IoT is complex, fast-growing and often intertwined with systems that govern things like water and power. That makes IoT security a critical requirement, but it’s one that’s not necessarily well understood.
The Industrial Internet Consortium, a group that includes some of the biggest players in the internet of things, took action on Monday to clear the air. It rolled out the IISF (Industrial Internet Security Framework), a set of best practices to help developers and users assess risks and defend against them.
Like other IIC projects, the security framework is also an attempt to build a consensus among companies building and using IoT. In this case, the group has laid out a systematic way to implement security in IoT and a common language for talking about it.
The framework document, available free of charge, goes into technical detail about recommended implementations, though it stops short of recommending specific products. The long-term goal is to make sure security is an integral part of every IoT system and implementation.
IIC is well positioned to get industry to agree on ways of doing things. It was formed more than two years ago by Cisco Systems, General Electric, AT&T, Intel and IBM. The authors of the security framework came from some of those companies, plus Fujitsu, Infineon, Schneider Electric and other vendors and universities.
The group has said it’s not a standards body but wants to identify the requirements for standards. It also compiles best practices in various areas and builds testbeds to show how technologies can be implemented. Security is the latest and possibly the most talked-about area IIC has weighed in on.
“The level of security found in the consumer Internet just won't do for the industrial internet,” IIC Executive Director Richard Soley said in a press release.
Immature security is the biggest thing delaying adoption of industrial IoT, said Jesus Molina, co-chair of IIC’s security working group, in an interview. Components commonly used in enterprise IT security, like identity and root of trust, don't really exist yet in IoT, he said.
There are several components to making anything in IoT trustworthy, the framework says: safety, reliability, resilience, security and privacy. These issues come up because industrial IoT connects so many components, including things like sensors and actuators at the edge of an enterprise, that didn’t exist or weren’t connected to the internet up until now.
Those edge connections can open up dangerous vulnerabilities, because they’re often designed to carry some of the most sensitive information in an organization. For example, predictive maintenance, a common goal of IoT implementations, works by collecting data about how well equipment is working. Knowing this helps companies replace worn-out gear before it breaks, but in the wrong hands, that data could help attackers or competitors.
The framework prescribes best practices in four areas: endpoints, communications, monitoring and configuration. They’re addressed to component builders, system builders and users. IIC plans to use the best practices in testbed projects.
IIC will work with governments to help solve the problem of IoT security, but it doesn’t plan to rely on laws to make vendors and enterprises use the framework. Instead, the group will form a number of alliances to help build consensus. On Wednesday, IIC will meet with backers of the Industry 4.0 initiative, and it’s also working with the World Economic Forum.