Securing Industrial Systems by Design

The Industrial Internet Consortium (IIC) recently released the first version of a document entitled "Industrial Internet Reference Architecture Technical Report". The document serves to initiate a process of evaluation and industrial transformation to create broad industry understanding about technical requirements, methodologies and roadblocks and to drive product interoperability and simplify the development of Industrial Internet systems (IISs). Because the Industrial Internet is being driven by participants in an array of diverse fields, the IIC is committed to building early consensus among stakeholders on major architecture questions.

As a member of the IIC and an active participant in the Security Working Group, we are very pleased to see that the IIC has emphasized the importance of security for IISs. The IIC points out that because IISs are connected and distributed, they continue to evolve over time and consequently offer an “attack surface that is significantly larger than isolated industrial control systems”. The IIC Reference Architecture calls for integrated security policies for physical plant, hardware, software and communication as core to system design. It is also important to note that the IIC recognizes that attacks can come from a variety of sources, whether it be employees or other insiders, casual hackers or terrorists.

The specific security issues addressed by the IIC report include:

• End-to-end security: requires building in security by design rather than the often-tried and often-failed paradigm of bringing it in as an afterthought.
• Securing legacy systems: most IISs incorporate legacy systems that offer limited or no security protocols and are not modifiable. Security of the overall system requires securing the endpoints of these legacy systems.
• Security for architectural patterns: every architecture pattern has its own specific security requirements and challenges and must be addressed individually.
• Endpoint security: many IISs need to embed security capabilities and policy enforcement directly in end-point devices. The embedded security measures should include mitigating controls, countermeasures and/or remediation actions defined by security policies to minimize the risk of being compromised and the impact when being compromised
• Information exchange security: communication and data exchanges within an IIS must be protected for authenticity, confidentiality, integrity and non-repudiation.

Over the years, Wibu-Systems, in conjunction with several technology partners, has accumulated a wealth of knowledge in embedded system protection and is collaborating closely with the IIC Security Working Group to map out a security strategy for IISs. There are many technologies we can bring to the table, such as encryption, protection against software piracy and reverse engineering, tamper-proofing and integrity protection, authenticity and authentication, as well as license lifecycle management, feature on demand activation, and other embedded software monetization strategies.

Many of these security technologies and techniques were discussed in a recent Webinar, Embedded Security and the Internet of Things – Challenges, Trends, and Solutions. I invite you to view the recorded e-cast and contact us if you have questions or would like more information.