Evaluating Security of IIoT Testbeds
INTRODUCTION

The Industrial Internet Consortium (IIC) published the Industrial Internet Security Framework (IISF) [1] in 2016 to identify, explain, and incorporate security into the architectures, designs, and technologies of Industrial Internet of Things (IIoT) systems, as well as to add appropriate security procedures into the IIoT systems themselves. The IISF also introduced the concept of trustworthiness and trustworthy IIoT systems, adding system characteristics such as safety, reliability, resiliency, and privacy along with security into the evaluation. After the publication of the IISF, the IIC updated the security review procedures of its testbed program, which to date includes 26 IIoT projects in verticals such as manufacturing, healthcare, farming, transportation, connected vehicles, energy, and retail.

The security review process is mandatory, done before testbed approval, and prior to its implementation. As a first step, the testbed creates a security profile using the IIC testbed security questionnaire. The security profile covers use cases, their security risks, threat analysis, and implementation goals for the security controls. The security profile is evaluated by the Testbed Security Contributing Group (TSCG), a volunteer group of security experts with relevant expertise and backgrounds from member companies of the IIC. This evaluation is complemented by an interview between the TSCG and the testbed team. The overall goal of the security review process is to provide candid feedback to the testbed proposers to improve the security posture of the testbed. This security review also provides an opportunity for continuous feedback based on subsequent revisions of the IISF.

This paper provides an introduction to the testbed program and uses two case studies to explain the parts of the security review process. It then describes the findings and challenges in evaluating security in testbeds, especially in the early stages of their planning and deployment.

TESTBED PROGRAM

The testbed program in the IIC is designed to support the IIC’s goal of accelerating the adoption of the industrial internet and the transformation of the global economy. For this adoption and transformation to occur, guidance on interoperability, security, connectivity, business models, standards, architectures, and patterns must be firmly rooted in reality and practicality. The program provides realistic lessons and experience and is thus valuable to the IIC and its members.

The outcomes from testbeds form the essence of a feedback loop from concept to reality and back to guidance for further innovation to the IIC community. Therefore,

[1] Industrial Internet Consortium. "Industrial Internet of Things Volume G4: Security Framework," Industrial Internet Consortium, IIC:PUB:G4:V1.0:PB:20160926, (2016)
March 2018