International Society of Automation, ISA Bangalore Section
Standards, Certification, Education & Training, Publishing, Conferences & Exhibits

ISA Bangalore’s training program on: IoT, IIoT, and Industrie 4.0
18 - 19 November, 2016
Hotel Chancery Pavilion, Lavelle Road, Bengaluru

Security in IoT Network

Ms. Apala Ray, Senior Scientist, ABB Corporate Research, Bangalore, India
Mail ID: [email protected]
Tel: +91 9008588661

ISATRNG/2014.04.25-26/Slide No. 1


Slide No. 2

Apala Ray

Academic

- B. Tech. (ECE): West Bengal University of Technology
- M. Tech. (IT): Networking and Communication, IIIT, Bangalore
- Ph. D.: Security for Industrial Communication, Malardalen University, Sweden (Pursuing)

Experience:

- ABB Corporate Research, Bangalore as researcher for 8+ years in Industrial Communication System
- 8+ years research and development experience in the area of communication and software in ABB Corporate Research
- Wireless solutions for industrial application:
- WirelessHART Integration and Performance Evaluation,
- ZigBee Energy Meter Gateway, 6LowPAN for Low Voltage Products,
- Tropos Wireless mesh integration with non-Wi-Fi
- Industrial Communication Networks security
- Initial Trust establishment in industrial communication network – Key management infrastructure
- Smart Grid Wireless Security – Intrusion Detection
- ABB Proprietary communication networks

Competency Areas:

- Communication protocol Understanding
- Wireless network Security (802.11, 802.15.4)
- Key Management – Trust Model in security
- Wireless network deployment and integration

Slide No. 3

Contents

• Introduction
• What is Industrial IoT
• How IoT will become prevalent in coming years
• Cyber Security in Industrial Automation
• What are the challenges specific to IIoT Security
• Communication Architecture of IIoT
• Heterogeneous communication stack
• User centric view of IIoT
• Trust relationship between actor
• Key aspects of IIoT security
• Functional Domain of IIoT
• Security Life cycle for IIoT

Contents (Contd.)

• Overview of Industrial IoT security
• What are the sources of heterogeneity in Industrial IoT Security
• Threat and vulnerabilities in IIoT
• Security Focus Areas in IIoT
• Security functional Building blocks
• Security Framework
• Device Security
• Communication protection
• A quick overview on symmetric and asymmetric cryptography
• Security Monitoring
• Conclusion
• Summary
• Future Research Challenges

Slide No. 4

Industrial IoT

Definition

Network of separate, uniquely identifiable devices that sometimes have the ability to talk with each other, without requiring “human to human” or “human to computer” interaction

What is Industrial IoT?

• End-to-end digitization of all physical assets and integration into digital ecosystems with value chain partners
• Generating, analyzing and communicating data seamlessly
• Related terms: Industrial IoT, Industry 4.0, Industrial Internet, Digital Factory

Slide No. 5

Prevalence of IoT in Coming Years

Examples of industrial IoT

Smart grid devices, Machine-to-machine communication, Industrial devices, Factory automation, Automobile, Health care, etc.

Few aspects of IT-OT convergence

• Security evolution in IT and OT
• Regulatory requirements and standards in IT and OT
• Brownfield deployments in OT
• Cloud systems in IoT

* Source: Coursera Online Course

Slide No. 6

Cyber Security in Industrial Automation

• Traditional Information Security model focuses on Confidentiality, Integrity, Authentication
• In automation domain Availability comes first
• The safety of personnel, equipment, and the environment is another important aspect to consider
• Any loopholes in the security infrastructure may severely impact the system and might affect the safety of the plant and its personnel.

Slide No. 7

Attacks on Industrial segments

Slide No. 8

Challenges Specific to IIoT Security

Communication architecture

• The key role of the connectivity framework is to provide syntactic interoperability among the endpoints.
• Heterogeneous networks with different communication protocols

Key system characteristics

• Performance
• Resilience
• Security
• Scalability
• Interoperability

[Figure: communication stack spanning Device, Network and Server. Labels: Physical Layer, Link Layer, Network Layer, Transport Layer, Framework, Data Management. Application sectors: ….../ Energy & Utility/ Manufacturing/ Transportation/… Protocols and standards shown: 802.1/802.3, 802.15.4/802.11, 802.16, 3GPP, IP, UDP, TCP, MQTT, HTTP, CoAP, DDSI-RTPS, Web Service, DDS/ OPC.]

Source: Industrial IoT - Security Framework

Slide No. 9

Challenges Specific to IIoT Security

User-centric view of IIoT

Roles involved in IIoT

• When an isolated system is controlled by a single owner/operator, there is only one boundary with clear security concerns.
• Each stakeholder might have specific roles in securing IIoT systems.
• There needs to be trusted assurance between all the roles

[Figure labels: Component Builder, System Builder, Plant Owner, Security Assurance, Trust]

Slide No. 10

Key Aspects of IIoT Security

Functional domain of IIoT

Slide No. 11

Key Aspects of IIoT Security

Security lifecycle in IIoT

Slide No. 12

Sources of Heterogeneity in IIoT

Supporting legacy devices

• Devices with large installation base run processes efficiently over time
• Not enough business motivation to replace those devices for not having advanced state-of-the-art security support.
• Overall secure plant operation with those traditional devices also

