When the internet was invented almost 40 years ago, security was not on anyone's radar. No one considered it at all. There was no need—the application in mind was to share documents across labs at CERN, and those documents were not secret. The internet was person-to-person, and these were persons who wanted to share.
The critical invention, the URL, is now used in a person-to-business manner. We can bank online, book flights and hotel rooms, and provide our credit card details over the internet. Since the internet is no longer a simple document-sharing scheme, security is now a major concern. Moreover, health records are often online and we (sometimes unwittingly) provide huge amounts of personal data via social media and sites that provide specific services, such as dating. We want that data to be kept private. Privacy is now definitely a major concern.
We are now connecting things to the internet. We can control physical devices in the real world; the internet is business-to-thing. Consequently, safety is a concern. Moreover, autonomous vehicles, for example, must not only be safe in the "airbag" sense, but they also need to be resilient and reliable in terms of their autonomous technology so that they don't break down at 65 miles an hour; they need to be resilient so that when they do break down, they degrade gracefully.
This Industrial Internet of Things (IIoT) is an internet of things, machines, computers, and people that will transform economies and societies. But only if it is trustworthy.
Trustworthiness is a combination of security (it's not just cyber- any more!), privacy, safety, reliability, and resilience across both the Information Technology (IT) and Operational Technology (OT) domains. This convergence involves people from many different areas with different vocabularies ("security" means different things to an IT specialist and a plant manager) and different timelines (IT is updating my phone as we speak, while a chemical plant requires many compliance checks). It requires careful thought and reconciliation of culture, processes, values, and emphasis.
Trustworthiness is therefore a complex, expansive subject that encompasses multiple dimensions and disciplines. It requires comprehensive groundwork to promote awareness, expertise, and practical actions. It ties directly to safety, environmental damage, and ethics—the entire economy and society worldwide. Yet there's a lack of comprehensive understanding of trustworthiness among business stakeholders and technical professionals, including system developers, integrators, and manufacturers. Industrial users looking to adopt IIoT need comprehensive guidance.
This book, Practical Industrial IoT Security, takes the IIC's work, existing standards, and best practices and combines them into a security practitioner's handbook. It is widely applicable across verticals, targeting solutions architects and anyone else responsible for IIoT security, allowing them to digest a single volume to consume the breadth of the security issues in IIoT. The book seamlessly aligns with these frameworks and demonstrates their practical applicability to various IIoT uses cases.
The industry today is much in need of such a resource. This book fills the gap between conceptual frameworks and practice. It addresses the security roles and responsibilities across the life cycle, from business case and requirements definition, development, and integration, right the way to deployment and live operations. In addition to IIC resources, readers will also find several useful industry references, including works done by the IEEE, IEC, OMG, Cloud Security Alliance, NIST, research organizations, and academics. As such, this book is very closely tied with the IIC's vision and initiatives.
This book is not the conclusion for IIoT security, but rather the start of a journey to realize a digitally connected world, enabling it to evolve to meet the security challenges of the foreseeable future.
Stephen J Mellor
CTO
Industrial Internet Consortium
La Jolla, CA, USA
2018-06-27