IISF Frequently Asked Questions
The IISF is a comprehensive resource for understanding Industrial Internet of Things (IIoT) security considerations, developed by international security experts from the Industry IoT Consortium. The objective of the IISF is to drive consensus in the industry, promote IIoT security best practices and accelerate their adoption. The IISF explains how security fits within the business of industrial operations. It defines functional building blocks for addressing security concerns, provides implementation guidance and practical techniques for IIoT security. The download of the Industrial Internet Security Framework is free.
The IISF is written for CTOs, CISOs and technical security experts. They can use the IISF as a guide to implement the industrial Internet security technologies available today to enhance the availability and reliability of their system and thus gain significant return on investment (ROI).
For CEOs and business managers, the IISF provides a discussion on the business drivers enabled by proper security and explores the related industrial concerns on safety, reliability, resilience, and privacy. It highlights the need for every organization across every industry to secure their IIoT systems and to deploy best-practice security solutions immediately.
The Industry IoT Consortium also published a white paper (also free to download), The Business Viewpoint of Securing the Industrial Internet, which provides an executive overview of the Business Viewpoint and offers a window into the IISF's considerations and best practices.
Every IIoT project must implement security throughout. Deploying appropriate security in an industrial setting brings many levels of complexity. The IISF brings a comprehensive protection approach with the goal of minimizing risk.
Recent events have illustrated the risk of being attacked from unexpected sources both inside and outside the system, whether intended or accidental. There is a commanding need to protect against error, mischance and malicious intent. The Industry IoT Consortium believes that these industrial security risks represent a major threat to world safety and security.
The IISF identifies, explains and positions security-related architectures, designs and technologies, as well as identifies procedures relevant to trustworthy IIoT systems. It describes their security characteristics, technologies and techniques that should be applied, methods for addressing security, and how to gain assurance that the appropriate mix of issues has been addressed to meet stakeholders' expectations. The publication of the IISF initiates a process to create broad industry consensus on how to secure IIoT systems.
Part I examines key system characteristics, such as safety, reliability, resilience, security, and privacy and how they should be assured together to create a trustworthy system. It also explores what makes IIoT systems different from traditional IT systems.
Part II reviews security assessment for organizations, architectures and technologies. It outlines how to evaluate attacks as part of a risk analysis and highlights the many factors that should be considered, ranging from the endpoints and communications to management systems and the supply chains of the elements comprising the system.
Part III covers the functional and implementation viewpoint. It describes best practices for achieving confidentiality, integrity and availability. It describes security building blocks for policy, data, endpoints, communications, monitoring and management.
The IISF builds on the 'Industrial Internet Reference Architecture' (IIRA) that lays out the most important architecture components, how they fit together and how they influence each other. Each of these components must be made secure, as must the key system characteristics that bind them together into a trustworthy system. The IISF extends naturally from a chapter in the IIRA describing security concerns. It moves into security-specific territory to ensure security is a fundamental part of the architecture, not bolted onto it.
IIoT has materialized and the security concerns from the IT world are affecting the OT world. Traditional IT security solutions may not apply directly to the OT world, so the IISF addresses what considerations should be highlighted to implement better security.
By following the guidance of the IISF and securing IIoT systems, businesses are able to access valuable information that was not previously available, leading to a more comprehensive and systematic approach to security. Applying this new information improves the accuracy of the business-critical decisions. Protecting operations against the risk of damage brought about by security breaches saves money, time and reputation.
A successful attack on an IIoT system has the potential to be as serious as the worst industrial accidents to date (e.g., Chernobyl and Bhopal), resulting in damage to the environment, injury or loss of human life. There is also risk of secondary damage such as interruption or stoppage of operations, destruction of systems, leaking of sensitive business and personal data resulting in loss of intellectual property, harm to the business reputation, loss of customers, material economic loss, damage to brand and reputation, damage to critical infrastructure handling electricity, water, oil, and gas, and irreparable damage to the environment. The advantages of avoiding these circumstances are obvious. Attacks on critical infrastructure and IIoT are growing and appropriate responses must be strategically planned.
Manufacturers, system integrators and vendors are represented in the IISF. All stakeholders can start adopting a security approach based on the IISF, mapping their products and solutions into the IISF building block, finding gaps in their designs and implementing appropriate remediation techniques. Moreover, the Industry IoT Consortium encourages vendors to collaborate in creating tools to improve the utilization and adoption of the IISF, such as security checklists for different verticals and maturity models based on the IISF.
Privacy is one of the key system characteristics that most affects the decisions about the trustworthiness of an IIoT system. In the IISF, privacy and the other four key system characteristics are described in detail. Privacy and its assurance are discussed in a dedicated section. Some key system characteristics such as safety and privacy will also be addressed in future topic-specific frameworks.
The IISF is a reference for the Industry IoT Consortium's testbeds that span verticals such as smart grid, transportation, smart cities, agriculture, industrial maintenance and others. The security evaluations of these testbeds provide continuous feedback that will be used to update the information in subsequent versions of the IISF and aid in creating evaluation material including security checklists and maturity models for industrial systems.
As the best practices described in the IISF are applied to industrial Internet testbeds and use cases, industrial security standards will be tested and gaps in those standards will be identified. The Industry IoT Consortium exposes the existence of those gaps to the appropriate standards organizations in the form of recommendations. Based upon these recommendations and the reported testing, it is our hope that the standards organizations will address those gaps. The IISF is not a standard and does not strive to become a standard. The IISF is a living document reflecting collaboration of cross-industry expertise and the actual testing of these concepts, recommendations and practices. It is our plan to be a resource for standards organizations and to positively influence the development of industrial Internet security standards. In this way, we will drive progress toward secure and interoperable industrial Internet systems.
The IISF is a collaboration of members of the Industry IoT Consortium. This publication reflects thousands of hours of knowledge and experiences from security experts, collected, researched and evaluated for the benefit of all IIoT system deployments. Contributors dedicated their valuable time and expertise in authoring, editing and other ways. For a list of primary authors and contributing organizations, see the IISF landing page.
The IIC is committed to publishing technology specific frameworks – such as Industrial Internet Security Framework (IISF), Industrial Internet Connectivity Framework, Business Strategy and Innovation Framework (BSIF) – that collectively comprise the IIC Industrial Internet of Things suite. The IIRA is the foundation for this collective body of work and along with the IIC Vocabulary document ensures consistency across its breadth and depth.
The IIRA has been widely used in the IIC's testbeds that span verticals such as smart grid, transportation, smart cities, agriculture, industrial maintenance and others. The application of the IIRA in these testbeds assists in their system architecture design and provides validation and feedback to the IIRA for its continuing improvement and evolution.
The IIC has been developing an IIRA Template walking the user through the steps necessary to apply and align with the IIRA. IIC members have created several documents which represent detailed analyses of the alignment between the IIRA and selected testbeds, one of which has been published as a whitepaper accessible to the public.
This new version of the IIRA has the following major updates:
As the IIRA is applicable to a broad spectrum of public sector operations and private sector industries, the IIRA does not define a specific architecture. It does, however, include several example architecture concepts and patterns to assist IIoT system architects in defining the optimal pattern for their specific set of requirements.
Additional architecture patterns are being defined through the IIC testbed and technology frameworks processes and will be published as appropriate.
The IIRA provides significant insight into, and identification of, the requirements for architecting a truly interoperable IIoT system. The IIC, through its formal liaisons with various open standards and industry consortia, collaborates through sharing and feedback during the deliverable development process thereby providing bi-lateral and unilateral sharing of requirements, building consensus, and resulting in complementary rather than competing guidance and standards.