A new model for sustainable, end-to-end security

Dec. 15, 2016
Developers first need to look at how potential solutions will be deployed.
“The IIoT story can’t be told without cybersecurity, but how can it be implemented properly without interfering with industrial processes already in place?” said Sven Schrecker, chief architect, IoT Security Solutions, Intel, and co-chair, Security Working Group, Industrial Internet Consortium (IIC). He presented the keynote address, “Next-generation cybersecurity for the IIoT,” at September’s Smart Industry 2016 conference in Chicago.

“Intel has a global security strategy, which it tests with help from the IIC’s 250 members, who build testbeds, check performance, and report back to Intel with recommendations,” explained Schrecker. “We’re now in the fourth industrial revolution, which consists of cyber-physical systems and IIoT. On the positive side, this means potentially huge productivity, efficiency, optimization and performance gains. However, on the negative side, there are natural security concerns because IIoT also means increased risk due to more attack vectors, larger attack surfaces and potentially grave consequences.”

To develop a set of common cybersecurity solutions, Schrecker reported that developers first need to look at how potential solutions will be deployed because user and consumer buy-in will be crucial for them to succeed. “Industrial revolutions like IIoT aren’t driven by researchers, inventors and technology designers,” he said. “The reality is they’re driven by investors, consumers, regulators and citizens, who adopt and employ these new technologies in daily life. So how can we enable the safe, reliable and secure operation of the IIoT?”

Trust must soak through 

Schrecker explained that another essential IIoT principle is that cybersecurity doesn’t exist in isolation. “Security is one of five characteristics that support IIoT trustworthiness,” he explained. “The others are safety, privacy, resilience and reliability. Together, they create the trustworthiness that the IIoT needs to protect against system faults, environmental disruptions, human errors and cyber attacks.”

Schrecker added that IIoT trustworthiness also relies on information technology (IT) and operations technology (OT) coming together. “We need a new, comprehensive adoption model for trustworthiness as the basis for industrial adoption of IIoT. Then we need to look at all environments from a security perspective, and leverage trustworthiness to manage risk and increase the likelihood of correct business decisions,” said Schrecker. “Security can’t be something we do just for compliance.

“We need permeation of trust in all system elements, in how they’re integrated, and how they interact with each other by assuring it across the entire industrial system of component builders, system builders and operational users from top to bottom and from end to end. Trust flows down from the owner/operator to all parts of the IIoT system, but trust must also be enabled from the bottom up.”

Standards beat perceptions

Once all IIoT participants reach a common understanding and work together for security, Schrecker reported they must design and integrate security into their components and systems before building them because it’s much harder to bolt on security after the fact. “We need chips, boards and software with security built in from the beginning, and we need them attested to the right level of security from the top down,” said Schrecker.

Schrecker added that successful cybersecurity for the IIoT requires standards, some of which haven’t arrived yet but are getting closer. “Several organizations including IIC are working on this,” added Schrecker. “IIC has met with several Industrie 4.0 groups to list goals and convergence plans, and begin to adopt security models and standards that can kick in.”

A key element of developing IIoT security standards is revising the traditional perception of IIoT as starting at edge devices and communicating to the cloud, according to Schrecker. “We can’t just be secure at the edge and in the cloud, and think we’re secure overall,” he said. “We need end-to-end security based on comprehensive models and policies. Each part of an application needs to protect itself, whether it’s at the edge, on the network or in the cloud. We need communications, so we can’t just lock things down. Further, protections can degrade, so we need to monitor and manage security as environments change.”

The just-released Industrial Internet Security Framework (IISF) from the IIC offers a security model and policy built in conjunction with the organization’s Industrial Internet Reference Architecture (IIRA). IISF has a data protection layer with several security building blocks and techniques for IIoT, including security configuration and management, security monitoring and analysis, communications and connectivity protection, and plant protection that includes edge devices and the cloud. The IISF is available for download at the IIC website at iiconsortium.org.

Apply security to IIoT

Once a useful IIoT security model and policy is settled on, Schrecker explained that a security layer can be overlaid on existing industrial processes, spanning them end to end without interfering with those processes. These techniques include:

• Embedded cyber and physical security and embedded identities on boards and components

• Secure communications, especially for machine-to-machine applications

• Overall security monitoring and management, including secure policy management and event monitoring

Consequently, embedded security deployment models should include:

• Process isolation with security in the same operating system (OS) as other components, but separate security processes

• Containerization isolation of software and software containers

• Virtualization isolation with security in separate OSs

• Physical isolation using gateway or bump-in-the-wire functions

“Some infrastructures allow individual devices to protect themselves and some models allow post-attack, root-cause analysis. If you do these functions in software, then they can all do their own thing,” said Schrecker. “There are also a lot of brownfield applications, but they can also start on the IIoT security roadmap by using network gateways to secure OT data flows and protect their devices.

“Next, users can harden devices and implement edge security control by taking software from those devices, virtualizing it, and putting it on their gateways or servers. This puts the soul of a device like a PLC in its gateway. The traditional way of protecting end devices is putting a software agent in the operating system, but we say it’s better to put a second chip in the end device, so you can have operations on one chip and security on another.”

A security chip can monitor and manage all security tasks, enforce firewall functions, store identity information, mutually authenticate devices and users, and authorize network traffic. A security chip can also be defined as the only device that’s allowed to talk to the outside, so all operations chip communications go through the security chip, and follow its security models and policies, much like a network whitelist.

“All of this gives security a place to run,” concludes Schrecker. “Then you can carry out more sophisticated security management, reactively and proactively update devices as needed, and pull security data including metrics and KPIs for better security monitoring and analytics.”
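
The security chip's gatekeeper role described above can be modelled in a few lines. This is an added example, not code from Intel, the IIC or the IISF. The `SecurityChip` class, the HMAC challenge-response used to stand in for mutual authentication, and the pre-shared keys are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

def proof(key, identity, nonce):
    """HMAC over the prover's identity and the verifier's fresh nonce."""
    return hmac.new(key, identity.encode() + b"|" + nonce, hashlib.sha256).digest()

class SecurityChip:
    """Hypothetical model: the operations chip has no network path of its own."""

    def __init__(self, device_id, peer_keys, allowlist):
        self.device_id = device_id
        self.peer_keys = peer_keys    # stored identities: peer_id -> shared key
        self.allowlist = allowlist    # permitted (peer_id, protocol, port) flows
        self.pending = {}             # nonces issued and not yet answered
        self.authenticated = set()
        self.metrics = Counter()      # event counts for monitoring and KPIs

    def new_nonce(self, peer_id):
        self.pending[peer_id] = secrets.token_bytes(16)
        return self.pending[peer_id]

    def answer(self, peer_id, peer_nonce):
        """Device's half of mutual authentication: prove itself to the peer."""
        return proof(self.peer_keys[peer_id], self.device_id, peer_nonce)

    def admit_peer(self, peer_id, response):
        """Peer's half: check its proof against the single-use nonce."""
        key = self.peer_keys.get(peer_id)
        nonce = self.pending.pop(peer_id, None)   # consumed, so replays fail
        ok = (key is not None and nonce is not None
              and hmac.compare_digest(proof(key, peer_id, nonce), response))
        if ok:
            self.authenticated.add(peer_id)
        self.metrics["auth_ok" if ok else "auth_fail"] += 1
        return ok

    def authorize(self, peer_id, protocol, port):
        """Default deny: only authenticated peers on allowlisted flows pass."""
        if peer_id not in self.authenticated:
            verdict = "deny_unauthenticated"
        elif (peer_id, protocol, port) not in self.allowlist:
            verdict = "deny_not_allowlisted"
        else:
            verdict = "allow"
        self.metrics[verdict] += 1
        return verdict == "allow"
```

Every decision increments a counter in `metrics`, which is the kind of security data the chip could export for monitoring and analytics.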