Practitioner’s Guide for Assessing the Maturity of IoT System Security

I just had an opportunity to talk industrial cybersecurity with two leaders of The Industrial Internet Consortium (IIC) (now incorporating OpenFog) who gave an overview of the new Security Maturity Model (SMM) Practitioner’s Guide. This document provides detailed, actionable guidance enabling IoT stakeholders to assess and manage the security maturity of IoT systems.

Along with the publication of the SMM Practitioner’s Guide is an update to the IoT SMM: Description and Intended Use White Paper, which provides an introduction to the concepts and approach of the SMM. This white paper has been updated for consistency with the SMM Practitioner’s Guide, including revised diagrams and updated terminology.

As organizations connect their systems to the internet, they become vulnerable to new threats, and they are rightly concerned with security. Addressing these concerns requires investment, but determining investment focus and amount is a difficult business decision. The SMM helps by enabling a structured top-down approach toward setting goals as well as a means toward assessing the current security state, taking into account various specific practices. The SMM allows an organization to trade off investment against risk in a sensible manner.

Building on concepts identified in the groundbreaking IIC Industrial Internet Security Framework published in 2016, the SMM defines levels of security maturity for a company to achieve based on its security goals and objectives as well as its appetite for risk. Organizations may improve their security state by making continued security assessments and improvements over time, up to their required level.

“This is the first model of its kind to assess the maturity of organizations’ IoT systems in a way that includes governance, technology and system management,” said Stephen Mellor, CTO, IIC. “Other models address part of what is addressed by the SMM: they may address a particular industry, IoT but not security, or security but not IoT. The SMM covers all these aspects and points to parts of existing models, where appropriate, to recognize existing work and avoid duplication.”

The practitioner’s guide includes tables describing what must be done to reach a given security comprehensiveness for each security domain, subdomain and practice and can be extended to address specific industry or system scope needs. Following each table is an example using various industry use cases to demonstrate how an organization might use the table to pick a target state or to evaluate a current state.

One example is that of an automotive manufacturer considering the possible threats interfering with the operations of a vehicle key fob. The manufacturer sets its target maturity comprehensiveness level to “1” as it considers some IT threats, such as a Denial of Service attack that may prevent a driver from opening the car door using the key fob. Over time, as new threats emerge, the manufacturer realizes it needs additional threat modeling and enhanced practices, so it raises its target maturity comprehensiveness level to a higher level, “2.”

The practitioner’s guide contains three case studies that show IoT stakeholders how to apply the process based on realistic assessments, showing how the SMM can be applied in practice. The case studies include a smarter data-driven bottling line, an automotive gateway supporting OTA updates and security cameras used in residential settings.

The IIC designed the Security Maturity Model to be extended for industry and system specific requirements. The IIC is collaborating with various industry groups to develop industry profiles that extend the model. Industry associations interested in developing profiles are encouraged to contact the IIC. Please send an email to [email protected]

For more information about the IIC SMM Practitioner’s Guide, IIC members have prepared a webinar “Get a True Sense of Security Maturity,” which will air on March 18th at 12:00 pm for 60 minutes. Use this PIN: 12374028

The full IIC Security Maturity Model Practitioner’s Guide and a list of IIC members who contributed can be found on the IIC website.

Linux Foundation Launches Unified Open Source Framework for the Edge

This is another aspect of consolidation as the Linux Foundation brings several open source projects together under one umbrella. This action should coordinate development and speed access to the market. Among these announcements, I see that EdgeX Foundry, the project I’ve addressed a few times before and actively backed by Dell Technologies, has been morphed into the organization. An announcement by ZEDEDA relative to these activities is attached below.

The Linux Foundation launches LF Edge, an umbrella organization that aims to establish an open, interoperable framework for edge computing independent of hardware, silicon, cloud, or operating systems.

Backed by more than 60 global leaders including AT&T, Samsung, Dell, HP, IBM, Intel, Huawei, Qualcomm, Red Hat and ARM, LF Edge will create a software stack that brings the best of telecom, cloud, and enterprise to ensure greater harmonization with lower latency, increased data speed, more security and scalability.

LF Edge is initially comprised of five projects that will support emerging edge applications in the area of non-traditional video and connected things that require lower latency, faster processing and mobility.

LF Edge includes Akraino Edge Stack, EdgeX Foundry, and Open Glossary of Edge Computing, formerly stand-alone projects at The Linux Foundation. The initiative also includes a new project contributed by Samsung Electronics, which will create a hub for real-time data collected through smart home devices, and another project from ZEDEDA, which is contributing a new agnostic standard edge architecture.

