Industrial Internet Security Framework v 1.0 | Page 43
Security Framework
6: Permeation of Trust in the IIoT System Lifecycle
builder to create a framework that allows various technical components to be integrated into a
platform to be resold at scale across a number of equipment owner/operators.
Because the design from a system builder is more customized than that of a technical component
builder, it may be possible to address trust issues in specific components by applying mitigating
controls. This does not eliminate the risk if the weakness were to occur during operation, but it
reduces the likelihood. For example, a software component that is no longer updated by the
software publisher (and without an alternative vendor) may contain a well-known security
weakness from a network attack vector. This component may require network-based
countermeasures such as firewalls, strict access controls, network intrusion detection or
behavioral anomaly detection to ensure the component is not compromised.
While a technical component builder should never deliver an untested product to a customer,
the system builder should perform external tests and certifications so uncovered weaknesses can
be addressed with design modifications. The system builder is in the position to address trust
issues that may have been delivered by technical component builders.
System builders face challenges similar to those of component builders. They have to assure that their
built system fulfills the expectations during the whole lifespan of the system. Initially they are
paid only for the design, installation and successful setup and sometimes to assure the
continuation of the running system, but a system builder must be able to deliver functionality
across the expected lifespan of the system. This includes not only replacing failed components
but also keeping and maintaining the knowledge about the built system over this lifespan.
In many cases, an owner/operator buys technical components and just uses them. The usage of
combined components is still a role of the system builder, but it has been merged with the role
of owner/operator and named in-house developer in Figure 6-2. In larger companies, such
in-house system building is frequently delegated to a department that has only one “customer” (the
operator/owner). But if this department is dissolved, required maintenance cannot be performed
and the system risks instability, uselessness and danger.
6.5 TRUST AT THE OPERATIONAL USER ROLES
The operational user is the starting point of the permeation of trust. The owner/operator of the
operational system must assure at regular intervals (see section 5.4):
• that the system meets the stakeholder needs,
• all threats to the deployed system are assessed,
• the risk to the deployed system is quantified and approved and
• updates, countermeasures and mitigating controls are implemented to manage this risk
  during the whole lifecycle.
Sometimes owner/operators take their role as owners of the system to a level that was never
intended by the system builder, for example by disassembling a system and reusing its
components somewhere else. The owner/operator should always be aware that the trust in a
IIC:PUB:G4:V1.0:PB:20160926