Building blocks of industrial IoT security architecture
For the three-tier architecture discussed in the previous section, the IIoT security architecture has to span end-to-end across the three tiers -- from device endpoints at the edge, through the platform tier, and ultimately to the enterprise tier. In the case of layered databus deployments, the security framework needs to encompass the databus communication and schemas, the endpoints at each layer, and also the interlayer communication through the databus gateways. This proves the pervasive nature of IIoT security. Besides, security can't be bolted on as an afterthought, rather security risks should be evaluated early in the deployment lifecycle; and countermeasures must be built into the design. These security requirements are however, not always easy to implement in real-world industrial IoT deployments, due to some distinguishing characteristics of IIoT, as excerpted below from IIC's Industrial Internet Security Framework (IIC-IISF) document:
- Since IIoT involves both IT and OT, ideally security and real-time situational awareness should span IT and OT subsystems seamlessly without interfering with any operational business processes.
- Average lifespan of an industrial system is currently 19 years. Greenfield deployments using the most current and secure technologies are not always feasible. Security technology must often be wrapped around an existing set of legacy systems that are difficult to change. In both greenfield and brownfield deployments, all affected parties -- manufacturers, systems integrators and equipment owner/operators -- must be engaged to create a more secure and reliable IIoT system.
- As there is no single "best way" to implement security and achieve adequately secure behavior, technological building blocks should support a defense-in-depth strategy that maps logical defensive levels to security tools and techniques. Due to the highly segregated nature of industrial systems, security implementation needs to be applied in multiple contexts. Multiple sub-networks and differing functional zones may have different operating technologies and security requirements. Security tools and techniques built for IT environments may not always be well suited for OT environments.
- IIoT systems may have constrained system resources that need to meet various requirements, such as system safety and real-time execution. These factors may not allow implementing all security measures and controls to their fullest extent (as required by the defense-in-depth strategy). The security program implementation considerations should take into account all the required functional and non-functional aspects of the system behavior, including their relative priorities.
Based on the preceding distinguishing characteristics, Figure 2.11 shows the functional building blocks for a multilayered IIoT security framework from edge to cloud proposed by (IIC-IISF). It maps to the functional viewpoint of IIC's reference architecture:
The functional viewpoint of the security framework is composed of six interacting building blocks. These building blocks are organized into three layers. The top layer consists of the four core security functions: endpoint protection, communications and connectivity protection, security monitoring and analysis, and security configuration management.
These four functions are supported by a data protection layer and a system-wide security model and policy layer.
A brief description of each of these layers has been excerpted from (IIC-IISF):
- Endpoint protection: This implements defensive capabilities on devices at the edge and in the cloud. Primary concerns include physical security functions, cyber security techniques, and an authoritative identity. Endpoint protection alone is insufficient, as the endpoints must communicate with each other, and communications may be a source of vulnerability.
- Communications and connectivity protection: This uses the authoritative identity capability from endpoint protection to implement authentication and authorization of the traffic.
Cryptographic techniques for integrity and confidentiality, as well as information flow control techniques, protect communications and connectivity.
Once endpoints are protected and communications secured, the system state must be preserved throughout the operational lifecycle by security monitoring and analysis, and controlled security configuration management for all components of the system.
These first four building blocks are supported by a common data protection function that extends from data at rest in the endpoints to data in motion in the communications. It also encompasses all the data gathered as part of the monitoring and analysis function and all the system configuration and management data.
- Security model and policy: The functional layer governs how security is implemented and the policies that ensure the confidentiality, integrity, and availability of the system throughout its lifecycle. It orchestrates how all the functional elements work together to deliver cohesive end-to-end security.
A four-tier IIoT security model
An industrial IoT system is highly complex and involves several moving parts. To simplify the security analysis and implementation, there are multiple ways we can decompose IIoT architecture into constituent components. Since most common deployment models consist of the edge, platform, and enterprise tiers, and security research and development are more aligned with the technology stacks, in this book, to facilitate security analysis, planning, and implementation, we shall dissect the overall architecture in a four-tier security model, with the following tiers:
- Endpoints and embedded software
- Communication and connectivity
- Cloud platform and applications
- Process and governance
'Practical Industrial Internet of Things Security'
Buy your copy on Amazon.
This layering follows the unique security considerations of IIoT as discussed earlier, namely:
- Security integration needs to factor in IT and OT domain specific dynamics
- Security needs to address the industrial lifecycle (which may run into decades) and brownfield deployments (coexistence with older technologies)
- Resource constraints of industrial endpoints and their high availability requirements
This four-tier security model takes into account data protection layer functionality in the IISF (Figure 2.11), which encompasses data at rest, in use, and in motion. The functionalities in the top layer of the security framework map to tiers 1-3 of this four-tier security model. The security and policy layer of the security framework maps to the process and governance tier of this model:
The four-tier model is explained as follows:
- Tier 1 -- Endpoints and embedded software: In IIoT deployments, security must extend from the silicon to the software layers of device endpoints. IIoT endpoints range from resource-constrained field devices to enterprise-grade servers and routers with significant storage and compute capabilities. Many industrial deployments include legacy devices with insecure protocol stacks. This provides a unique environment where security must not be limited to the network perimeter, but extend up to the endpoints. Chapter 3, IIoT Identity and Access Management, and Chapter 4, Endpoint Security and Trustworthiness, discuss the challenges involved in IIoT endpoint security, and present various endpoint security methodologies and solutions, such as access and identity management, establishing root of trust and trust chains, secure boot and firmware/software upgrades, partitioning, and more.
- Tier 2 -- Communications and connectivity: This tier focuses on securing data in use and in motion through secured transport, deep packet inspection, intrusion detection and prevention, secured communication protocols, and more. In Chapter 5, Securing Connectivity and Communications, the challenges and solutions of securing IIoT connectivity and communication have been dealt with in depth.
- Tier 3 -- Cloud platform and applications: This is the third tier that needs to be secured. Cloud-based IIoT deployments extend the attack surface significantly. IIoT use cases involve mission-critical command and controls with low latency requirements, which presents a unique set of security challenges at this tier. Cloud platform services often extend to the industrial edge, and as such need to factor in special attack vectors and mitigation strategies. Security architectures and methodologies to protect the industrial edge, cloud, and applications are discussed in depth in Chapter 6, Securing IIoT Edge, Cloud, and Apps.
- Tier 4 -- Process and governance: Practical security management requires a riskbased approach to "right-size" security investments. Security management must cut across the entire lifecycle, from design through operations. IIoT stakeholders must also play their respective roles to secure IIoT deployments.
Every organization that adopts and implements industrial IoT would benefit by having policies and governance guidelines for threat prevention and risk management. This is an essential component of meeting security objectives and business goals with industrial IoT. Security standards developed by industry organizations such as NIST, IEEE, and so on, and also open industry standards, need to be evaluated and suitably adopted at the design and planning phase of any IoT deployment. In addition, use case specific security models and policies need to be developed around configuration and management, data protection, connectivity, endpoint protection, threat analysis, and so on.
Download the PDF of chapter 2 to learn more!
Chapter 7, Secure Processes and Governance, provides more insights into the risk management aspects of industrial IoT. It also reviews existing standards and governance principles to develop a successful security governance model for businesses.
Reprinted with permission from Packt, copyright © 2018