Industrial Internet Security Framework v 1.0 | Page 23

4: Distinguishing Aspects of Securing the IIoT

4.3 REGULATORY REQUIREMENTS AND STANDARDS IN IT AND OT

Given the risks, it is unsurprising that governments have put in place wide-ranging regulations and require their compliance. Regulatory and compliance rules mandate controlling access to financial systems, protecting credit card information, upholding privacy expectations and protecting critical infrastructure. Decisions on the implementation and operation of an IIoT system must account for these externally imposed business policies, including strict safety requirements. Many IIoT systems are subject to external regulations that require compliance, and these compliance requirements may include IT and OT regulations as discussed in Annex A.

A wider view of regulations will be needed. Those from the OT environment will have to expand their view beyond safety to include a broad view of security for widely networked systems. Those with an IT background will have to consider safety regulations, as well as how IIoT systems relate to security regulations. In both cases, privacy regulations are of increasing importance as data is collected and shared for storage and analysis.

New legislation will likely impose additional types of audit, assurance and compliance requirements on both OT and IT to cover IIoT. For example, HIPAA [1] in healthcare focuses on protecting the IT side, such as patient data confidentiality, but fails to cover endpoint protections, including X-ray machines and insulin pumps, which are now connected to the network and can be a target of attacks, or even used to pivot into restricted networks.

Compliance requirements are based on standards that are heavily fragmented into IT and OT. Annex A in the appendix describes a wide range of standards and regulations that may apply to IIoT deployments.
4.4 BROWNFIELD DEPLOYMENTS IN OT

The term brownfield describes an environment where new solutions and components must coexist and interoperate with existing legacy solutions. The term is used in contrast to greenfield, where legacy systems are absent, removing such constraints. OT systems are often deployed as brownfield due to the size and capital expense involved in building and retrofitting the industrial processes they encompass. Assets are often very long-lived, and reflect massive investments in operational, reliability and safety testing. It is therefore neither economically nor technically feasible to replace existing equipment and applications wholesale with newer alternatives in the short or medium term.

Most industrial installations contain equipment that by IT and security standards is "old" or "out of date." Such equipment is at greater risk of attacks than equipment with the latest versions of security features and the latest security updates applied, deeply affecting security.

[1] See [HHS-HIPAA]

IIC:PUB:G4:V1.0:PB:20160926 - 23 -