“The market opportunity for LF Edge spans industrial, enterprise and consumer use cases in complex environments that cut across multiple edges and domains. We’re thrilled with the level of support backing us at launch, with more than 60 global organizations as founding members and new project contributions,” said Arpit Joshipura, general manager, The Linux Foundation. “This massive endorsement, combined with existing code and project contributions like Akraino from AT&T and EdgeX Foundry from Dell EMC, means LF Edge is well-positioned to transform edge and IoT application development.”

Through the formation of a software stack that brings the best of telecom, cloud, and enterprise (representing location, latency and mobility differentiation), LF Edge will help ensure greater harmonization to accelerate deployment among the rapidly growing number of edge devices slated to exceed 20 billion by 2020. In order for the broader IoT to succeed, the currently fragmented edge market needs to be able to work together to identify and protect against problematic security vulnerabilities and advance a common, constructive vision for the future of the industry.

More about LF Edge projects:

  • Akraino Edge Stack is creating an open source software stack that supports high-availability cloud services optimized for edge computing systems and applications;
  • EdgeX Foundry is focused on building a common open framework for IoT edge computing.
  • Home Edge Project, seed code contributed by Samsung Electronics, is a new project that concentrates on driving and enabling a robust, reliable, and intelligent home edge computing framework, platform and ecosystem running on a variety of devices in our daily lives.
  • Open Glossary of Edge Computing provides a concise collection of terms related to the field of edge computing.
  • Project EVE (Edge Virtualization Engine), contributed by ZEDEDA, will create an open and agnostic standard edge architecture that accommodates complex and diverse on- and off-prem hardware, network and application selections.

As the IoT increasingly trades legacy embedded devices for cloud native computing devices with greater compute power, edge and IoT developers need vendor-neutral platforms and a shared vocabulary for deploying and securing their devices. Industries including industrial manufacturing, cities and government, energy, transportation, retail, homes, building automation, automotive, logistics and healthcare all stand to be transformed by edge computing, which by its nature spans many different systems, domains, hardware and software.

Bringing Unity to the Fragmented Edge Computing Realm

Already home to several other thriving umbrella organizations – including Cloud Native Computing Foundation, LF Networking, and LF Deep Learning – The Linux Foundation provides a neutral structure for building an open source community. Under the auspices of The Linux Foundation, LF Edge will drive better, more secure development at the edge, outlining an aligned vision for the diverse and complex edge projects being built today.

LF Edge is already supported by a strong roster of industry-leading founding members: (Premier) Arm, AT&T, Baidu, Dell EMC, Dianomic Inc., Ericsson, HP Inc., HPE, Huawei, IBM, Intel, inwinStack, Juniper Networks, MobiledgeX, Netsia, Nokia Solutions, NTT, OSIsoft, Qualcomm Technologies, Radisys, Red Hat, Samsung Electronics, Seagate Technology, Tencent, WindRiver, Wipro, ZEDEDA; and (General) Advantech Co., Alleantia srl, Beechwoods Software Inc., Canonical Group Limited, CertusNet, CloudPlugs Inc., Concept Reply, DATA AHEAD AG, Enigmedia, EpiSensor, Foghorn Systems Inc., ForgeRock US Inc., Foundries.io, Hangzhou EMQ Technologies Co. Ltd., IOTech Systems Ltd., IoTium, KMC, Linaro, Mainflux, Mocana, NetFoundry, Packet, Pluribus Networks, RackN, Redis Labs, VaporIO, Vitro Technology Corp., Volterra Inc., Wanxiang Group; and (Associate) Automotive Edge Computing Consortium (AECC), Beijing University of Posts and Telecommunications (BUPT), Electronics and Telecommunications Research Institute (ETRI), Infrastructure Masons, Inc., and Project Haystack.

Supporting quotes:

“End-to-end cohesion requires big companies to come together to foster the space for industrial collaboration and emerging architectures across mobile, residential, SMB and enterprise organizations when dealing with the edge,” said Roman Shaposhnik, vice president of Product and Strategy, ZEDEDA. “This initiative provides critical leadership — not just a piece of the edge puzzle — with the ultimate output being working code.”

“As devices play more important roles in our everyday lives, the edge computing is one of the key driving forces for a new computing paradigm within the IT industry,” said Seunghwan Cho, executive vice president of Samsung Research, the advanced R&D arm of Samsung Electronics’ device business. “As Samsung is one of the leading open source contributors at LF Edge, we’ll be in the forefront of realizing and accelerating edge computing, which can provide assistance to a wide array of fields, including Home Edge, Industrial, and Mobile Edge Computing (MEC).”

