Recently, the Industrial Internet Consortium (IIC) released a white paper entitled Endpoint Security Best Practices (ESBP). This concise document recommends best practices for endpoint security on industrial control system (ICS) devices such as programmable logic controllers (PLCs), sensors, drives and controllers. Here are the top five reasons you need to read the ESBP.
Top 5 Reasons to Read the IIC ESBP
1. Stronger endpoint security is needed
Cyber attacks are on the rise. In the last 12 months, we’ve seen a number of attacks impact industrial systems, including CrashOverride, Brickerbot, Palmetto Fusion, Dragonfly 2.0 and HatMan. Gartner predicts that more than half of IoT device manufacturers will still be vulnerable to new threats through 2018. While we continue to chase vulnerabilities and patch them, hackers are gaining access to devices because the devices lack even the most basic security. Clearly, stronger endpoint security is needed.
2. Maps to industry standards
The authors of the IIC ESBP did not start this white paper from scratch. In fact, the basis for the document included several industry standards: IEC 62443, NIST 800-53 R4, Industry 4.0 and the IIC’s very own Industrial Internet Security Framework (IISF). So, if you’re looking to comply with these standards, the ESBP will help you to achieve compliance.
3. The white paper was written for you
Let’s face it. Anyone involved in IoT or industrial controls could use more clarity in determining what type of cybersecurity should be running on their devices to ensure safety and reliability. This document was written for a wide range of audiences, including equipment manufacturers, infrastructure operators, integrators, insurers, and policy makers.
4. The IIC ESBP has broad industry support
This new white paper was authored by Dean Weber, CTO at Mocana; Srinivas Kumar, VP; and Steve Hanna, Principal at Infineon and then approved by the IIC Security Working Group. The IIC is a global organization comprised of small and large companies, academia and government institutions who work together to accelerate the adoption of the IIoT. The IIC membership list is a who’s who of the industrial sector.
5. It’s short and sweet
The IIC ESBP is just 13 pages. Other standards such as TCG TPM 2.0, NIST SP 800-53 and IEC 62443 are made up of hundreds or thousands of pages. Finally, there is a concise document that provides clear guidance you can use.
Getting Started with the IIC Endpoint Security Best Practices (ESBP)
The Industrial Internet Consortium ESBP white paper makes it easy for companies to define the type of security required on devices based on three security levels: Basic, Enhanced and Critical. For each of these levels, there is a full-stack architecture for endpoint security.
These ESBP levels roughly correlate to the IEC 62443-3-3 security levels 2, 3 and 4.
So, the first thing you’ll want to do is determine what ESBP security levels are needed on each of your industrial devices. You’ll then want to engage your integrators and vendors to implement the necessary security on each device.
Mocana provides embedded security solutions to make it easier to implement and manage security across the life of a device, from development to manufacturing to device enrollment and finally to the management of the device through to its end of life.
Mocana meets the IIC ESBP security architecture requirements for multiple security levels, including support for Endpoint Secure Boot, Hardware and Software Root of Trust, Cryptographic Services, and Secure Endpoint Identity. To learn more about Mocana’s solution or to schedule time to speak with us, please visit our Solutions web page or contact us.