One of the most prominent industry groups involved with industrial IoT has unveiled what it calls a comprehensive and sorely needed security framework document, the Industrial Internet Security Framework (IISF). Here are the key details from the Industrial Internet Consortium's announcement:
The IISF emphasizes the importance of five IIoT characteristics – safety, reliability, resilience, security and privacy – that help define “trustworthiness” in IIoT systems. The IISF also defines risk, assessments, threats, metrics and performance indicators to help business managers protect their organizations.
IIoT security cannot be considered in isolation. It comprises a complex set of industrial processes and applications as well as significant safety and reliability requirements. For example, although it is desirable to implement predictive maintenance capabilities in high-value electric power generation equipment, doing so may open the door to new threats. Adding security in this scenario can be challenging but without it, there could be serious consequences as a successful attack could cause injury, loss of life, or long-term damage to the environment.
“Today, many industrial systems simply do not have adequate security in place,” said Dr. Richard Soley, Executive Director, IIC. “The level of security found in the consumer Internet just won't do for the Industrial Internet."
The IIC was formed in 2014 by AT&T, GE, IBM, Cisco and Intel and now counts many other members, including Symantec, Microsoft, Hitachi and Fujitsu. The security framework was devised as a way to achieve broad industry consensus on industrial IoT security, with an eye on influencing the shape of official standards that are yet to come.
As many documents written by committee tend to be, the framework is quite lengthy and detailed, weighing in at 173 pages. That right there is a bad sign, says Constellation Research VP and principal analyst Steve Wilson, who leads Constellation's research into security and privacy.
"I'm sorry but on its face, this exercise looks like they're making things way too hard," Wilson says. "We do not need another manifesto of how to do security. The majority of IoT security boils down to embedded software quality and the uncomfortable truth is that we just don't dedicate enough time to the design, review, inspection and testing of embedded software."
"Drug infusion pumps in hospitals can be hacked over the air because some wise guy thought it would be good to network these devices over wifi without much attention to logon credentials," Wilson adds. "The new Jeep had to be recalled after hackers found they could take over the Chrysler UConnect drive control system, again through poor access control design. We've seen a shocking absence of inspection and testing in mission-critical software -- like the SSL web security modules in the whole Apple family, or the Heartbeat module in OpenSSL web server software."
"These experiences are a glimpse of what's to come in IoT if we don't reprioritise the software development lifecycle," Wilson says. "We don't need new 173-page guidelines for IoT security. We need to devote more time and care and attention to development."
But Constellation VP and principal analyst Andy Mulholland, who leads Constellation's research into IoT, isn't quite as skeptical.
"The announcement contains the good news that at last there is recognition of the need for a strategic approach to IoT security with most of the most influential and experienced names in IoT involved, but unfortunately the solution is not going to be quick or easy, so don't expect too much too soon," Mulholland says. "There are two other plus points to the approach: First, the involvement of Internet 4.0 strengthens the linkage between US-centric and European-centric IoT activities, and second, this initiative may well be the beginnings of a set of architectural practices for IoT which is also sorely needed as in any complex many-to-many integration scenario, security is as much dependent on the architecture of the system as on any one component or activity."
Those contemplating the framework's benefit to current IoT deployments should "understand and make use of the splitting of the technology and deployment of IoT into four areas: endpoints, communications, monitoring, and configuration," he adds. "Constellation Research has long published the importance of understanding these areas and not merely focusing on the business requirement."