The Industrial Internet Consortium (IIC) is looking to simplify internet of things (IoT) security with its Endpoint Security Best Practices white paper.
IoT endpoints include edge devices such as sensors, actuators, pumps, flow meters, controllers and drives in industrial systems; embedded medical devices; electronic control units; vehicle control systems and communications infrastructure and gateways. It’s a notoriously insecure footprint, riddled with a lack of security-by-design, default and hard-coded passwords and improper default configurations for internet access.
To help administrators lock down this piece of the network puzzle, the IIC has issued a 13-page concise document for equipment manufacturers, critical infrastructure operators, integrators and others, as a reference for implementing countermeasures and controls to ensure the safety, security and reliability of IoT endpoint devices.
“The number of attacks on industrial endpoints has grown rapidly in the last few years and has severe effect,” said Steve Hanna, IIC white paper co-author and senior principal at Infineon Technologies. “Unreliable equipment can cause safety problems, customer dissatisfaction, liability and reduced profits. The Endpoint Security Best Practices white paper moves beyond general guidelines, providing specific recommendations by security level. Thus, equipment manufacturers, owners, operators and integrators are educated on how to apply existing best practices to achieve the needed security levels for their endpoints.”
The paper explores one of the six functional building blocks from the IIC Industrial Internet Security Framework (IISF): endpoint protection, outlining how countermeasures or controls, through risk modeling and threat analysis, can be applied to achieve a particular security level (basic, enhanced or critical).
It also distills key information about endpoint device security from industrial guidance and compliance frameworks, such as IEC 62443, NIST SP 800-53 and the IIC IISF.
While the white paper is primarily targeted at improving the security of new endpoints, the concepts can be used with legacy endpoints by employing gateways, network security and security monitoring, IIC said.
“By describing best practices for implementing industrial security that are appropriate for agreed-upon security levels, we’re empowering industrial ecosystem participants to define and request the security they need,” said Dean Weber, IIC white paper co-author and CTO, Mocana. “Integrators can build systems that meet customer security needs, and equipment manufacturers can build products that provide necessary security features efficiently.”
IIC member Nozomi Networks founder and chief product officer Andrea Carcano said that the expansion of the group’s guidance to include endpoint security is a positive thing.
“As a leader in the fight to protect critical infrastructure from cyber-attacks, Nozomi Networks knows just how real the threat is to industrial networks around the world,” Carcano said. “Effective cybersecurity is critical to the long-term safety of the industrial internet. As a member, we support the IIC’s work and are glad to see them expand their guidance beyond their Industrial Internet Security Framework to provide specific, practical recommendation for end points by security level. This includes real-time and continuous monitoring for endpoints and effective policy and activity dashboards that can deliver much needed visibility and control.