IIC Journal of Innovation 7th Edition | Page 59

Evaluating Security of IIoT Testbeds
FINDINGS AND CHALLENGES
The process of security reviews and the practice of creating security profiles have proven beneficial to both the IIC Testbed program and the IIC Security Working Group. According to the feedback given by testbed teams, creating the initial representation of trust boundaries and corresponding threats helps testbeds to brainstorm on attacks, which leads to the early evaluation of possible vulnerabilities. While the risk analysis tools seem to have limitations, the initial assessment still provided testbeds with a good understanding of their risks. For example, the automated output from STRIDE helped one testbed to find a flaw in the design and motivated another to include additional security controls. The information collected from the questionnaire also helped start the evaluation of some of the best practices in the IISF, providing insights for its future revision.
There were several challenges that needed to be addressed within tight time constraints and resources to implement this security evaluation process. To adequately address these challenges, additional research and support from the larger IIoT security community are required. This paper attempts to outline those challenges as a call-to-action to all security practitioners.
Precisely Defining a Trust Boundary is Difficult
The IIC's Industrial Internet Vocabulary Technical Report [5] defines a trust boundary as a separation of different application or system domains in which different levels of trust are required. Since defining trust boundaries is a cornerstone of the IIoT testbed threat evaluation process, it is necessary to precisely define a methodology to determine a trust boundary in an IIoT testbed. From our experience, testbeds require more guidance to correctly create trust boundaries.
For example, edge devices can be diverse within the same testbed, including several classes of PLCs (programmable logic controllers) or other machinery. These devices may be within the same trust boundary or multiple trust boundaries. In the extreme case, there can be one trust boundary for each device. If the edge devices are exposed to anyone walking by or are sitting directly on the Internet, this extreme approach makes sense. If the edge devices are in a limited access environment, a single trust boundary may be sufficient for all the devices. Multiple trust boundaries also add to the complexity of the threat modeling effort. Hence a further refined definition of a trust boundary that addresses the nuances expressed in this section is essential.
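The trade-off described above, as an added example that is not part of the original article: a sketch that assigns edge devices to trust boundaries by exposure and counts the data flows that cross a boundary, which is the set a threat-modeling pass has to analyze. The device names, zones, fields and flows are constructed assumptions, not data from any IIC testbed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    zone: str              # assumed label for the physical/network area
    public_access: bool    # anyone walking by can reach the device
    internet_facing: bool  # device sits directly on the Internet

def by_exposure(devices):
    """Exposed devices get their own boundary; the rest share one per zone."""
    return {
        d.name: f"tb:{d.name}" if (d.public_access or d.internet_facing)
        else f"tb:{d.zone}"
        for d in devices
    }

def per_device(devices):
    """The extreme case from the text: one trust boundary for each device."""
    return {d.name: f"tb:{d.name}" for d in devices}

def crossing_flows(flows, boundary):
    """Data flows whose two endpoints lie in different trust boundaries."""
    return [(src, dst) for src, dst in flows if boundary[src] != boundary[dst]]

# Constructed sample testbed: three devices in a limited-access cell,
# one sensor in a public lobby, one Internet-facing gateway.
DEVICES = [
    Device("plc-a", "cell-1", False, False),
    Device("plc-b", "cell-1", False, False),
    Device("hmi", "cell-1", False, False),
    Device("kiosk-sensor", "lobby", True, False),
    Device("gateway", "dmz", False, True),
]
FLOWS = [("plc-a", "plc-b"), ("plc-a", "hmi"), ("plc-b", "hmi"),
         ("kiosk-sensor", "gateway"), ("hmi", "gateway")]

if __name__ == "__main__":
    for label, scheme in (("by exposure", by_exposure), ("per device", per_device)):
        b = scheme(DEVICES)
        print(f"{label}: {len(set(b.values()))} boundaries, "
              f"{len(crossing_flows(FLOWS, b))} crossing flows to analyze")
```
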
[5] Industrial Internet Consortium. "The Industrial Internet of Things Volume G8: Vocabulary," Industrial Internet Consortium, IIC:PUB:G8:V2.00:PB:20170719, (2017)
- 58 - March 2018