial Automation and Control System
(IACS)
+
2-4
3-2
2-1
2-4
Operational policies and procedures
Automation solution
Basic Process
Control System
(BPCS)
Safety Instrumented
System (SIS)
Complementary
Hardware and
Software
Maintenance policies and procedures
2-3
3-3
Application of Standard to IACS
10. IIoT Systems
+
Operational policies and procedures
Automation solution
Basic Process
Control System
(BPCS)
Safety Instrumented
System (SIS)
Complementary
Hardware and
Software
Maintenance policies and procedures
Overlay IIoT
Edge DevicesEdge DevicesEdge Devices
Edge DevicesEdge DevicesGateways
IIoT
Server
11. IEC 62443-3-3 and IEC 62443-4-2
Control system capability security levels: SL-C are defined for following
areas. In each area, 4 security levels are defined each level progressively
advance
1. Identification and authentication control (IAC)
2. Use control (UC)
3. System integrity (SI)
4. Data confidentiality (DC)
5. Restricted data flow (RDF)
6. Timely response to events (TRE)
7. Resource availability (RA)
8. Application Requirements (ACR)
9. Embedded Device Requirements (EDR)
10. Host Device Requirements (HDR)
11. Network Device Requirements (NDR)
12. Industrial Internet Reference Architecture (IIRA)
• Published by Industrial Internet Consortium,
www.iiconsortium.org
• Latest version, 1.8, published in Jan 2017
• First consolidated framework for IIoT
• Objective is to build broad industry consensus to
drive interoperability and simplify development of
Industrial Internet systems
• Safety, Security and Privacy is intrinsic part of the
framework and is considered in every aspect
13. Industrial Internet Security Framework (IISF)
• Published in Sept 2016
• Considers divergent views of IT and OT on
– Safety
– Security
– Resilience
• Goes beyond Security and looks at
Trustworthiness of IIoT Systems
• It encompasses - security, safety, reliability,
resilience and privacy
14. Security Perspectives
• Managing Risks
• Business continuity
• Trust
• Reputation / IP
• Investment
Business
Viewpoint
• Confidentiality
• Data integrity / security
• Availability
• Safety
• Resilience
• Performance
Usage &
Functional
Viewpoint
19. Implementation Viewpoint
• Lists eight design principles for implementation of
security capabilities in IIoT systems
• For each item in Functional Viewpoint, describes
– Security objectives
– Architectural considerations
– Security lifecycle
– Threat vectors
– Protection techniques / technologies
– brownfield considerations
20. In a nutshell
• IIoT is a huge paradigm shift for OT / Control
Systems as well as IT
• There are some peculiar security challenges
• Security should be considered at design stage
• However in large number of brown field
installations, security has to be added later
• Standards exist for control systems, but they do
not consider combined IT + OT + CS impact
• IISF is trying to fill this gap and doing a good job
OT systems give highest importance to Safety where as Safety is generally not applicable to most IT systems.
OT systems rely more on physical security and separation
Control Systems are resilient and fault tolerant
OT systems give highest importance to Safety where as Safety is generally not applicable to most IT systems.
OT systems rely more on physical security and separation
Control Systems are resilient and fault tolerant
Endpoint Root of Trust provides a foundation to secure other functions at the endpoint
Economy of mechanism, Failsafe defaults, Separation of privileges