The Industrial Internet Security Framework: What It Is and Why You Should Care
Written by Hamed Soroush
October 5, 2016
Industrial Internet of Things (IIoT) systems connect and integrate industrial control systems with enterprise systems, business processes, and analytics. According to the World Economic Forum (WEF), the Industrial Internet will be hugely transformative; it will change the basis of competition, redraw industry boundaries, and create disruptive companies. Hugely improved operational efficiency, emergence of an outcome economy, and new connected ecosystems -- that blur traditional industry boundaries -- are among key business opportunities. There are, of course, significant hurdles to overcome, chief among them are security and interoperability based on the same report.
Security risks in IIoT systems can not be underestimated. To get a glimpse of what could potentially happen, take a look at the following video; demonstrating an experiment known as Aurora Generator Test, conducted by Idaho National Lab back in 2007:
The experiment demonstrates how a computer program could be used to rapidly open and close a diesel generator’s circuit breakers out of phase from the rest of the grid, causing it to explode. The Aurora vulnerability itself is not a software vulnerability, but existence of a huge amount of old infrastructure and legacy communication protocols creates concern about the security of these systems and the ability of attackers to exploit this vulnerability.
Of course, a lot has happened since 2007 when the Aurora research experiment was conducted. Real attacks on critical infrastructure have already happened. Attacks on Ukraine’s power grid and a German Steel Mill or existence of malware like StuxNet indicate that the industrial internet should take necessary steps to protect the large number of already deployed legacy systems, in addition to coming up with new processes and technologies with thoughtfully integrated security support.
The Industrial Internet Consortium (IIC), the leading Industrial Internet consortia, comprises more than 250 companies and sets the architectural framework and direction for the Industrial Internet. The IIC recognized the necessity of protecting legacy systems and developing integrated security support since its inception in 2014. The Security Working Group at the IIC was tasked with initiating a process to create broad industry consensus on how to protect IIoT systems. This guidance would also be applied in IIC Testbeds, prototypes of IIoT systems developed by teams made up of IIC member companies. After two years of hard work, the IIC released the first version of this guidance document, titled the “Industrial Internet Security Framework (IISF).”
IISF is made up of different parts, each treating different viewpoints and aspects of security for the Industrial Internet.
Part I: Introduction
In Part I, key system characteristics for IIoT systems, and their assurance requirements that make these systems trustworthy, are examined. Furthermore, aspects of IIoT systems that are distinguished from Information Technology (IT) systems, Operational Technology (OT) Systems, and consumer IoT systems are discussed and their consequences for security designs explored.
Part II: The Business Viewpoint
In Part II, different aspects of identifying, communicating, and managing risk is discussed, along with requirements and approaches for assessing security of organizations, architectures, and technologies.
Part III: Functional and Implementation Viewpoints
This section describes functional building blocks for implementing security in IIoT systems as well as related technologies and best practices for protecting endpoints, communications and connectivity, configuration, management, and monitoring.
In the upcoming IIC Industrial Internet Security Forum, hosted at RTI headquarters, authors and editors of the IISF will cover more details about the framework. See the full agenda here. In my presentation, I will go over more details on functional and implementation aspects of protecting communications and connectivity. RTI’s VP of Products & Markets, David Barnett, will go over a specific use case on protecting Medical IoT systems: showing why and how Data Distribution Service Security could be used to protect Integrated Clinical Environments (ICE).
 Read more about protecting Integrated Clinical Environments in this paper.