A Plethora of Standards and Guidance for OT / IoT Security
In my research into OT and IoT systems security, I have come across a plethora of guidance and standards from various organizations and standards bodies. This wide range of guidance is difficult to get your arms around when trying to figure out what is really important for securing your OT / IoT systems. Although formal standards have an important role, it seems to me that what is more often needed is guidance on how to translate your security priorities into actual protection measures, and on what to do to be conformant (if conformance is really necessary). There are also guidance and standards that are shaping new ways of doing business in the ever-changing IoT domain.
One of the key takeaways of my survey of standards and guidance is that OT/IoT professionals must choose wisely. There is no one-size-fits-all IoT framework of standards and implementation roadmap, nor is one likely to emerge in the next year or two given the growing number of standards bodies publishing IoT and OT guidance and standards. The many contributions to this space seem to add to the problem. There is not yet a universally accepted cybersecurity framework governing how underlying IoT or IIoT components work together securely and effectively; however, there are some efforts to harmonize the disparate architectures and frameworks that look promising.
So here is a subset of what I have found – let me know if you have other guidance or standards that you feel are noteworthy as well.
An effort that shows growing acceptance among many standards bodies and a lot of interesting guidance is oneM2M. I did a call with a couple of its members earlier in 2020 – Ken Figueredo of Chordant™, and Peter J. Kim, of the Telecommunications Technology Association (TTA), who are both Technical Plenary Founding members. oneM2M is the global standards initiative that covers requirements, architecture, API specifications, security solutions and interoperability for Machine-to-Machine (M2M) and IoT technologies. oneM2M was formed in 2012 and consists of eight of the world’s preeminent standards development organizations (SDOs): ARIB (Japan), ATIS (U.S.), CCSA (China), ETSI (Europe), TIA (U.S.), TSDSI (India), TTA (Korea), and TTC (Japan), together with industry fora or consortia (such as GlobalPlatform) and over 200 member organizations, including Qualcomm. These SDOs agreed to a common goal of promoting an international IoT standard rather than multiple and incompatible local standards. With inputs from its member organizations, oneM2M oversees an open process to standardize a framework for IoT solutions.
oneM2M specifications provide a framework to support applications and services such as the smart grid, connected car, home automation, public safety, and health. oneM2M actively encourages industry associations and forums with specific application requirements to participate in oneM2M, in order to ensure that the solutions developed support their specific needs. The purpose and goal of oneM2M is to develop technical specifications which address the need for a common M2M Service Layer that can be readily embedded within various hardware and software, and relied upon to connect the myriad of devices in the field with M2M application servers worldwide. A critical objective of oneM2M is to attract and actively involve organizations from M2M-related business domains such as telematics and intelligent transportation, healthcare, utilities, industrial automation, smart homes, etc.
oneM2M prepares, approves and maintains Technical Specifications and Technical Reports for:
- Use cases and requirements for a common set of Service Layer capabilities;
- Service Layer aspects with high level and detailed service architecture, in light of an access independent view of end-to-end services;
- Protocols/APIs/standard objects based on this architecture (open interfaces & protocols);
- Security and privacy aspects (authentication, encryption, integrity verification);
- Reachability and discovery of applications;
- Interoperability, including test and conformance specifications;
- Collection of data for charging records (to be used for billing and statistical purposes);
- Identification and naming of devices and applications;
- Information models and data management (including store and subscribe/notify functionality);
- Management aspects (including remote management of entities); and
- Common use cases, terminal/module aspects, including Service Layer interfaces/APIs between:
- Application and Service Layers;
- Service Layer and communication functions.
