Industrial Internet Security Framework v 1.0 | Page 3
Contents
Part I: Introduction
1 Overview ..... 11
1.1 Purpose ..... 11
1.2 Scope ..... 11
1.3 Audience ..... 11
1.4 Terms and Definitions ..... 12
1.5 Conventions ..... 12
1.6 Relationship with Other IIC documents ..... 12
2 Motivation ..... 13
3 Key System Characteristics Enabling Trustworthiness ..... 15
3.1 Assurance of Key System Characteristics ..... 15
3.2 Security ..... 16
3.3 Safety ..... 17
3.4 Reliability ..... 18
3.5 Resilience ..... 18
3.6 Privacy ..... 19
3.7 Trustworthy Systems ..... 20
4 Distinguishing Aspects of Securing the IIoT ..... 21
4.1 Convergence of Information Technology and Operational Technology ..... 21
4.2 Security Evolution in IT and OT ..... 22
4.3 Regulatory Requirements and Standards in IT and OT ..... 23
4.4 Brownfield Deployments in OT ..... 23
4.5 Cloud Systems in the IIoT ..... 24
4.6 Implications for Securing the IIoT ..... 24
Part II: The Business Viewpoint
5 Managing Risk ..... 27
5.1 Security Programs ..... 28
5.2 Risk Assessments ..... 29
5.2.1 OWASP IoT Attack Vectors ..... 31
5.2.2 STRIDE Threat Model ..... 31
5.3 Communicating Risk ..... 32
5.4 Ongoing Business Attention ..... 33
5.5 Metrics and Key Performance Indicators ..... 34
5.6 Management Considerations ..... 34
6 Permeation of Trust in the IIoT System Lifecycle ..... 36
6.1 System Lifecycle ..... 36
6.2 Roles in the Permeation of Trust ..... 38
6.3 Trust at Component Builder Roles ..... 40
6.4 Trust at System Builder Roles ..... 42
6.5 Trust at the Operational User Roles ..... 43
IIC:PUB:G4:V1.0:PB:20160926
- iii -