With the advent of Industrie 4.0 and incredible growth potential around the Industrial Internet of Things (IIoT), there is a paramount need for information availability, advanced analytics, and connected and scalable systems in the operational technology (OT) realm. Given security’s role as an enabler of functional goals, do manufacturers, owners and operators have a holistic, strategic framework to assess, prioritize and implement security capabilities within an integrated environment?
Legacy infrastructures, and their operators, have long relied on the concept of an “air gap”—a physical separation between IT/OT environments—to prevent (or contain) the spread of malware that typically and historically originates in IT environments. The growing industry consensus dispelling the air gap myth has many OT owners/operators responding with knee-jerk reactions and implementing a variety of security measures. These reactions come not only from the pressure to realize functional goals and remain an industry leader, but also from the ever-increasing barrage of security vendors and advertised solutions.
While many proven IT-grade security controls and capabilities can be adapted for use within OT, enterprises and specifically security practitioners should question the efficacy of technology without an overarching strategy in place. With this in mind, Accenture Technology Labs developed an IIoT security capability matrix (see Figure 1), which considers aspects unique to an integrated IT/OT environment. One dimension spans the architectural layers of an integrated environment, while the other spans high-level cybersecurity activities.
Figure 1: IIoT security capability matrix
Each cell highlights activities and outcomes integral to a holistic security strategy. As an example, third-party risk assessments are common practice within OT environments and are typically performed across the architectural spectrum. Similarly, counterfeit device detection is a vital step towards securing the hackable edge. Counterfeit devices, potentially deployed as a result of insider and/or upstream threats, may possess backdoors and hardware trojans, too.
The chart depicts certain capabilities that will resonate with IT practitioners, while other capabilities will make more sense to those in OT. A well-known challenge is that security practitioners often don’t factor OT environments into consideration, while OT operators may not always prioritize security concerns. Our IIoT security capability matrix provides a common platform, which IT/OT practitioners (both security and operational) can use to communicate more effectively with each other and then implement the desired solutions and capabilities.
We highlight three cells where IT best practices can be applied. As the IIoT matures, we may need to revisit this assumption. Numerous activities and outcomes are listed in the capability matrix; however, the intent is not for this matrix to be exhaustive, or a binary measure of success in terms of overall security posture. Instead, it serves as a starting point for enterprises and security practitioners to assess their security maturity level and implement capabilities more effectively. More importantly, it raises the question: To secure IIoT environments, are we asking the right questions?
Once enterprises ask the right questions, then they will be better prepared to evaluate vendor capabilities and determine alignment with the IIoT security capability matrix.