Relevant security standards for Internet of Things
Virtually every study exploring the benefits of the Internet of Things includes some reservations about IT security. According to an analysis by Deutsche Telekom, 90% of managers are concerned about security (Cyber Security Report 2015); 70% of respondents surveyed by VDE see IT security risks (2); and a Bitkom survey reported that more than 50 percent of study participants (3) were concerned about privacy and security. These concerns are well founded: once production and process control systems are reachable over the network, there are very real risks to employees and to the production process. However, there are already plenty of established standards and frameworks for bringing IT security all the way down to the production environment. Many of these initiatives originate in US organizations, but the German Federal Office for Information Security (BSI) has also released several publications and free software related to security standards.
A detailed introduction with specific recommendations for action is offered by Special Publication 800-82 (Revision 2) of the National Institute of Standards and Technology (NIST). The "Guide to Industrial Control Systems (ICS) Security" is a general introduction to ICS that deals with the specific issues presented by ICS network architectures and reuses many elements of classical ISMS practice, such as the controls concept from the ISO 2700x family. With many examples and a very detailed bibliography in the appendix, NIST 800-82 is a good (and free) framework that will appeal both to security beginners with ICS training and to security experts looking for information on the specifics of ICS security. Excluding the numerous appendices, the framework is around 100 pages long, which is manageable for most busy administrators and technicians. For ISO professionals there is also a very useful mapping between the NIST controls and their ISO counterparts. Appendix D of the 800-82 framework includes a very detailed list of security frameworks for specific sectors such as oil and gas or major energy companies.
The standard known as ISA99 in the US is known as IEC 62443 in Europe. IEC 62443 takes a holistic approach by covering the management system (CSMS), the system and the components for industrial environments. In simple terms, IEC 62443 uses a zone and conduit concept that treats IACS components separately from other components: assets are grouped into zones, and communication between zones is only permitted through defined conduits. The separation of the zones must be enforced at different levels, either physically or logically. Unfortunately, these standards are not available for free; the IEC standards can be obtained from VDE Verlag, and the IEC drafts can be ordered from the DKE document service.
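The zone and conduit concept can be made concrete with a small policy model. The following Python is an added example, not text from the article or from the IEC 62443 standard itself: it assumes a constructed set of zones (enterprise, dmz, control), assets and conduits, checks each observed flow against that model, and reports flows that cross a zone boundary without a matching conduit or with a protocol the conduit does not permit.

```python
from dataclasses import dataclass

# Constructed model of the zone/conduit idea: every asset belongs to exactly
# one zone, and traffic may cross a zone boundary only through an explicitly
# defined conduit that lists the permitted protocols. All zone, asset and
# protocol names below are made up for illustration (hypothetical).


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    allowed_protocols: frozenset


class ZoneModel:
    def __init__(self):
        self.zone_of = {}   # asset name -> zone name
        self.conduits = {}  # (src_zone, dst_zone) -> Conduit

    def add_asset(self, asset, zone):
        # An asset sitting in two zones would defeat the separation, so refuse it.
        if asset in self.zone_of:
            raise ValueError(f"{asset} is already assigned to zone {self.zone_of[asset]}")
        self.zone_of[asset] = zone

    def add_conduit(self, src_zone, dst_zone, protocols):
        # Conduits are modelled as directional; a two-way link needs two entries.
        self.conduits[(src_zone, dst_zone)] = Conduit(src_zone, dst_zone, frozenset(protocols))

    def evaluate(self, src_asset, dst_asset, protocol):
        """Return ("allow" | "deny", reason) for one flow under the model."""
        src_zone = self.zone_of.get(src_asset)
        dst_zone = self.zone_of.get(dst_asset)
        if src_zone is None or dst_zone is None:
            # Unassigned assets have no zone, hence no conduit: default deny.
            return ("deny", "asset not assigned to any zone")
        if src_zone == dst_zone:
            return ("allow", f"intra-zone traffic within {src_zone}")
        conduit = self.conduits.get((src_zone, dst_zone))
        if conduit is None:
            return ("deny", f"no conduit from {src_zone} to {dst_zone}")
        if protocol not in conduit.allowed_protocols:
            return ("deny", f"{protocol} not permitted on conduit {src_zone}->{dst_zone}")
        return ("allow", f"conduit {src_zone}->{dst_zone} permits {protocol}")


def audit(model, flows):
    """Return the subset of (src, dst, protocol) flows that the model denies, with reasons."""
    violations = []
    for src, dst, proto in flows:
        verdict, reason = model.evaluate(src, dst, proto)
        if verdict == "deny":
            violations.append((src, dst, proto, reason))
    return violations


def build_example_model():
    # Hypothetical three-zone layout: enterprise network, a DMZ holding a
    # historian, and the control zone holding PLCs and HMIs.
    m = ZoneModel()
    m.add_asset("erp-server", "enterprise")
    m.add_asset("historian", "dmz")
    m.add_asset("plc-1", "control")
    m.add_asset("hmi-1", "control")
    m.add_conduit("enterprise", "dmz", {"https"})
    m.add_conduit("dmz", "control", {"opc-ua"})
    return m


# Constructed sample of observed flows, e.g. distilled from firewall logs.
SAMPLE_FLOWS = [
    ("hmi-1", "plc-1", "modbus"),        # same zone: allowed
    ("historian", "plc-1", "opc-ua"),    # permitted protocol on a defined conduit
    ("erp-server", "plc-1", "modbus"),   # enterprise has no conduit into control
    ("erp-server", "historian", "ssh"),  # conduit exists but ssh is not listed
    ("laptop", "plc-1", "modbus"),       # unknown asset, default deny
]


def example_violations():
    return audit(build_example_model(), SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, dst, proto, reason in example_violations():
        print(f"DENY {src} -> {dst} ({proto}): {reason}")
```

The model is deliberately directional and default-deny, which is the posture a firewall or data diode enforcing a conduit should have; a real IEC 62443 conduit definition also carries security level targets and other attributes that this toy omits.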
The material from the Federal Office for Information Security may not be quite as extensive, but it does include supporting software free of charge. In addition to the top 10 list of ICS threats, there is also an ICS security compendium for both ICS operators and manufacturers. Light and Right Security (LARS) is a simple but effective guide that helps people implement security measures. The IT-Grundschutz catalogs are another useful reference for an ISMS. Many areas of the Grundschutz catalogs are product and vendor independent; they deal with organizational aspects, which also apply to industrial environments.
Besides the three standards and frameworks mentioned above, there are at least a dozen other documents and information series on ICS security, for example from ISACA or SANS. Most of them can be downloaded online; all the operator needs is a little time to read up on the subject. And that is certainly a wiser investment than spending the time worrying about data protection and IT security on the factory floor.