Evaluating Security of IIoT Testbeds
the IIC’s Industrial Internet Reference Architecture (IIRA),[2] as shown in Figure 1, but conformance is not mandatory.
A trust boundary is defined by the TSCG team as the region enclosing systems and actors under the same security policy jurisdiction, supporting isolated execution within that trust boundary, and with interfaces through the trust boundary that support trusted path or communication among the architectural elements. The details of how various security mechanisms are used within each trust boundary and for which purposes (e.g., to protect privacy) should be documented. Mechanisms to provide confidential and authenticated communications across trust boundaries over trusted paths should also be documented.
Use Cases and Security Objectives: Document a collection of use cases, each providing the actors and security objectives.
Trustworthiness Constraints: Summarize how the other non-security aspects of trustworthiness are relevant and considered in the testbed. These include safety, reliability, resilience, and privacy.
Threat Analysis: Provide a threat analysis of the various system components using a threat modeling methodology such as STRIDE.[3] A ranking of the security threats as perceived by the testbed team is also documented.
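The trust boundary and threat analysis items above can be kept as a small machine-checkable model. The following Python sketch is an added example, not part of the original article or of any IIC template: it applies the standard STRIDE-per-element mapping, flags data flows that cross a trust boundary without documented confidentiality and authentication, and ranks threats by a team-assigned score. The element names, the tier names (edge, platform, enterprise), the protection labels and the likelihood times impact scoring are all assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element: categories that apply to each element type
# (Spoofing, Tampering, Repudiation, Information disclosure,
#  Denial of service, Elevation of privilege).
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",   # R mainly matters when the store holds logs
    "data_flow": "TID",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                              # key of STRIDE_PER_ELEMENT
    boundary: str                          # trust boundary; flows use "src->dst"
    protections: frozenset = frozenset()   # documented mechanisms (assumed labels)

# Constructed sample model of a three-tier testbed (tier names are assumptions).
MODEL = [
    Element("sensor", "external_entity", "edge"),
    Element("edge_gateway", "process", "edge"),
    Element("telemetry_uplink", "data_flow", "edge->platform",
            frozenset({"authenticated"})),
    Element("analytics_service", "process", "platform"),
    Element("historian_db", "data_store", "platform"),
    Element("report_feed", "data_flow", "platform->enterprise",
            frozenset({"authenticated", "confidential"})),
]

# Constructed team scores: (likelihood, impact), each 1-5; default is (1, 1).
TEAM_SCORES = {("telemetry_uplink", "I"): (4, 4), ("edge_gateway", "E"): (2, 5),
               ("historian_db", "T"): (3, 4), ("sensor", "S"): (3, 3)}

def crosses_boundary(e):
    src, _, dst = e.boundary.partition("->")
    return e.kind == "data_flow" and dst != "" and src != dst

def undocumented_crossings(model):
    """Cross-boundary flows lacking documented confidentiality/authentication."""
    need = {"confidential", "authenticated"}
    return {e.name: sorted(need - e.protections)
            for e in model if crosses_boundary(e) and need - e.protections}

def ranked_threats(model, scores):
    """Enumerate (element, category) pairs, highest likelihood*impact first."""
    threats = [(e.name, c) for e in model for c in STRIDE_PER_ELEMENT[e.kind]]
    def risk(t):
        likelihood, impact = scores.get(t, (1, 1))
        return likelihood * impact
    return sorted(threats, key=lambda t: (-risk(t), t))
```

Calling `undocumented_crossings(MODEL)` lists the flows whose documentation is incomplete, and `ranked_threats(MODEL, TEAM_SCORES)` gives the ordered threat list the testbed team would record.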
Figure 1: Three-Tier IIoT System Architecture
[2] Industrial Internet Consortium. "The Industrial Internet of Things Volume G1: Reference Architecture," Industrial Internet Consortium (IIC), IIC:PUB:G1:V1.80:20170131, (2015)
[3] Shostack, Adam. Threat modeling: Designing for security. John Wiley & Sons, (2014).
March 2018