Twenty-five organizations have banded together to develop a security framework for Internet-connected devices used for industrial purposes. This group is known as the Industrial Internet Consortium (IIC), and it is working to create a framework to secure IoT-connected equipment used in all industries. In fact, it has published the Industrial Internet Security Framework (IISF), which can be obtained at no charge from www.iiconsortium.org/IISF.htm.
With the publication of the IISF, the manufacturers of IoT devices have common ground on which to address security issues related to connecting industrial equipment to the Internet. As we have seen recently from attacks using botnets like Mirai, which hijacked devices into doing dirty work, manufacturers are beginning to realize that connecting industrial equipment to the Internet makes it more vulnerable to Trojans and viruses like Stuxnet.
We have to recognize that once a device is attached to the web, it becomes impossible to secure it all the time or in every context. Nonetheless, there are several situations where it is desirable to have increased access to those devices. For example, a doctor may need to review a patient's insulin intake remotely and make corrections as needed, or an operator may need to control temperatures in a nuclear reactor without having to go inside the reactor chamber.
Such scenarios show how much good can come from using the Industrial Internet of Things (IIoT), but they also show how devastating the results of an attack such as a Distributed Denial of Service (DDoS) attack can become when such systems are exposed to the Internet with feeble security measures. One example of such weakness is devices that provide no option to change the default password.
Having a framework may be a step in the right direction; time will tell. Nonetheless, we are left to wonder whether addressing the three concerns of confidentiality, integrity and availability (CIA) is enough to outweigh the losses as the probability of targeted attacks increases due to the competitive nature of the industrial sector or even national rivalries.
The impact of an attack against the industrial establishment of a city, state or country may be devastating to the local population and may have far-reaching consequences in today’s global economy. It is possible to draw an analogy with the impact of the 9/11 attacks against the Twin Towers in NY, which had a compound effect that resonated across the globe and is still felt today.
The situation is becoming more and more chaotic, and even this framework will not address the devices already in use in homes or industrial plants. The attack surface created by IIoT and IoT devices is immense and seems to be growing more and more unmanageable with the resources we have today.
Most agree that something must change, and a framework is a start. Nonetheless, it still requires the engagement of more than just 25 organizations. It also requires the participation of law enforcement, governmental and non-governmental institutions, as well as employee unions.
The framework is a good first step; however, baby steps in securing IoT and IIoT are too small for the leaps and bounds this technology is making.