CISA and IIoT: Time to Grab the Reins
By Dathan Duplichen
Current momentum exists at the national level for the development of Internet of Things (IoT) security. These initiatives focus on consumer-based IoT and ignore Industrial IoT (IIoT). Consumer-based IoT security is critical in dampening the effects of malicious software globally but does not directly address the ever-present security vulnerabilities in IIoT. The Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the Department of Homeland Security, should capitalize on the existing momentum for IoT device security and make efforts to address IIoT security standardization and collaboration.
An analysis of the security risks of Internet of Things devices is a well-worn path. Adherence to Lee’s Sliding Scale of Cybersecurity is often overlooked, yet following it would likely diminish the associated risks significantly. Lee’s scale does have limitations: many of its recommendations are not necessarily applicable to IoT devices that fall outside the norm of consumer and enterprise networks, namely those in Industrial Control Systems (ICS). IoT devices in ICS are a known risk, sometimes overlooked in research because of the lack of scalable solutions, and they can create devastating impacts if left vulnerable.
Attempts to address IoT vulnerabilities with policy solutions at the federal level were arguably stagnant. This changed recently with President Biden’s executive order (EO) on May 12th. The EO took several significant steps towards addressing these problems. One of the critical elements of this order is the creation of a working group to establish a standardized IoT labeling system. The labeling system, while a long time coming, focuses on consumer IoT. Addressing security concerns in consumer IoT is a laudable and applicable effort in support of CISA’s goals, but fails to address the critical vulnerability of Industrial IoT, or IIoT, devices.
While Section 4(t) of the executive order explicitly addresses consumer-based IoT, a quick look at the strategy shows that its value extends to other areas. Labeling IoT devices influences not only how consumers behave but also how manufacturers behave. Market research indicates a preference for more secure IoT devices, and consumers are willing to pay a premium for peace of mind.
With a standardized label, product purchasing managers can make informed decisions, thereby improving the overall security of a network. This purchasing incentive may not translate directly to IIoT for two reasons. First, IIoT purchasers acquire different types of products. IIoT devices differ from consumer devices in their specialization, limited functionality, and often tailor-made functions, which makes standardizing security functions across the sector nearly impossible. Second, the age of existing IIoT systems and the rarity with which they are replaced must be considered. Even if critical infrastructure (CI) owners aimed to purchase “four-star” security devices, it would likely be years before crucial system elements were replaced. The need to “buy the latest device” does not appear to exist in critical infrastructure. Efficient functionality, or in triad terms “availability,” is paramount; as long as availability is assured, a CI operator is unlikely to replace the device.
Labeling IIoT devices as a course of action should not be abandoned. CISA, as the principal government liaison to critical infrastructure, should use the tailwind of these new initiatives to improve the security of these devices that play vital roles in national security.
CISA capitalization on current momentum
CISA can draw several vital ingredients from the Executive Order to target the IIoT challenges to CI directly: the development of a working group for IIoT standards, the establishment of minimum security standards for devices used in CI, a requirement for minimum standards in federal and contract purchasing, and the adoption of a labeling scheme that focuses predominantly on the “CIA” triad, geared toward device function rather than placement.
Development of a working group for IIoT standards
The previously mentioned Executive Order on Improving the Nation’s Cybersecurity establishes in Section 4(t) a working group to “identify IoT cybersecurity criteria for a consumer labeling program.” The recommendation flowed from similar recommendations published in the Cyberspace Solarium Commission’s Report. This requirement brings together the Department of Commerce (DoC), the Federal Trade Commission (FTC), and others to establish these criteria. There is little that would impede creating a similar commission focused exclusively on IIoT devices in CI.
Participants in the suggested working group would differ from those in the consumer IoT working group. The Departments of Homeland Security, Commerce, Transportation, and Energy all have critical roles. CISA’s Critical Infrastructure Partnership Advisory Council (CIPAC) membership would serve as an excellent starting point for sector representatives.
Creating another working group does not on its surface appear to be a novel idea; however, there is a significant difference. Existing working groups continually use best practices and information sharing as their overarching approach to combating emerging threats. This serves well to address specific problems, but without a fundamental baseline the approach will always be “whack-a-mole.” The recommended solution is not an ongoing working group, but one that establishes standardized minimum standards that cross technologies. This challenge is more complicated than it appears because of the diversity of devices at issue. How do you standardize these metrics? A traditional cybersecurity principle may hold the answer.
Focusing on the CIA Triad
Confidentiality, Integrity, and Availability: the CIA triad is a fundamental discussion point in the digital security community. Rather than prescribing minimum technical standards or safeguards, identifying which element is most critical for the device should take center stage. Members of this working group should establish levels of security based on these functions. Manufacturers can then identify a device’s primary function to determine where best to spend research funds, and purchasers can buy based on device use. When a device must perform multiple functions, whichever role holds the highest priority should take precedence.
Establish minimum security standards for IIoT used in CI
These foundational standards by function could be translated into an IIoT label, capitalizing on existing momentum. With these levels by function, federal regulators could establish a minimum score required for use in CI. For example, a device whose primary function is confidentiality must have a confidentiality score of at least 3 of 4.
Government-funded purchasing and Minimum Standards
The above would pair well with the IoT device purchasing standards recently mandated by the Internet of Things (IoT) Cybersecurity Improvement Act of 2020. The federally required minimums could map to levels in the IIoT labeling scheme, allowing for easy compliance in purchasing. An additional benefit of a level-based labeling program is its effect on manufacturer incentives. With levels that denote increased security, manufacturers are encouraged by competition to exceed minimum standards. Labels with pass/fail measures minimize manufacturers’ incentive to invest in security beyond a “passing standard.”
The IIoT sector is also primed for innovation. With limited product replacement, there may be little incentive to innovate. “If it works, it works.” CISA, in conjunction with DHS, could work to form an IIoT innovation group dedicated to making better mousetraps, of sorts. The business incentive for innovating on already performing equipment is low. Still, with national funding for innovation, development does not necessarily have to fit within the confines of best business practices.
CISA, through DHS, might also consider developing an IIoT counterpart to the Idaho National Laboratory, run by the Department of Energy. Such a site would allow new technology to be tested on non-production networks to determine its security and functionality before installation in critical infrastructure. This step is essential to ensure that new devices will not impede the functioning of CI. It would also alleviate the costs associated with individual builds of redundant systems.
CISA continues to be a trusted federal organization in the cybersecurity domain. This trust as a non-partisan arbiter could be used to capitalize on the existing momentum to secure IoT devices. Using CISA’s role in supporting critical infrastructure, it could lead efforts to establish a labeling system for industrial IoT that increases both ease of compliance with federal law and overall device security. A label based on levels of security by function within the CIA triad could be used to drive purchasing decisions and ease regulation at the state and local levels. Additionally, adopting a level system will discourage a bare-minimum mentality among manufacturers. Opportunities are not limited to labeling. The development of an innovation institute for IIoT could also yield results in a stagnant field, and a national laboratory for IIoT would alleviate costs associated with testing new products. CISA will continue to be the voice for critical infrastructure security at the federal level, so it must use this voice to speak now while others are listening.
The opinions expressed in this article are the opinions of the authors alone and not representative of their employers or associated entities.
About the author: Dathan Duplichen is a master’s student in FSI’s Ford Dorsey Master’s in International Policy program, concentrating on Cyber Policy and Security. He is a career technology specialist for the United States Department of Defense who focuses on international cooperation in cyberspace.