A review of the latest IIoT security regulations and guidelines
Conformity is everything in the fight against cyber-crime. Traditionally, the way to secure IT systems has been to “bring everything together, and keep everything the same”, remarks Senthil Ramakrishnan, lead member of technical staff at AT&T.
But the internet of things (IoT) confounds this drive for consistency, with a multiplicity of technologies and devices, and invites cyber-attacks. “With IoT, that goes out the window,” says Ramakrishnan. Standardization remains out of reach, making the job for regulatory authorities more urgent and more difficult.
Governments on both sides of the Atlantic are attempting to create some order amid the chaos, to make the fight against this new branch of cyber-crime more focused.
In August, the US Senate introduced legislation to set security standards for devices installed in US government networks. If passed, the Internet of Things Cybersecurity Improvement Act will ensure government-owned IoT devices do not feature common security flaws, principally the inability to patch software or firmware and to change passwords.
In addition, the bill will commission alternative security requirements for devices with limited functionality, so key security mechanisms come as standard in government IoT devices.
The European Council, meanwhile, has said it will beef up cyber-security in the region, including with closer inter-state cooperation on counter-intelligence, the establishment of a number of cyber-security “competence centers”, and a certification program to increase trust in digital solutions.
These latest plans promise an addendum to the 2016 Network and Information Security (NIS) Directive. The General Data Protection Regulation (GDPR), scheduled for May 2018, also features a number of cyber-security provisions.
But none of these deal with IoT security specifically, and none with its industrial application. “Although there are great conversations going on around IoT security both at the government and industry levels, there has been little action,” remarks David Dufour, vice president of engineering and cyber-security at Webroot.
Stéphane Quetglas, enterprise IoT marketing manager at Gemalto, says: “Standardization is not very well advanced in manufacturing. There are different initiatives in different regions. We have guidelines, at last, which is better than nothing.”
Among the emerging guidelines on industrial IoT security for enterprises, the German government’s Plattform Industrie 4.0, which seeks to promote and establish the country’s leadership in industrial manufacturing, has comprehensive guidelines on security practices. Commentators argue this is the best resource available to enterprises.
Elsewhere, regulation and guidance are better established for the utilities and mechanical sectors, and are generally linked with the trends for digitization and automation of industry functions. Notably, IEC 62443 is a series of standards, technical reports, and related information, published by the US-based International Society of Automation (ISA), for implementing electronically secure industrial automation and control systems (IACS); it is aimed at system integrators, security practitioners, and control systems manufacturers.
The North American Electric Reliability Corporation (NERC) establishes cyber-security specifications for power systems in the US electrical supply with its CIP 003-3 provision, which also extends to IoT connectivity. The National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, describes how to secure industrial control systems against cyber-attacks. Its Federal Information Processing Standard (FIPS) publication 140-2 establishes standards for the approval of cryptographic modules.
Meanwhile, the Chemical Facility Anti-Terrorism Standards (CFATS) establish a set of security regulations for high-risk chemical plants, electrical generating facilities, and refineries in the US.
“These are addressed towards industry, and critical infrastructure, and provide guidance for industrial control systems and automation wherever it is operating. It is very up-to-date, and considers IoT as a matter of course, working as a source of live system of guidance. It will develop as the technology itself develops, and as threats develop,” comments Brian Arbuckle, senior analyst at IHS Markit.
For an in-depth look at this topic, download the report “Industrial IoT security – the pitfalls and practicalities of securing manufacturing and supply chain IoT systems.”