IIC Journal of Innovation 7th Edition | Page 61

Evaluating Security of IIoT Testbeds
privacy requirement of a particular use case is met. Since privacy requirements may not be stated in an easily sharable way for communication across trust boundaries, this can challenge even a capable trust boundary owner. If the need for addressing privacy is not expressed clearly, then other organizations cannot plan to implement the privacy requirements of a particular use case, nor can they provide sufficient evidence that their implementation meets privacy requirements they did not know about. These challenges need to be addressed with more specific requirements about interoperability of security information across trust boundaries.
Limitations of Current IIoT Risk Analysis Tools
The IISF does not prescribe any one tool or approach for threat modeling, though it refers to the OWASP Top 10 [8] for threats and STRIDE [9] for threat modeling. While STRIDE is a useful approach for threat modeling across pairs of trust boundaries and works well in web-based systems, it is not intuitively useful, and sometimes not applicable, for the multi-trust-boundary use cases often found in the IIoT testbeds. Specifically, STRIDE does not address the complexities described earlier related to multi-owner, multi-operator scenarios of trust boundaries, or threat modeling of end-to-end use cases in such environments.
It also does not address the interaction of security with safety, reliability, and other system characteristics. IIoT system security assessments will continue to be challenged in capturing and modeling threats until additional tools and methods appropriate for capturing and analyzing IIoT challenges are readily available. Until better tools are available for testbeds, the testbed teams are still better served by using tools like STRIDE.
Reconciling the IIoT Edge Gateway Focus with End-to-End Security Practices
While most IT security evaluations are based on deploying mitigation controls, the IIC focus is on "security by design," an end-to-end security design. The IISF documents practices for securing the endpoint, such as secure identities on top of a root of trust, which enable secure point-to-point communications, secure firmware updates and other necessary features. However, we observed that none of the evaluated testbeds featured strong end-to-end protections for all of their edge devices. Instead, most testbeds' security designs relied on the edge gateway for security, or on intrusion detection features existing in the Platform Tier. Unlike IoT security for consumer electronics, which usually feature point-to-point connectivity from each device to the cloud, industrial IoT assumes physical protections in the form of a strong perimeter and the existence of an edge gateway with security capabilities. The reliance on a gateway to protect the edge requires a
[8] OWASP IoT Top 10, https://www.owasp.org/index.php/Top_IoT_Vulnerabilities (2014).
[9] Shostack, Adam. Threat Modeling: Designing for Security. John Wiley & Sons (2014).
- 60 - March 2018