“The Linux Foundation has created the perfect vehicle for collaboration and coordination across the diversity of LF Edge projects,” said Matt Trifiro, former chair of the Open Glossary of Edge Computing and chief marketing officer, Vapor IO. “We see the Open Glossary playing a vital role in fostering a shared understanding that accelerates innovation. We look forward to working with all of the LF Edge projects to cross-pollinate terminologies and harmonize the lexicon.”

“We are thrilled by the progress of Akraino Edge Stack so far and excited to see the Linux Foundation deepen its commitment into edge computing,” said Oliver Spatscheck, former Akraino Board chair and assistant vice president at AT&T Labs. “The launch of LF Edge will accelerate edge innovation and drive real business value by bringing a diverse set of edge players under one roof.”

“LF Edge will create a comprehensive and coordinated set of foundational open source tools to enable developers to accelerate time to value in creating IoT and Edge computing solutions,” said Jason Shepherd, former governing board chair of EdgeX Foundry, and IoT and Edge Computing chief technology officer at Dell Technologies. “We look forward to continuing to foster IoT interoperability within the EdgeX community in addition to collaborating across LF Edge projects to develop de facto-standard APIs for intelligent interactions between the application and infrastructure planes within the broader edge ecosystem.”

In further news, ZEDEDA Announces Project EVE, Partners with The Linux Foundation to Develop an Open On-Prem Enterprise Edge Computing Architecture

Open source Project EVE (Edge Virtualization Engine) chartered to create open, agnostic edge architecture targeting on-premise, cyber-physical enterprise edge

Joins LF Edge, The Linux Foundation’s new umbrella organization to establish an open, interoperable framework for edge computing independent of hardware, silicon, cloud, or operating system.

Project EVE establishes a lightweight virtualization engine and open APIs for IoT edge gateways and edge servers with built-in security for enterprise applications including industrial automation, clean energy, retail and beyond

Embraces zero-trust as the de-facto method for securing on-prem edge devices

“Open source is the ideal approach for enabling app developers to navigate the crowded, diverse, multi-vendor edge that exists in the enterprise today,” said Roman Shaposhnik, Co-Founder and VP Product & Strategy, ZEDEDA. “By accelerating the development of cloud-native edge applications, Project EVE is paving the way for the next generation of edge applications in enterprises — from robotics to AI to predictive analytics and automation.”

Industrial Internet Consortium and OpenFog Consortium Unite

Consolidation is the name of the game for the past few years in the automation and controls market. We’ve seen companies on the acquisition trail. Not limited to for-profit companies, industry alliances and organizations have been consolidating as well. A few years ago it was Fieldbus Foundation and HART Communication Foundation joining to form FieldComm Group. Now we have consolidation in the Industrial Internet of Things space. This no doubt signals growing maturity of the market and technologies.

The Industrial Internet Consortium (IIC) and the OpenFog Consortium (OpenFog) announced January 31 that they have finalized the details to combine the two “largest and most influential” international consortia in Industrial IoT, fog, and edge computing. Effective immediately, the organizations will work together under the IIC umbrella to drive the momentum of the industrial internet, including the development and promotion of industry guidance and best practices for fog and edge computing.

This action brings OpenFog members into the IIC at a time when their complementary areas of technology are emerging in the mainstream. The first formal meeting of the unified organization will be held in Raleigh, N.C., from February 11-14.

The IIC, now incorporating OpenFog, also announced that the IIC Steering Committee, which guides the strategic direction of the organization, has elected two OpenFog principals:

  • Ron Zahavi, Chief Strategist for IoT Standards, Azure IoT, Microsoft. Mr. Zahavi is focused on IoT standards and consortia and also leads Microsoft’s Worldwide IoT Architecture Community. Mr. Zahavi has extensive experience in all aspects of technology management and solution delivery, 18 of those related to IoT solutions. Matt Vasey, Microsoft director, AI and IoT business development, will serve as the alternate to Mr. Zahavi.

  • Mung Chiang, John A. Edwardson Dean of the College of Engineering, Purdue University. Dr. Chiang was previously the Arthur LeGrand Doty Professor at Princeton University and founded the Princeton EDGE Lab in 2009. The Lab bridges the theory-practice gap in edge computing/networking research by spanning from proofs to prototypes. Dr. Chiang received the 2013 Alan T. Waterman Award for his contributions to networking R&D.

