As the manufacturing world gets more connected with internet of things technology, security is fast becoming a front-burner issue.
This is why the Industrial Internet Consortium (IIC), an open-membership organization formed to accelerate adoption of the industrial internet of things (IIoT), created the Industrial Internet Security Framework (IISF), which was published Sept. 19. Like other such frameworks, the goal of IISF is to provide cybersecurity best practices guidance to a swath of industry verticals and IIoT vendors as they move deeper into the hyperconnected world the IIoT represents.
"You can't be building smart things if your manufacturing process is not secure," said Sven Schrecker, IISF co-chair and chief architect of IoT security solutions at Intel. "The IISF can be used as a checklist to evaluate the shortcomings in any vertical. It allows you to plan and improve the current [IoT] security posture."
The idea is to drive industry consensus around cybersecurity practices, Schrecker said, so that "security issues don't spin out of control like we did with the internet revolution."
For manufacturers in particular, the IIoT can be a minefield. In the safety-first culture that manufacturing represents, cybersecurity has long been a nice-to-have -- often bolted on to whatever sensor or system that's being put into place, if at all. But when machines are connected to other machines via networks of sensors that may or may not be physically securable (or even part of the operator's own network), the potential for harm goes up dramatically.
The Stuxnet virus, which took out Iran's nuclear centrifuges in 2010, is proof positive that the sensors controlling most of the world's industrial supervisory control and data acquisition (SCADA) systems are extremely vulnerable to hacking. And, in today's world rife with terrorist plots to take out critical infrastructure, these threats cannot be ignored.
"For that reason, I'm genuinely hopeful that [IIoT device makers have been paying] attention -- as have people in the SCADA space -- and are going to be attempting to harden devices and that there will be a demand for hardened industrial devices in the marketplace," said Tom Henderson, principal researcher at Extreme Labs Inc., an IT product review and testing lab, comparing the IIoT space to the more familiar consumer IoT landscape.
System of trust
The IISF is intended as a cybersecurity roadmap for operators, too, Schrecker said. The idea is to give everyone in the IIoT supply chain -- from the device makers, systems integrators and up through the C-suite -- the guidance they need to deploy IIoT systems that have security best practices built in.
"This is an excellent document," said analyst Saniye Burcu Alaybeyi, who is part of Gartner's IoT team and former chair of the IIC's Use Case Task Group. "They thought about everything, from root of trust all the way to the upper layers of the IoT stack."
One of the big cyber problems manufacturing will be faced with, for example, is IIoT's potential for turning sensors and endpoints into a botnet. This is not a theoretical problem. On Sept. 13, the popular cybersecurity blog Krebs on Security was hit with what was reported to be the largest distributed denial-of-service attack in history. The attack was launched from an army of compromised IoT devices, not PCs, as was typical in days past.
How that affects manufacturing is pretty straightforward: At base level, if devices are doing something they're not supposed to be doing, chances are they won't be doing the job they were designed for. This can cause all kinds of problems -- some minor, some potentially catastrophic.
Test beds vs. PowerPoint
One of the big differences between the IISF and other frameworks is the use of test beds to validate, promote and expand the IISF's guidelines going forward, Alaybeyi said. Henderson, too, felt this would give the framework a lot of credibility within the vendor community, allowing them to develop products better suited to the vertical they will be used in.
"Having a test bed where you can test these devices within these different verticals means the consortium helps the vendors evolve their products analogous to how it's done in the consumer and enterprise computing space," Henderson said. "The test bed seems to be one of the big fruits for this organization's thinking."
"The security framework that we're advocating is sensitive to the nature of all these verticals," Schrecker added. This should aid cybersecurity efforts because the entire IIoT stack will be based on similar product development approaches, not unlike what happened in the early days of Wi-Fi when vendors vetted their products through the Wi-Fi Alliance and the 802.11 standard.
The IISF also takes the long lifespans of IIoT devices into consideration, since these devices can remain operational and relatively unchanged for years.
But products and vendors aside, the main purpose of the IISF is to get everyone on the same page about cybersecurity so that standards of what it calls "trustworthiness" can be established throughout the IIoT value chain. Failure to account for the seriousness of internet of things security before large-scale deployments of connected devices and connected-device networks become the norm could truly prove disastrous.
"That's really important for everyone to understand," Alaybeyi said. "This trust needs to be built from hardware components all the way up through the software because everybody has a stake in it. Hardware manufacturers, OEMs have a part in it -- everyone has a part in this to build trust."