The Industrial Internet is an internet of - things, machines, computers and people, enabling intelligent industrial operations using advanced data analytics for transformational business outcomes. Industrial domain is expected to be largest consumer of IoT devices and systems in terms of value

1. Industrial IoT Security Standards
& Frameworks
SACON, Pune
Sujata Tilak, M.D., Ascent Intellimation;
President, ISA Pune Section

2. The Industrial Internet
The Industrial Internet is an internet of - things, machines, computers and
people, enabling intelligent industrial operations using advanced data
analytics for transformational business outcomes.
Industrial domain is expected to be largest consumer of IoT devices and
systems in terms of value

3. 3
Industrial Ecosystem
UbiquitousNetworkConnectivty
Pervasive Sensing
AdvanceComputing
IIoT
IIoT embodies convergence of
−Operations Technology (OT)
−Information Technology (IT)
−Industrial Automation & Control
Systems (IACS)
−Networking and Communications
Cyber Physical Nature

4. Why IIoT Security Standards
 Industries will need to use diverse systems and
equipment but everything will be integrated on
smart factory floor
 Legacy systems must be brought under
implementation
 Legacy approach was to create self sufficient
and unconnected silos which now need to be
integrated
 Every weak link in the chain puts whole factory
at RISK
 Thus leaving security at the hands of individual
IIoT implementers is suicidal

5. Why IIoT Security Standards
STANDARDS AND FRAMEWORKS ARE
THE ONLY WAY TO “SECURE” IIOT
SYSTEMS “SECURITY”

6. • CIA triad
– Confidentiality
– Integrity
– Availability
• IIoT has two more requirements
– Reliability / Resilience
– Safety
Cybersecurity Requirements

7. GOI - Draft Policy on Internet of Things
5.3.1 STANDARDS
To facilitate global and national participation of industry and research
bodies with relevant global Service Setting Organizations for promoting
standards around IoT technologies developed in the country. To appoint
relevant nodal organization for driving and formalizing globally acceptable
standards relating to technology, process, interoperability and services
Further a Discussion Group is formed for IoT Security
Chaired by:
Dr Ajay Kumar, Additional Secretary, Ministry of Electronics and IT
Members from:
1. CERT-In
2. Various Companies
3. R & D and Educational institutes

8. ISA/IEC 62443-1
General
Information and
Definitions
ISA/IEC 62443-2
Policy and
Procedures
ISA/IEC 62443-3
System Level
Requirements
ISA/IEC 62443-4
Component
Level
Requirements
ISA / IEC 62443 Standards

9. Onsite / site specific
Offsite
develops control systems
designs and deploys
operates and maintains
is the base for
Control System
as a combination of components
Host
devices
Network
components Applications
Embedded
devices
4-1
3-3
4-2
develops components
Product Supplier
System Integrator
Asset Owner
Service Provider
Industrial Automation and Control System
(IACS)
+
2-4
3-2
2-1
2-4
Operational policies and procedures
Automation solution
Basic Process
Control System
(BPCS)
Safety Instrumented
System (SIS)
Complementary
Hardware and
Software
Maintenance policies and procedures
2-3
3-3
Application of Standard to IACS

10. IIoT Systems
+
Operational policies and procedures
Automation solution
Basic Process
Control System
(BPCS)
Safety Instrumented
System (SIS)
Complementary
Hardware and
Software
Maintenance policies and procedures
Overlay IIoT
Edge DevicesEdge DevicesEdge Devices
Edge DevicesEdge DevicesGateways
IIoT
Server

11. IEC 62443-3-3 and IEC 62443-4-2
Control system capability security levels: SL-C are defined for following
areas. In each area, 4 security levels are defined each level progressively
advance
1. Identification and authentication control (IAC)
2. Use control (UC)
3. System integrity (SI)
4. Data confidentiality (DC)
5. Restricted data flow (RDF)
6. Timely response to events (TRE)
7. Resource availability (RA)
8. Application Requirements (ACR)
9. Embedded Device Requirements (EDR)
10. Host Device Requirements (HDR)
11. Network Device Requirements (NDR)

12. Industrial Internet Reference Architecture (IIRA)
• Published by Industrial Internet Consortium,
www.iiconsortium.org
• Latest version, 1.8, published in Jan 2017
• First consolidated framework for IIoT
• Objective is to build broad industry consensus to
drive interoperability and simplify development of
Industrial Internet systems
• Safety, Security and Privacy is intrinsic part of the
framework and is considered in every aspect

13. Industrial Internet Security Framework (IISF)
• Published in Sept 2016
• Considers divergent views of IT and OT on
– Safety
– Security
– Resilience
• Goes beyond Security and looks at
Trustworthiness of IIoT Systems
• It encompasses - security, safety, reliability,
resilience and privacy

14. Security Perspectives
• Managing Risks
• Business continuity
• Trust
• Reputation / IP
• Investment
Business
Viewpoint
• Confidentiality
• Data integrity / security
• Availability
• Safety
• Resilience
• Performance
Usage &
Functional
Viewpoint

15. Functional Viewpoint Blocks
Source: IISF
• Four core security functions
• Data protection layer
• Security model and policy layer

16. Endpoint Protection
Source: IISF

17. Communication & Connectivity Protection
Source: IISF

18. Data Protection
Source: IISF

19. Implementation Viewpoint
• Lists eight design principles for implementation of
security capabilities in IIoT systems
• For each item in Functional Viewpoint, describes
– Security objectives
– Architectural considerations
– Security lifecycle
– Threat vectors
– Protection techniques / technologies
– brownfield considerations

20. In a nutshell
• IIoT is a huge paradigm shift for OT / Control
Systems as well as IT
• There are some peculiar security challenges
• Security should be considered at design stage
• However in large number of brown field
installations, security has to be added later
• Standards exist for control systems, but they do
not consider combined IT + OT + CS impact
• IISF is trying to fill this gap and doing a good job

21. Thank You!
sujata.Tilak@aiplindia.com