This comprehensive set of services makes it attractive to large scale IIoT development efforts. In fact, according to Peter Kim, South Korea has a master plan to use it for smart cities.
oneM2M underpins a software framework for linking IoT applications to a set of value-added services relating to: network connectivity; device security; transport protocols; content serialization; IoT device services and management; and IoT semantic ontologies. Each of these oneM2M services lets application developers focus on application-specific functionality (e.g. turning a light switch on or off), while relying on abstraction techniques to mask the underlying technology-specific details (e.g. whether the light switch uses a fixed or Wi-Fi network, a CoAP or HTTP transport, a JSON or XML serialization, an Open Connectivity Foundation (OCF) or Thread service enablement, or an ontology based on Smart Appliances REFerence (SAREF) or W3C’s Thing Description).
In architectural terms, oneM2M is a middleware technology. It groups several common service functions in an abstraction layer that exists between IoT applications (i.e. business logic) and the communications networks that provide connectivity to end-point devices and sensors (i.e. actuation and data capture). Since the IoT industry continues to evolve, oneM2M handles new specification requirements through release cycles. Release 1 was issued in 2015. oneM2M will shortly publish Release 4 which covers topics such as Fog/Edge computing, 3GPP internetworking and semantic reasoning for IoT solutions.
According to Ken Figueredo, some of the initial concerns around device communications are now solved. oneM2M makes use of common communications standards such as MQTT, CoAP, and HTTP. The emphasis today is on metadata standards, as data sharing is coming into the picture. Metadata discovery and sharing is needed to optimize decision-making across an ecosystem of devices such as connected cars, which need data from streets, weather and other cars. oneM2M hasn’t tackled provenance yet; however, work on privacy is underway. According to Ken, Chordant is leveraging the oneM2M framework to build marketplaces for sharing data. A base ontology is supported by oneM2M – basically an extension of the semantic web. Applications can use the oneM2M-defined ontology, and oneM2M will manage the translation to the respective underlying ontology used by the IoT devices. oneM2M can deal with streaming and snapshot data. Location is a common service, and oneM2M is working with the Open Geospatial Consortium to standardize on location data.
The data-sharing efforts were recently proven out when two member companies, Huawei and InterDigital, demonstrated the potential for interoperable and cross-vendor solutions by linking their respective IoT platforms. This testbed demonstrated that an IoT application on one platform could access data from a sensor connected to the other platform. Conformance to the oneM2M standard made this possible. More about this demonstration and the benefits of oneM2M can be found in the Industrial Internet Consortium (IIC) publication – Best Practices for Developing and Deploying IIoT Solutions.
oneM2M uses a resource model and requires all entities – whether physical or virtual – to register and create a unique identification. The use of non-standard identifiers and proprietary formats for identifying software applications makes interconnection extremely difficult, and such identifiers are not necessarily unique. It also prevents the effective tracking and reporting necessary for service fulfilment and billing. The oneM2M Application-ID (App-ID) Registry solves the problem by providing a central source for application registrations and subsequent lookups. The registry enables:
- Generation of unique standards-based identifiers
- Centralized App-ID data management through a robust, fault-tolerant registry
- Processing of thousands of concurrent transactions.
ATIS, a oneM2M founding partner, is the initial Registry Management Authority for the oneM2M App-ID Registry.
The Service Layer includes a security module that has a set of security services for IoT applications to call, to include:
- Security
- Secure Communication
- Authorization and Dynamic Authorization
- Privacy Policy Manager
- Enrollment and Provisioning
- End-to-end Security
- Device Management
- Device Configuration
- Device Diagnostics
- Device Firmware Upgrade
- Device Topology Management
- Application and Service Management
- Software Management
- Software Configuration.
As a service layer, the security services are abstracted from the application developers, making it easier and more standardized in terms of handling security protections and ensuring conformance to the technical specifications – ultimately enabling better interoperability.
oneM2M relies on many other Standards Development Organizations (SDOs) to help manage the development of the IIoT and IoT standards that are included in its framework. Several stalwarts of security guidance, such as NIST, ISA/IEC, IIC, and DHS, have published standards and guidance for OT / IoT systems security that are used by oneM2M; they can be found in the list below.
