IIoT Endpoint Security and the Convergence of IT and OT
30/07/2018 Daniela Previtali
IIoT endpoint security was the leading concern of respondents to the 2018 SANS IIoT Survey: Shaping IIoT Security Concerns. The SANS Institute is a cooperative research and education organization and a leading source for information security training and security certification. More than 200 respondents participated in the survey, spanning various industries including energy/utilities, cyber security, government/public sector, technology and education/training.
There are many interesting insights in the survey report and if you are a stakeholder in the IIoT economy, I highly recommend that you read it. Among the many findings that have confirmed Wibu-Systems’ IIoT security recommendations in the past few years, several points stood out. The first is the fact that the definition of an IIoT endpoint and its relationship to an IIoT device is still being debated. The Industrial Internet Consortium (IIC) Vocabulary Report defines an endpoint as a “component that has computational capabilities and network connectivity.” The SANS report points out that a device manufacturer may consider the single, embedded sensor or actuator as the IIoT endpoint, while a system integrator may define that endpoint as a collection of such devices serving a particular function within a larger subsystem. The asset owner may consider an endpoint as a more complex system that is masked behind a gateway or edge device, such as a wind turbine or cooling tower.
The definition, and agreement on it by all industry participants, is important because endpoints are ubiquitous across the entire IIoT landscape. The report also points out that an endpoint should be characterized specifically for the IIoT system of which it is a part, especially if the endpoint requires configuration or programming based on its intended use in the system. This is essential for developing appropriate protective mechanisms against known and, in some cases, unknown attack vectors. The IIoT community is embracing the development of best practices around endpoint security, as described by the IIC white paper, “Endpoint Security Best Practices,” published March 12, 2018.
Another point in the report that stood out was the differing viewpoints around ownership of the development and enforcement of endpoint security mechanisms. Does it reside within the realm of IT or OT? IIoT has blurred traditional IT and OT infrastructure boundaries and added a level of confusion to the inevitable convergence of the two realms, particularly with regard to security.
The report notes that within each of the responsible segments, the perception of what part of the IIoT is most vulnerable and at risk depends on where the responsibility for managing IIoT risk lies:
The IT team, company leadership and management tend to emphasize data accessibility, reliability, availability and integrity.
Department managers emphasize networking and infrastructure appliances.
The OT team emphasizes the specific systems related to the IIoT endpoints and then the devices.
The question of where responsibility for endpoint security lies is further confused by the fact that perceived and actual responsibilities differ within each group. The survey indicates that the IT team is most concerned with the protection of data, guarding against financial loss and compliance with industry regulations, while the OT team emphasizes increases in reliability, availability, efficiency and production, safety inside the organization, and protection of equipment and systems.
The report further points out that members of the OT department, the individuals who are likely the most knowledgeable about IIoT implementation, appear to be the least confident in their organization’s ability to secure these devices, while company leadership and management, including department managers, seem to be the most assured.
One of the conclusions in the report indicated the need to harmonize the viewpoints of IT and OT teams and any third-party product and service providers, especially as they relate to IIoT security requirements, threats and risks. Both IT and OT need to understand the risks imposed by new or existing IIoT devices connecting to the Internet and the corporate network. And both need to know how to track and manage these risks as a team.