WIBU-SYSTEMS

Perfection in Protection, Licensing, and Security

IIoT Endpoint Security and the Convergence of IT and OT

Marketing WIBU-SYSTEMS AG on July 30, 2018 at 4:04 PM

IIoT endpoint security was the leading concern of respondents to the 2018 SANS IIoT Survey: Shaping IIoT Security Concerns. The SANS Institute is a cooperative research and education organization and a leading source for information security training and security certification. More than 200 respondents participated in the survey, spanning various industries including energy/utilities, cyber security, government/public sector, technology and education/training.

There are many interesting insights in the survey report and if you are a stakeholder in the IIoT economy, I highly recommend that you read it. Among the many findings that have confirmed Wibu-Systems’ IIoT security recommendations in the past few years, several points stood out. The first is the fact that the definition of an IIoT endpoint and its relationship to an IIoT device is still being debated. The Industrial Internet Consortium (IIC) Vocabulary Report defines an endpoint as a “component that has computational capabilities and network connectivity.” The SANS report points out that a device manufacturer may consider the single, embedded sensor or actuator as the IIoT endpoint, while a system integrator may define that endpoint as a collection of such devices serving a particular function within a larger subsystem. The asset owner may consider an endpoint as a more complex system that is masked behind a gateway or edge device, such as a wind turbine or cooling tower.

The definition and the agreement on the definition by all industry participants are important because endpoints are ubiquitous across the entire IIoT landscape. The report also points out that an endpoint should be characterized specific to the IIoT system of which it is a part, especially if the endpoint requires configuration or programming based on its intended use in the system. This is essential for developing appropriate protective mechanisms against known and, in some cases, unknown attack vectors. The IIoT community is embracing the development of best practices around endpoint security, as described by the IIC white paper, “Endpoint Security Best Practices,” published March 12, 2018.

Another point in the report that stood out was the differing viewpoints around ownership of the development and enforcement of endpoint security mechanisms. Does it reside within the realm of IT or OT? IIoT has blurred traditional IT and OT infrastructure boundaries and added a level of confusion to the inevitable convergence of the two realms, particularly with regard to security.

The report notes that within each of the responsible segments, the perception of what part of the IIoT is most vulnerable and at risk depends on where the responsibility for managing IIoT risk lies:

  • The IT team, company leadership, and management tend to emphasize data accessibility, reliability, availability, and integrity.
  • Department managers emphasize networking and infrastructure appliances.
  • The OT team emphasizes the specific systems related to the IIoT endpoints and then the devices.

Where responsibilities for endpoint security lie is also confused by the fact that perceived and actual responsibilities differ within each group. The survey indicates that the IT team is most concerned with the protection of data, guarding against financial loss and compliance with industry regulations, while the OT team emphasizes increases in reliability, availability, efficiency and production, safety inside the organization, and protection of equipment and systems.

The report further points out that members of the OT department, the individuals who are likely the most knowledgeable about IIoT implementation, appear to be the least confident in their organization’s ability to secure these devices, while company leadership and management, including department managers, seem to be the most assured.

One of the conclusions in the report indicated the necessity to harmonize the viewpoints of IT and OT teams and any third-party product and service providers, especially as related to IIoT security requirements, threats and risks. Both IT and OT need to understand the risks imposed by new or existing IIoT devices connecting to the Internet and the corporate network. And, both need to know how to track and manage these risks as a team.

You can learn more from security experts and editors of IIC’s Industrial Internet Security Framework in an on-demand Webinar, IIoT Endpoint Security – The Model in Practice. The presenters outline in detail the significance of data protection, physical security, root of trust, endpoint identity, access control, monitoring and analysis, secure configuration and management, and integrity protection of IIoT endpoints.
