Industrial Internet System Security: Several Good Questions And Many Good Answers
04/11/2015 Terry Gaul
The Industrial Internet Consortium held an interesting TweetChat where 6 questions received enthusiastic responses from many leading security experts.
The Industrial Internet Consortium held an interesting TweetChat last week in preparation for their Security event held on Tuesday, November 4 in NYC. The IIC-led chat posed 6 questions and drew enthusiastic responses from the many security experts who participated. I’ll attempt to summarize answers to the questions in this post, but you can view the TweetChat in its entirety here.
Q1: What are some examples of solutions you have already seen securing Industrial Internet Systems?
This question solicited pointers to many current security solutions, from wastewater facility control networks to anomaly detection and machine-learning-based approaches to uncover malicious activities. Others mentioned security solutions for embedded devices for protecting product know-how and software IP from theft and piracy, and of course, Wibu-Systems mentioned our solutions for railway control systems, data validation and reconciliation systems, and manufacturing. Case studies of many of these solutions can be found on the IIC website.
Q2: Intentional vs unintentional threats: are there different approaches to protecting Industrial Internet systems?
There seemed to be general agreement that both types of threats will need to be addressed during the design phase, while intentional threats would require strong encryption measures and comprehensive security, and “unintentional threats require easy but strong user authentication”. The IIC unveiled an interesting security infographic of their own to add content to the conversation.
Q3: Do the benefits of deploying Industrial Internet solutions outweigh the security risks?
This question was answered with a resounding “yes” by the group, and several noted that “the greater the risk the greater the reward, and the IIoT is no exception.” Wibu-Systems cautioned that a single incident can disrupt production, compromise safety, and reveal confidential data with financial and legal consequences.
Q4: Open standards or proprietary solutions for IIoT security? Why?
Most participants agreed that Open International Standards would “allow for greater participation, ease of adoption and accessibility for security researchers”. Transparency, industry cooperation, and interoperability are key. However, a few thought that there was still room for proprietary solutions or a mixture of both.
Q5: What new security functions will future industrial devices need to support?
User authentication, encryption, signing, access control, and measures against tampering and reverse engineering are all key security features for Industrial Internet systems. Being secure, vigilant and resilient in the connected age seemed to be the consensus for this question.
Q6: What are some measures an organization can take to ensure their system is secure?
The common sentiments here seemed to be to adopt a security-by-design mentality, get management buy-in early, educate, take great care in the amount and manner in which data is collected, and hire experts as necessary to help design and check device security.
I’m sure this TweetChat was one of many more collaborative events focused on developing innovative solutions for securing Industrial Internet systems. Wibu-Systems is an active participant in the IIC Security Working Group and we will continue to report progress in the coming weeks.