Co-existence of wired and wireless protocols

• Ideal scenario: The end users will look for solutions which do not need parallel infrastructures of wired and wireless solutions
• Inherent wireless properties with packet losses

Different computation capabilities

• Digital certificates and fixed key management infrastructures can be too heavy-weight for computationally-insufficient devices.
• Surge of low-cost sensing devices - still there will be light-weight computing devices for emerging applications

Slide No. 13

A High Level Threat and Vulnerabilities in IIOT

Slide No. 14

Security Focus Areas in IIoT

Slide No. 15

Security Functional Building Blocks

[Figure: IIoT Security Framework with the blocks Device Security, Comm Security, Security Monitoring & Analysis, Security Config & Mgmt, Data Protection]

• Secure Logging
• Signature/Anomaly based analysis
• Forensic analysis
• Physical Security
• Secure Identity
• Secure Access Control
• Security Management
• Secure Operation Management
• Physical Security of connection
• Cryptographic protection
• Information flow protection
• Protect Data-in-rest, Data-in-use and Data-in-motion

Source: Industrial IoT - Security Framework

Slide No. 16

Device Security

• Physical Security
• Access control – Authentication and authorization
• Secure identity
• Hardware security
• Trusted platform - HSM/TPM/TEE
• Firmware security
• Secure boot
• Root of trust - Attestation, software tagging
• Application security
• Secure programming interface
• Mutual authentication

Slide No. 17

Security Framework of Industrial IoT

Device security

• Protection of data
• Integrity Protection
• Data-at-rest
• Data-in-use
• Data-in-motion
• Monitoring and Analysis
• Secure Logging
• Device level intrusion detection
• Security Policies
• Effect on performance – Battery Life
• Brownfield deployment – Use of Gateway

Slide No. 18

Security Framework of Industrial IoT

Device security

• Configuration and management
• Commissioning phase
• Operational phase
• Maintenance phase
• Manage security parameters

[Figure labels: Component Builder, Third Party, Industrial Plant, Device Manufacturer, Commissioning Engineer, Operators, Maintenance Engineer]

Slide No. 19

Security Framework of Industrial IoT

Communication security

• Data security
• Integrity – Tampering protection
• Confidentiality - Privacy
• Flow security
• Network topology
• End-to-end protection
• Cryptography
• Protect communication by providing authentication and authorization of the communicating parties
• Securing the integrity and/or confidentiality of a message
• Symmetric and asymmetric key cryptography

Slide No. 20

A quick overview

Symmetric Key Based Key Distribution

[Figure: Security Management Component (manages key used for communication), Device A and Device B. Channel labels: 1. Secured Channel, 2. Secured Channel, 3. Secured Channel, 3. Secured Channel]

Slide No. 21

A quick overview

Asymmetric Key Based Key Distribution

[Figure: Security Management Component, Device A and Device B. Channel labels: 1. Secured Channel, 2. Secured Channel, 3. Trusted Channel]

Slide No. 22

Security Framework of Industrial IoT

Communication security

• Physical security of connection
• Network access control
• Network segmentation
• Monitoring and Analysis
• Secure Logging
• Filtering technologies
• Network level intrusion detection
• Security policies
• Brownfield deployment – Use of gateway
• Configuration and management
• Operational phase – Security assurance

Slide No. 23

Security Framework of Industrial IoT

Security monitoring

• Incident prevention, detection, analysis and response
• Data collection and logging
• Security monitoring and analytics
• Anomaly based
• Signature based
• Security policy
• Brownfield consideration
• Configuration and management
• Software patch and update
• Identity management

Slide No. 24

Conclusion

Research Challenges

[Figure labels: Trust Management, Trade off Performance and Security, Usable Secure Solutions, Key Management, Mobile Workforce, Human Factors]

• Finding an optimal trust model
• The knowledge from operational phase
• Implications of the trade-offs to be made keeping usability aspects in mind.
• Standardized key management solutions for heterogeneous industrial networks.
• Manage small mobile handheld devices with better tracking and recovery for those devices.
• Security Monitoring – Fear factors for human workforce

Slide No. 25

References

• Gartner, Hype Cycles Research. 2014. http://www.gartner.com/technology/research/hype-cycles.
• Industrial Internet Reference Architecture, Industrial Internet Consortium, https://www.iiconsortium.org/
• Industrial Internet of Things Volume G4: Security Framework, Industrial Internet Consortium, https://www.iiconsortium.org/
• IoT security needs scalable solutions, https://techcrunch.com/2016/03/01/iot-security-needs-scalable-solutions/
• Interim Industrial Security, Icon Labs Firewalls Grandpa Equipment, http://eejournal.com/archives/articles/20160919-floodgatedefender/
• 4 Security Challenges Facing IoT Devices, https://raed.it/blog/4-security-challenges-facing-iot-devices/
• These Are The Weakest Points in Your IoT Security, http://www.iotcentral.io/blog/these-are-the-weakest-points-in-your-iot-security
• Gartner’s Top 10 Security Predictions 2016, http://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/

Slide No. 26

ABB: the pioneering technology leader

Slide No. 27

ABB technology

All around us

Slide No. 28

What does it take to win in digital?

Mastering the control room

Slide No. 29

Today: ABB – a “hidden” digital champion

Large, global software and digital offering

Slide No. 30

Quantum leap in digital: ABB Ability™

Creating one common offering for digital end-to-end solutions

Slide No. 31

………… Apala Ray