- NIST Cybersecurity Framework – Outlines the best cybersecurity practices to minimize risk to critical infrastructure. Recently, the National Cybersecurity Center of Excellence (NCCoE) invited technology providers and industry experts to collaborate on the Protecting Information and System Integrity in Industrial Control System Environments project. So NIST is stepping up to not only inform operators of what is needed but to provide practical examples of tool implementations that show how to secure these OT systems. The tool collaborators for this project include CyberX, Dragos, GreenTec USA, ForeScout Technologies, Radiflow, Tenable, TDi Technologies, and VMware. These collaborators will work with the NCCoE project team to provide a practical solution to help manufacturers protect their industrial control systems (ICS) from data integrity attacks. The result will be a freely available National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide that includes the practical steps needed to implement the NIST Cybersecurity Framework and industry standards and best practices.
- NIST Special Publication (SP) 1108 Revision 3: Framework and Roadmap for Smart Grid Interoperability Standards – Provides a road map for the open architecture of smart grid technologies and their software systems, for interaction with other systems and technologies.
- NIST Interagency/Internal Report 7628: Guidelines for Smart Grid Cybersecurity – Companion document to the NIST SP 1108 Revision 1; describes a high-level conceptual logical reference model for the smart grid, identifies applicable standards, and specifies a set of high-priority, standards-related gaps and issues.
- NIST SP 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security – A highly referenced guide on how to secure ICS, including supervisory control and data acquisition systems, distributed control systems, and other control system configurations such as programmable logic controllers, while addressing their unique performance, reliability, and safety requirements. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.
- NIST SP800-53, Rev 5 (Final Public Draft): Security and Privacy Controls for Information Systems and Organizations (March 2020) – Another highly referenced guide that contains a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, natural disasters, structural failures, human errors, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk.
- NIST Internal Report (NISTIR) 8267, Security Review of Consumer Home IoT Products – This is the first report from this NIST project and presents the results of a study to examine the observable aspects of cybersecurity features available on several consumer home IoT devices. The types of consumer home IoT devices reviewed include smart light bulbs, security lights, security cameras, doorbells, plugs, thermostats, and televisions. The purpose of the technical review was to better understand built-in cybersecurity features of consumer home IoT devices and inform general considerations for improving the cybersecurity of consumer home IoT devices. Observations and analysis were guided by NIST’s current work around good practices for cybersecurity features and implementation, including, but not limited to the recent draft NISTIR 8259, Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers.
- The International Society of Automation (ISA), through its ISA99 development committee, provides a collection of standards and guidance for securing industrial automation and control systems known as the ISA/IEC 62443 series of standards on the cybersecurity of industrial automation and control systems. The ISA99 standards development committee brings together industrial cybersecurity experts from across the globe to develop ISA standards on industrial automation and control systems security. This original and ongoing ISA99 work is being utilized by the International Electrotechnical Commission in producing the multi-part IEC 62443 series. The various ISA/IEC standards dealing with security for OT systems can be found at this link – https://www.isa.org/isa99/. ISA also created the ISA Global Cybersecurity Alliance (isa.org/ISAGCA) to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes. The Alliance brings end-user companies, automation and control systems providers, IT infrastructure providers, services providers, system integrators, and other cybersecurity stakeholder organizations together to proactively address growing threats.
- ISA95 is another standard from ISA for developing an automated interface between enterprise and control systems. It was developed to be applied in all industries and in all sorts of processes, such as batch, continuous and repetitive processes. The objectives of ISA95 are to provide consistent terminology as a foundation for supplier and manufacturer communications, to provide consistent information models, and to provide consistent operations models as a foundation for clarifying application functionality and how information is to be used. Specifically, it defines semantics and operational models for how industrial control systems exchange information with enterprise resource planning applications. ISA95 comprises six key components, each of which builds on the other. Most manufacturing applications, software and services in the past 25 years have implemented ISA95. Experts continue to work on ISA95: parts two and five were updated in 2017 and 2018 respectively to include capabilities required by IoT. Given the established framework of ISA95, architects can best spend their efforts on network, compute, storage and cybersecurity for IoT and IIoT. The ISA-developed IEC 62443 cybersecurity standard mentioned earlier aligns with ISA95, but it focuses more on the information and modeling or conceptual level and requires enhancement and extension to cover the entire IIoT. ISA95 is one of the best-known standards for industrial IoT (IIoT), but it is far from the only one. Instead, each standards body has created its own, with the intent of providing more detailed implementation guides downstream.
