Evaluating Security of IIoT Testbeds
privacy requirement of a particular use case is met. Since privacy requirements may not be stated in an easily sharable way for communication across trust boundaries, this can cause challenges to even a capable trust boundary owner. If the need for addressing privacy is not expressed clearly, then other organizations cannot plan to implement the privacy requirements of a particular use case, nor can they provide sufficient evidence about how these privacy requirements they did not know about are met by their implementation. These challenges need to be addressed with more specific requirements about interoperability of security information across trust boundaries.
Limitations of Current IIoT Risk Analysis Tools
The IISF does not prescribe any one tool or approach for threat modeling, though it refers to the OWASP Top 10 [8] for threats and STRIDE [9] for threat modeling. While STRIDE is a useful approach for threat modeling across pairs of trust boundaries, and the STRIDE methodology works well in web-based systems, it is not intuitively useful and sometimes not applicable for the multi-trust-boundary use cases often found in the IIoT testbeds. Specifically, STRIDE does not address the complexities described earlier related to multi-owner, multi-operator scenarios of trust boundaries, and threat modeling of end-to-end use cases in such environments.
It also does not address the interaction of security with safety, reliability, and other system characteristics. IIoT system security assessments will continue to be challenged in capturing threats and modeling them until additional tools and methods appropriate for capturing and analyzing IIoT challenges are readily available. The testbed teams are still better served by using tools like STRIDE until better tools are available for testbeds.
Reconciling the IIoT Edge Gateway Focus with End-to-End Security Practices
While most IT security evaluations are based on deploying mitigation controls, the IIC focus is on "security by design," an end-to-end security design. The IISF documents practices for securing the endpoint, such as secure identities on top of a root of trust, which enables secure point-to-point communications, secure firmware updates and other necessary features. However, we observed that none of the evaluated testbeds featured strong end-to-end protections for all of their edge devices. Instead, most testbeds' security design relied on the edge gateway for its security, or on intrusion detection features existing in the Platform Tier. Unlike IoT security for consumer electronics, which usually feature point-to-point connectivity from each device to the cloud, industrial IoT assumes physical protections in the form of a strong perimeter and the existence of an edge gateway with security capabilities. The reliance on a gateway to protect the edge requires a
[8] OWASP IoT Top 10, https://www.owasp.org/index.php/Top_IoT_Vulnerabilities (2014).
[9] Shostack, Adam. Threat Modeling: Designing for Security. John Wiley & Sons (2014).
March 2018