Ensuring IIoT security best practices
Data is coming into manufacturers’ systems at unprecedented rates, and while that will surely help organizations perform better and become more profitable, making sure that information remains secure becomes more vital in the age of the Industrial Internet of Things (IIoT).
Protecting IIoT data is now critical enough that an organization needs to fight off all types of internal and external attacks. That means understanding the entire scenario in order to apply security measures that avoid serious consequences for IIoT systems, such as disruptions, safety incidents, loss of IP, regulatory fines, and negative impact on brand reputation. The problem is, where should a manufacturer begin this IIoT and security journey?
One piece of research is available from the Industrial Internet Consortium (IIC), which published the “Data Protection Best Practices White Paper,” designed for those involved in cybersecurity, privacy, and IIoT trustworthiness. The paper describes best practices that can be applied to protect various types of IIoT data and systems.
The 33-page paper covers multiple adjacent and overlapping data protection domains, for example, data security, data integrity, data privacy, and data residency.
“One key takeaway is data protection is a team sport that involves multiple people and multiple stakeholders in the organization, and not just the security officer,” said Bassam Zarkout, executive vice president at IGnPower and one of the authors of the paper. “Maybe the security officer is leading the effort, but the concerns of the stakeholders expand across different domains and different functions across the organization.”
Trustworthiness and protecting IIoT data
Protecting IIoT data during the lifecycle of systems is a critical foundation of trustworthy systems.
“One observation we made is data leaks can lead to multiple consequences,” Zarkout said. “Not only one consequence. A data leak can lead to a data privacy issue as well as a data confidentiality issue. So the same data can be sensitive from a personal perspective and a business perspective. In that case, two sets of controls, requirements and processes need to be applied to protect the data and report on the issue and apply the corrected action.
“Data security is part of what we refer to as IIoT trustworthiness in the sense that you have IT and OT issues converging in the industrial world. Topics and issues related to security and privacy are no longer independent to issues related to safety, reliability and resilience,” Zarkout said.
Zarkout listed the five elements of trustworthiness:
Zarkout said they all must operate in conformance with business and legal requirements, with data protection a key enabler for compliance with these requirements.
In these days leading up to the IIoT, there is an understanding that organizations need to be more digitally enabled, but they end up paralyzed because they don’t know where to start.
“There is a huge push to incorporate security into highly distributed systems, but oftentimes the discussions are deferred or we are not able to get the details we need because it is not clear where we should start,” said Niheer Patel, product manager at Real-Time Innovations (RTI) and another author of the paper. “This paper guides folks in how to start approaching security for their system. We have identified some key areas where there should be some level of attention or awareness of what the use case might be and how to address the use case.”
IIoT best practices
The paper covers best practices for various security aspects like authenticated encryption, key management, root of trust, access control, and audit and monitoring.
“It is important to look at access control because all this data is coming in from any place and it is coming in and being stored back in the cloud,” said Apurva Mohan, Industrial IoT security lead at Schlumberger, and the third author of the paper. “Access control and data encryption are white flags and also how do we protect data in the cloud. One of the first questions a customer asked me was I get all the talk about security, but how are you going to protect data in transit and in the cloud? Those kinds of questions come up with educated customers, but there are others that don’t even understand the risks, so this paper will give them some insight into what data protection is and what should be done.”
IIoT is falling upon the industry like an early morning blanket of summer dew, and some organizations are more advanced than others, but in the end this paper gives best practices and tips on how to get a security program up and running in the digital age.
It will also bring a better understanding of collaborating with everyone within the manufacturing enterprise. People will get an end-to-end view of how it all should work and connect.
“The expert in privacy will not learn anything new in the paper,” Zarkout said, “but the expert will learn how privacy works within a bigger topic in the organization.”