- The Industrial Internet Consortium (IIC) was founded in March 2014 to bring together the organizations and technologies necessary to accelerate the growth of the industrial internet by identifying, assembling, testing and promoting best practices. Members work collaboratively to speed the commercial use of advanced technologies. Membership includes small and large technology innovators, vertical market leaders, researchers, universities and government organizations. One example of its work is the Industrial Internet Security Framework (IISF), an in-depth, cross-industry security framework comprising expert vision, experience and security best practices.
- Catalog of Control Systems Security: Recommendations for Standards Developers developed by DHS provides a baseline of security requirements for ICS. This dated document (2011) was developed to help facilitate the development of control systems cybersecurity industry standards and still provides useful guidance today. This catalog presents a compilation of practices that various industry bodies have recommended to increase the security of control systems from both physical and cyber attacks. It reflects content from NIST SP 800-53r3 PM-1; API 1164r2 1.2, Annex A, Annex B.4.1.2; NERC CIPS CIP 002-3 through CIP 009-3; NRC RG 5.71 App. B.3.11. The recommendations in this catalog are grouped into 19 families, or categories, that have similar emphasis. The recommendations within each family are displayed with a summary statement of the recommendation, supplemental guidance or clarification, and a requirement enhancements statement providing augmentation for the recommendation under special situations.
- On November 16, 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. This landmark legislation elevated the mission of the former National Protection and Programs Directorate (NPPD) within DHS and established the Cybersecurity and Infrastructure Security Agency (CISA). CISA coordinates security and resilience efforts using trusted partnerships across the private and public sectors, and delivers technical assistance and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide. For Infrastructure Security, CISA’s main focus areas include:
- Providing free tools and resources for government and private sector partners
- Facilitating Critical Infrastructure Vulnerability Assessments
- Strengthening security and resilience across the chemical sector
- Providing training, encouraging information sharing, and fostering sector partnerships and international engagement.
In addition to these main standards and governing bodies, there are several other places where good guidance can be found. First stop is the National Telecommunications and Information Administration (NTIA), an agency of the Department of Commerce, which has a working group looking at existing standards and initiatives related to security patching and upgrading of IoT devices. The WG put together a draft document in 2017 that lists many initiatives and standards that are still germane to this effort, as well as overall security guidance for the IoT environment.
The North American Electric Reliability Corporation (NERC) plays a significant oversight role for electric grid operators. Its NERC Reliability Guideline: Cyber Intrusion Guide for System Operators assists system operators in recognizing events that may indicate a cyber attack, and in how and when to share information with others. In addition, the NERC Reliability Guideline: Situational Awareness for the System Operator provides guidance for organizations to have a process in place for assessing and increasing the effectiveness of the situational awareness of their operators in electric systems when it comes to safety and security. Finally, the NERC Critical Infrastructure Protection Standard Series, or CIP Standards, imposes rules that address power system security and specifies minimum security requirements for bulk power systems. These standards are used widely in the US and parts of Mexico, and are even referenced by the EU.
Medical devices are also under scrutiny from a cybersecurity perspective. Medical device manufacturers must comply with federal regulations.
