Toward IIoT Security Standards

What the industrial IoT would look like if it were mature, secure and reliable.


Security is a high priority within Industrial IoT projects, but it is advancing like the rest of the industry—inconsistently, with big gaps between the leaders and everyone else.

That isn’t unique to one or two industrial segments. It applies to all of them, and even to slices within particular industries.

“There is some confusion about security because it’s not just the IT issues,” said Frederick Hirsch, a standards manager at Fujitsu. “There are operational technology issues that also need to be resolved, and there are special conditions to be considered in each industry.”

Hirsch should know. He helped to develop the security framework the Industrial Internet Consortium (IIC) published earlier this year, and has been involved in standards-development working groups on privacy and security at OASIS as well as the IIC. He also co-authored a white paper outlining a security maturity model for the Industrial IoT, which the IIC published recently.

“Security concerns are different if you’re dealing with a device to treat diabetes than for equipment on a light manufacturing floor,” according to Hirsch. “It’s getting to be very complicated as the world gets more interconnected. You have all kinds of threats, all kinds of software flaws and all kinds of devices, so you’re not going to use the same approach everywhere.”

It’s not just the number of industries that’s confusing, though. In June 2017, IoT Analytics counted a total of 450 software vendors. A McKinsey & Co. report, released the prior month, came up with only 150 or so, after eliminating some for being incomplete even in their own categories.

“If there are [even] 100 IoT platforms, then there is no platform, just aspirants,” the McKinsey report concluded. It also issued a warning that the market eventually would have to boil down to just two or three leaders.

That may not happen any time soon, given the number of vertical market categories and the likelihood that some platforms will play better in some industries than others. But 450, or even 150, is far too many for either technology providers or customers to track, especially without standards that would make migration, management, security and everything else easier to handle, according to Asaf Ashkenazi, vice president of IoT security products for Rambus Security.

“In the x86 world the standards and APIs to do all that are well known,” Ashkenazi said. “But here there are many, many configurations of chipsets and even if there is a root of trust, each has a different way of doing it, a different way to do TLS because of memory restrictions in the device, there’s nothing to tell you how the private key is stored for PKI or how you identify the hardware. It turns out to be very difficult. We had a customer come to us who had implemented 1,000 devices and 3,000 devices connected to their service. It appeared not all those were legitimate, but they couldn’t tell which were and which weren’t.”

Blind insecurity
That is not unusual, according to Cisco’s 2018 Security Capabilities Benchmark Study, which found that devices nobody authorized are allowed onto networks anyway, by organizations that simply assume what those devices are and that whatever they are doing is legitimate.

The “endpoint visibility gap” ranges from 12% for government agencies to 33% for healthcare organizations, 43% for technology companies and 50% for financial firms.

“Unfortunately, there is very little consistency in the level of functional capability from one developer to another, and even less consistency in their awareness or ability to create secure networks of IoT devices,” according to Gerardo Pardo, CTO of Real-Time Innovations, who co-wrote the Data Distribution Service (DDS), a secure, machine-to-machine middleware and Object Management Group standard that provides high-performance, real-time data exchange on a publish-subscribe basis for financial trading applications, air traffic control and other latency-sensitive, device-dependent applications.

“Some vendors have very comprehensive security practices and really understand what the problems are and have comprehensive solutions to the problems,” Pardo said.

There is already an alarming amount of mystery about the hardware people are installing, Ashkenazi said.

“When we started to look at the security of IoT devices three years ago, we were surprised to find that a lot of the chipsets being used already had the hardware to provide fundamental security – secure boot, encryption, authentication and PKI (public key infrastructure) support,” Ashkenazi said. “[Customers] didn’t know those functions were there. Their vendors didn’t ask for more money to put it in there; it was included as part of the basic function, but it was only the basic building blocks. You need to have some security software or APIs from the OEM, some APIs in the cloud to know how to talk to it and a service with a database that knows how to manage all these devices.”

That doesn’t help organizations building IIoT networks, which often are developed without understanding the difference between the relative security that isolation gave traditional supervisory control and data acquisition (SCADA) systems and the exposure of the architectures they are jumping into. Those networks frequently rely on automation software that was never designed to be reached through the cloud or across the Web. Integrators or developers accustomed to physical isolation, non-standard networks, limited network access or the other forms of isolation common to traditional SCADA systems may not understand the risks at each layer of the network when they migrate to the cloud or add web-based access.

“If you’ve got some oil drilling rig facilities operating totally isolated from the rest of the world, maybe physical security is good enough because you’re way out at sea,” Pardo said. “If you go to the cloud, you could have everything right — identity management, authentication, social engineering and all the rest. But if I want to monitor the oil rig using my iPad with a cellphone connection and JavaScript or something from my home, if the endpoint is not secure, it’s not an end-to-end solution and you are vulnerable.”

Rambus addresses the problem with a service called CryptoManager IoT Security Service, which provides device-to-cloud security using a platform-as-a-service provider on the server side and, on the client side, a software development kit that includes chipset and client software support. All of this can be adapted to a variety of devices and uses the root-of-trust and authentication capabilities of the hardware to create a secure base.

It is a turnkey solution aimed at service and technology providers. Real-Time Innovations, for its part, licenses its implementation of DDS to companies including Mentor, a Siemens business, which pre-integrates it as a communications layer. Standards such as DDS allow authentication with standard protocols, access control, and transport over almost any networking protocol. They also fit vendor-agnostic architectures such as the IIC’s Industrial Internet Reference Architecture, which Real-Time Innovations helped develop as a member of the IIC working group.
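The failure Ashkenazi describes above, a service with thousands of connected devices and no way to tell which ones are legitimate, is exactly what root-of-trust-backed device authentication is meant to prevent. The following is an added example, not code from the article, from Rambus or from any product named on this page: a minimal device-to-cloud challenge-response in which the service keeps a registry of per-device secrets learned at enrollment, issues a fresh nonce per login, and rejects unenrolled identifiers, wrong keys and replayed responses. The device identifiers, keys and the `DeviceAuthService` API are all constructed for illustration; in a real deployment the per-device secret would live in the chipset’s root of trust and the HMAC would be computed there.

```python
"""Added example: enrolled-device authentication for a device-to-cloud service.

Not the article's or any vendor's code. The service holds a registry of
device_id -> per-device secret (assumed to have been provisioned into each
device's hardware root of trust at enrollment). A device proves it holds
the secret by answering a one-time nonce with an HMAC; anything else is
logged so the operator can see which connected devices are not legitimate.
"""
import hashlib
import hmac
import secrets

# Constructed registry: what the cloud side learned at enrollment time.
# The hex values are made-up 256-bit keys, not real device credentials.
REGISTRY = {
    "pump-0001": bytes.fromhex("3f9a0c1e77b24d5a8e6f1021c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6"),
    "valve-0002": bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f903f9a0c1e77b24d5a8e6f1021c3d4e5f6"),
}


def device_respond(device_id: str, device_key: bytes, nonce: bytes) -> bytes:
    """Device side: prove possession of the key without ever sending it.
    Binding the device_id into the MAC stops a response from being
    re-used under a different identity."""
    return hmac.new(device_key, nonce + device_id.encode(), hashlib.sha256).digest()


class DeviceAuthService:
    """Cloud side: issue one-time challenges and verify responses."""

    def __init__(self, registry: dict):
        self._registry = dict(registry)
        self._outstanding = {}  # device_id -> nonce issued but not yet used
        self._log = []          # (event, device_id) tuples for the operator

    def challenge(self, device_id: str) -> bytes:
        # Always hand out a nonce, even for unknown ids, so an attacker
        # cannot use the challenge step to probe which ids are enrolled.
        nonce = secrets.token_bytes(16)
        self._outstanding[device_id] = nonce
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes) -> bool:
        expected_nonce = self._outstanding.pop(device_id, None)  # single use
        key = self._registry.get(device_id)
        if key is None:
            self._log.append(("UNENROLLED", device_id))
            return False
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            self._log.append(("REPLAY_OR_STALE", device_id))
            return False
        expected = hmac.new(key, nonce + device_id.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            self._log.append(("BAD_KEY", device_id))
            return False
        self._log.append(("OK", device_id))
        return True

    def audit_log(self) -> list:
        return list(self._log)


def run_demo():
    """Exercise the four cases an operator cares about; returns (results, log)."""
    svc = DeviceAuthService(REGISTRY)
    results = {}

    # 1. Enrolled device answering with its own key.
    n = svc.challenge("pump-0001")
    results["legit"] = svc.verify(
        "pump-0001", n, device_respond("pump-0001", REGISTRY["pump-0001"], n))

    # 2. Impostor claiming an enrolled id but holding a guessed key.
    n = svc.challenge("pump-0001")
    results["wrong_key"] = svc.verify(
        "pump-0001", n, device_respond("pump-0001", b"guessed-key", n))

    # 3. Device that was never enrolled at all.
    n = svc.challenge("pump-9999")
    results["unenrolled"] = svc.verify(
        "pump-9999", n, device_respond("pump-9999", b"anything", n))

    # 4. Replay of a response that was valid a moment ago.
    n = svc.challenge("valve-0002")
    resp = device_respond("valve-0002", REGISTRY["valve-0002"], n)
    svc.verify("valve-0002", n, resp)            # first use succeeds
    results["replay"] = svc.verify("valve-0002", n, resp)  # second use fails

    return results, svc.audit_log()


if __name__ == "__main__":
    res, log = run_demo()
    for case, ok in res.items():
        print(f"{case:10s} -> {'accepted' if ok else 'rejected'}")
    for event in log:
        print("audit:", event)
```

The audit log is the point of the exercise: a service built this way can answer the question Ashkenazi’s customer could not, because every device that connects is either an enrolled identity that proved key possession or an entry tagged UNENROLLED, BAD_KEY or REPLAY_OR_STALE. Using a fresh nonce per attempt and `hmac.compare_digest` for every comparison keeps the check safe against replay and timing attacks; swapping the HMAC for a signature under a device certificate would give the same flow with asymmetric keys.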

Higher standards
However, preventing a breach isn’t a high enough bar to set for a security model that defines maturity, Hirsch said. And because the IIoT involves both operational technology and information technology, any maturity model has to include elements of both.

“You have to combine security with other aspects of trustworthiness — privacy, resiliency, safety,” Hirsch said. “There’s a lot of confusion for everyone, not just about the IT, but about the non-IT aspects and the effects on other areas.”

The highest priority of many operational technology systems, according to the report, is to avoid causing injury or death, followed by the need to avoid putting the public at risk or causing harm to the environment. The rest of the model is designed to highlight elements of trustworthiness as well as safety, by including such things as coordination with other departments or organizations and communication of risk and priority. It is not just about identification of threats, though it does cover security models and elements, including how to secure endpoints.

The goal is to create a broad framework, not to confine it to one technology or one aspect of information security and burrow down from detail to minutiae, according to Stephen Mellor, CTO of the IIC.

“The maturity model documents address how technology fits within a broader landscape in which you define the level of security you need for a specific situation, make sure you are right about that, and go about getting it,” Mellor said. “There’s no point in using the greatest, most effective security on the planet for a box with no data. There’s no need to expend all that money, so you start by determining your business requirements and then go on to how much it would cost and what kind of technology you need to deliver it.”

In the model, maturity is measured across different levels of consistency — minimal, ad-hoc, consistent and formalized — which is consistent with other maturity models. The maturity table also offers a measure of how well a particular function fits into a particular industry or system or area of concern – a measure called scope that is marked on the vertical axis of the table with the categories General, Industry and System (See Fig. 1.)

Fig. 1: Maturity is measured across each practice. Source: IIC

“It’s hard to measure, but we wanted a way to measure applicability,” Hirsch said. “So if you were at an ad hoc level of consistency, and an activity wasn’t important in the medical field, you could leave it at a lower stage to reflect that priority. It gives you a way to rate certain things according to context rather than frequency. We do have a number of ways to visualize things, but we were trying not to load people up with implementation details. We tried to help them know at a given level what is your degree of vulnerability and whether you’re doing the right thing to address it.”

The problem is so enormous that it’s difficult for people to grasp in the first place, and even more difficult to determine how to deal with it.

“We hope this model will help them get a hold of their thoughts, decide what matters and think about whether it’s appropriate to use encryption,” Hirsch said. “Rather than focus on it without realizing that it’s possible in that situation, authentication might be more appropriate.”

