How will ICS cybersecurity standards be impacted by IIoT?
There has been quite a bit of discussion and speculation about the potential impact of the Industrial Internet of Things (IIoT) on the development, deployment, and operation of industrial control systems (ICS). Predictions have ranged from “Nothing changes” to “It will turn everything that we do on its head.” As is usual in situations like this, we will have to wait for the smoke to clear a bit to get a final answer. Regardless of how it eventually plays out, there are certain aspects of industrial control that will almost certainly be impacted in some manner. One of these is the cybersecurity. Specifically, what are the principles, standards and practices required to assure that an industrial control system is operating in a secure fashion, and is protected from inadvertent, collateral, and deliberate threats.
Some of the more cynical pundits in the ICS community have even joked that in this context, the IIoT term should be seen as short for the “Industrial Internet of Threats.” This is based largely on the expectation that growth in IIoT has the potential to explode the number of possible sources of attack – also known as the “attack surface” – by introducing vast numbers of widely distributed sensors and other devices that may or may not have been designed to industrial security standards. On the other hand, optimists among us may assume that since the practice of industrial control has a long history of connecting to and gathering data from devices of one sort or another, then this is just more of the same.
The ISA99 committee has primary responsibility for the development of the ISA and IEC 62443 series of standards on industrial and automation control systems security. I am one of two volunteer co-chairs of the committee.
Standards and technical reports in the series address the subject at various levels, ranging from general principles, concepts and practices to detailed requirements at the system and component level. Currently the IIoT standards in the series have identified over 500 normative requirements and requirement enhancements, of which at least 125 address ICS devices and components.
It is for this reason that the leaders of the ISA99 committee have proposed a new working group within the committee to address the question of IIoT impact in this area. They have written a draft description or charter for this group, which will be submitted to the voting members of the committee for review and approval. Several committee members have already come forward expressing an interest in participating.
When the group is approved it will convene to address a host of questions, including:
- Are there additional risks introduced by this class of technology?
- Will this require or justify new or significantly changed requirements in the standards?
- What for should the recognition of the IIoT impact take in existing and planned standards?
Given that the complexity of the IACS cybersecurity topic has already led to the identification and development of thirteen separate documents in the 62443 series, the hope is that we can avoid creating additional ones devoted to specific technology areas such as IIoT.
The preferred approach is to analyze the impact at the intersection of IIoT and cybersecurity, in order to identify specific areas where existing and developing standards and reports may need to modified to add the appropriate consideration and emphasis of IIoT on deployment and operations plans.
The new working group will be responsible for conducting this analysis, and making recommendations to the committee leaders. Based on those recommendations the committee will take the most appropriate steps.