Part of those regulations, the Quality System Regulation (QSR), requires that medical device manufacturers address all risks, including cybersecurity risk. The Food and Drug Administration (FDA) has published premarket and postmarket cybersecurity guidances that offer recommendations for meeting the QSR through comprehensive management of medical device cybersecurity risks and continuous improvement throughout the total product life cycle, and that incentivize changing marketed and distributed medical devices to reduce risk. Also on the security of medical devices, DITTA issued a white paper in 2019 covering cybersecurity best practices for the development and manufacture of medical devices, which can be found here – DITTA White Paper on Cybersecurity: Best Practices in the Medical Technology Manufacturing Environment. DITTA is the global industry voice for diagnostic imaging, radiation therapy, healthcare ICT, electromedical and radiopharmaceuticals, representing more than 600 medical technology manufacturers committed to improving health care and patient outcomes. The white paper is derived from NEMA CPSP 2-2018 Cyber Hygiene Best Practices, and it provides references to other documents and standards for each best practice area it describes.
Underwriters Laboratories (UL) is also providing a variety of cybersecurity services for factory automation and industrial control systems that includes:
- Testing – penetration testing, source code analysis, vulnerability analysis, fuzz testing
- Certification – IEC 62443-2-4, IEC 62443-3-3, IEC 62443-4-1, IEC 62443-4-2 or UL 2900-2-1
- Training – IEC 62443, security best practices, threat analysis
- Advisory – Gap assessment
Additionally, UL has created a rating system that measures the security of connected products. With this IoT Security Rating, UL tests and classifies products into one of five security levels, ranging from the lowest level, bronze, to the highest level, diamond. Each level represents a set of security capabilities that the manufacturer has strongly implemented in the product. Level bronze contains a set of essential must-have security capabilities, level silver contains enhanced security capabilities, level gold contains more advanced security capabilities, and so on.
UL’s Supplier Cyber Trust Level solution aids procurement mechanisms and helps strengthen the overall supply chain for OT and IoT systems. UL’s Supplier Cyber Trust Level helps suppliers and vendors better navigate procurement and quality assurance processes by demonstrating the trustworthiness of their security practices across the following key trust categories:
- Software development practices
- Software development environment and infrastructure
- Hardware development practices
- Product documentation
- Secure production processes and delivery management
- Security issue management
- Hosted software
- Quality management
- Enterprise security
- Supplier management
The UL Trust Level rating solution also helps to coalesce requirements across different supply chain security standards by mapping and leveraging security controls from well-known/popular industry best practices, standards and frameworks.
Also, with the technical leadership of Edge Case Research, Underwriters Laboratories has published UL 4600: Standard for Safety for the Evaluation of Autonomous Products – it is the first standard addressing autonomous vehicles and other applications. Rather than require a particular technical approach, UL 4600 concentrates on ensuring that a valid safety case is created. A safety case includes three elements: goals, argumentation, and evidence. Goals describe what it means to be safe in a specific context, such as generic system-level safety goals (e.g., don’t hit pedestrians) and element safety requirements (e.g., ensure a computing chip produces correct computational results despite potential transient hardware faults). Arguments are a written explanation as to why a goal is achieved (e.g., vehicle-level argumentation that the system can detect and avoid pedestrians, including ones that are unusual or appear in the roadway from behind obstacles, within the limits of physics and subject to the vehicle displaying appropriate defensive driving behavior). Evidence supports that the arguments are valid, typically based on analysis, simulations, and test results (e.g., for a computing chip mathematical analysis of error correction codes combined with the results of fault injection experiments).
The Center for Internet Security produces and manages the CIS Controls, a prioritized set of practices that can mitigate risks to networked systems. Currently in Version 7.1, the Controls are broadly accepted as a means to assess and address common risks to systems, providing steps that can notably reduce the likelihood of exposure and impacts. A community of experts, representing most industries, helps to manage these best practices. Because the IT and OT domains share similarities yet also have key differences, the application of the Controls in each domain requires careful consideration, especially where IT/OT convergence is prevalent. The CIS Controls Implementation Guide for Industrial Control Systems for Version 7 provides a useful starting point for a security improvement assessment for ICS. These ICS Controls provide a road map for an organization embracing or moving toward converged IT/OT systems, including industrial IoT solutions that span domains and may reach outside the organization’s local network architecture.
