Industrial Internet Security Framework v 1.0 | Page 23
Security Framework
4: Distinguishing Aspects of Securing the IIoT
4.3 REGULATORY REQUIREMENTS AND STANDARDS IN IT AND OT
Given the risks, it is unsurprising that governments have put in place wide-ranging regulations and require compliance with them. Regulatory and compliance rules mandate controlling access to financial systems, protecting credit card information, upholding privacy expectations and protecting critical infrastructure. Decisions on the implementation and operation of an IIoT system must account for these externally imposed business policies, including strict safety requirements.
Many IIoT systems are subject to external regulations that require compliance, and these compliance requirements may include IT and OT regulations as discussed in Annex A.
A wider view of regulations will be needed. Those from the OT environment will have to expand their view beyond safety to include a broad view of security for widely networked systems. Those with an IT background will have to consider safety regulations, as well as how IIoT systems relate to security regulations. In both cases, privacy regulations are of increasing importance as data is collected and shared for storage and analysis.
New legislation will likely impose additional types of audit, assurance and compliance requirements on both OT and IT to cover IIoT. For example, HIPAA¹ in healthcare focuses on protecting the IT side, such as patient data confidentiality, but fails to cover endpoint protections, including X-ray machines and insulin pumps, which are now connected to the network and can be the target of attacks, or even used to pivot into restricted networks.
Compliance requirements are based on standards that are heavily fragmented into IT and OT. Annex A in the appendix describes a wide range of standards and regulations that may apply to IIoT deployments.
4.4 BROWNFIELD DEPLOYMENTS IN OT
The term brownfield describes an environment where new solutions and components must coexist and interoperate with existing legacy solutions. The term is used in contrast to greenfield, where legacy systems are absent, removing such constraints.
OT systems are often deployed as brownfield due to the size and capital expense involved in building and retrofitting the industrial processes they encompass. Assets are often very long-lived, and reflect massive investments in operational, reliability and safety testing. It is therefore neither economically nor technically feasible to replace existing equipment and applications wholesale with newer alternatives in the short or medium term.
Most industrial installations contain equipment that by IT and security standards is “old” or “out of date.” Such equipment is at greater risk of attack than equipment that has the latest security features and the latest security updates applied, and this deeply affects the security of the installation as a whole.
¹ See [HHS-HIPAA]
IIC:PUB:G4:V1.0:PB:20160926
- 23 -