Industrial Internet Security Framework v 1.0 | Page 25

Security Framework 4: Distinguishing Aspects of Securing the IIoT constraints apply to both OT and IT safety and security systems, and equipment that involves human or environmental safety must be certified at some cost in time and money. New attacks and threat models must be evaluated, and security programs should include all stakeholders. These stakeholders may have complex roles in securing IIoT systems, with different systems’ boundaries implying different business models—and risk models. When single owner/operators controlled an isolated system, there was one boundary with clear security concerns. In IIoT systems, increased connectivity requires exposing more interfaces and that implies risk. Most OT systems depend on infrastructure with lifetimes measured in decades, while IT systems can be upgraded frequently at little or no cost. In the upcoming years, these systems need to be integrated into an evolving landscape of endpoint, communication, monitoring and management systems that provide the required security. Safety-critical systems now are connected to the cloud for management and analysis of collected data. IIC:PUB:G4:V1.0:PB:20160926 - 25 -