In 2018, the International Organization for Standardization and International Electrotechnical Commission co-developed an IoT reference architecture, ISO/IEC 30141, that defines a common vocabulary, reusable designs and industry best practices for IoT. The Internet Engineering Task Force (IETF) and Internet Research Task Force (IRTF) have also actively created IoT guidelines. IRTF focuses on longer-term research issues related to the internet, and IETF focuses on shorter-term issues of engineering and defining standards. Within the IETF, the Light-Weight Implementation Guidance (LWIG) working group has worked on several drafts pertaining to IoT security, networking and power issues. One guide, TCP Usage Guidance in the Internet of Things, explains how to implement and use TCP in constrained-node networks, which are characteristic of IoT. An informational request for comments, RFC 8352, describes the challenges for energy-efficient protocol operation on constrained devices and the current practices used to overcome those challenges. The RFC also includes an overview of energy-efficient mechanisms available at each layer of the IETF protocol suite specified for constrained-node networks. Another IETF draft, Security Classes for IoT Devices, attempts to define security classes for IoT devices. It characterizes device security by five attributes:
- one time programmable memory (OTP),
- firmware loader (FLD),
- secure firmware loader (FLD-SEC),
- tamper resistant key (TRT-KEY) and,
- diversified key (DIV-KEY).
These attributes lead to the definition of six classes of devices, whose security increases with the class number.
The W3C has developed an IoT architecture and modular building blocks that, together, define a basic conceptual framework for IoT. The W3C goes further by providing an IoT Implementation Report that includes detailed implementation guidelines and functioning use cases. Another standards body, the Institute of Electrical and Electronics Engineers (IEEE), is actively developing standards for various aspects of IoT and IIoT. To date, the IEEE has developed the IEEE 2413 Standard for an Architectural Framework for the Internet of Things and is currently working on IoT standards for power distribution networks, blockchain-based data management and security. It also has a history of providing standards for critical infrastructure, such as the two examples below.
- IEEE C37.240-2014: IEEE Standard Cybersecurity Requirements for Substation Automation, Protection, and Control Systems – Provides technical requirements for substation cybersecurity and presents sound engineering practices that can be applied to achieve high levels of cybersecurity of automation, protection, and control systems, independent of the voltage class or criticality of cyber assets. Cybersecurity includes trust and assurance of data in transit, data at rest, and incident response.
- IEEE 1547-2018: IEEE Standard for Interconnection and Interoperability of Distributed Energy Resources with Associated Electric Power Systems Interfaces – This technical specification describes the interconnection and interoperability testing between utility electric power systems (EPSs) and distributed energy resources (DERs). It provides requirements relevant to the performance, operation, testing, safety considerations, and maintenance of the interconnection. It also includes general requirements, response to abnormal conditions, power quality, islanding, and test specifications and requirements for design, production, installation evaluation, commissioning, and periodic tests.
The DoD cannot be left out of this survey either, as it provides guidance for the cybersecurity of facility-related control systems via the SERDP and ESTCP programs. The Strategic Environmental Research and Development Program (SERDP) is DoD’s environmental science and technology program, planned and executed in partnership with DOE and EPA, while the Environmental Security Technology Certification Program (ESTCP) is DoD’s environmental technology demonstration and validation program. ESTCP was established in 1995 to promote the transfer of innovative technologies that have successfully established proof of concept to field or production use. The ESTCP website is the primary external communications platform to keep DoD stakeholders, vendors and contractors apprised of RMF policy for OT systems, as well as standards and guidance, and it is a source of tools, checklists and templates.
Well, this wraps up my survey of standards and guidance for OT and IoT systems. I am sure I left out a few. Let me know what standards and guidance you find most useful.
And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing OT / IIoT and IoT systems, Augmented Reality, or other emerging technology topics. Also, email chrisdaly@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.