“This agreement brings together the two most important organizations shaping the Industrial Internet of Things. The combined organization offers greater influence to members, more clarity to the market, and a lower-risk path to the future for end users. We will be the center of gravity for the future of Industrial IoT systems across industry verticals,” said Stan Schneider, CEO of Real-Time Innovations (RTI) and Vice Chair of the IIC Steering Committee. “We welcome the experience and vision that Ron Zahavi and Mung Chiang bring to our Steering Committee.”

“We are excited to take the first steps toward integrating the OpenFog Working Groups, Testbeds and Use Cases with those of the IIC,” said Matt Vasey, OpenFog chairman and president, and director, AI and IoT business development, Microsoft. “Our membership is highly motivated to contribute at every level to continue the advancement of fog technology in the Industrial Internet.”

Following are additional quotes from IIC Steering Committee Members:

“We are looking forward to our continued work at the IIC strengthened with the addition of OpenFog. The combined organization will cover the edge to cloud continuum and leverage the international diversity of its members, regional committees and testbeds.” Ron Zahavi, Chief Strategist for IoT Standards, Azure IoT, Microsoft, IIC Steering Committee Member

“The OpenFog Consortium and the Industrial Internet Consortium coming together marks a major step in the evolution of IoT and embedded AI. The complementary strengths of the two organizations now jointly serve global industry in the most exciting era of these technologies.” Dr. Mung Chiang, John A. Edwardson Dean of the College of Engineering, Purdue University, IIC Steering Committee Member

“Building out the IIoT ecosystem is essential to ensuring quick market adoption. A significant amount of data is processed at the edge in a majority of IoT solutions being deployed. Joining our memberships as well as our technical edge and fog expertise is a force multiplier for the guidance that we are creating for the IoT industry.” Wael William Diab, Senior Director, Huawei Technologies, IIC Steering Committee Secretary

“ABB’s digital approach recognizes the importance of all elements of an IIoT stack, from the edge to the cloud, from the sensor, the automation system, and the IoT analytics, as well as the importance of open standards to ensure interoperability. As an IIC member since early days and an IIC Steering Committee member, ABB sees a great value in joining forces between the Industrial Internet Consortium and the Open Fog consortium.” Dr. Christopher Ganz, ABB Group VP Service R&D, IIC Steering Committee Member

Podcast 182 Companies on the Move Winners and Losers

Another Podcast. Sponsored by Ignition from Inductive Automation and the 23rd Industry Forum from ARC Advisory Group. (See banners.) Stuff happening. Siemens (cyber security, growing digitally). Emerson (growing and acquisitions). GE (divesting Digital). ABB (divesting power grid). Rockwell (new product with PTC). Keep an eye on IT companies with powerful compute packages for OT–Dell Technologies and Hewlett Packard Enterprise.

Industrial Internet Consortium And OpenFoG Consortium Join Forces

Consolidation is not only a corporate phenomenon these days. It has hit the non-profit technology development sector, too. One situation, not sure if this one is the case but it’s a common thing, is that companies join many of these consortia. Resource commitment begins to creep upwards. Then they notice similarities between two organizations. They press for merger to reduce these commitments.

I’m not sure this is the case, but here are two organizations with much overlap pursuing similar goals. Makes a lot of sense to come together.

The Industrial Internet Consortium (IIC) and the OpenFog Consortium (OpenFog) announced that they have agreed in principle to combine the two consortia in Industrial IoT, fog, and edge computing. The move will bring OpenFog members into the IIC organization at a time when their complementary areas of technology are emerging in the mainstream.

The combined memberships will continue to drive the momentum of the Industrial Internet including the development and promotion of industry guidance and best practices for fog and edge computing. The organizations expect the details to be finalized in early 2019.

“This is great news for the industry. Both organizations have been advancing the IIoT, fog, and edge computing, and their members represent the best and the brightest in their fields. It makes sense to merge their expertise and work streams to continue providing the IIoT, fog and edge guidance that the industry needs,” said Christian Renaud, Research Vice President, Internet of Things, 451 Research.

“The Industrial Internet Consortium, now incorporating OpenFog, will be the single largest organization focused on IIoT, AI, fog, and edge computing in the world. Between both of our organizations we have a remarkable global presence with members in more than 30 countries,” said IIC President Bill Hoffman. “This agreement will help accelerate the adoption of the IIoT, fog and edge computing.”

The Industrial Internet Consortium is the world’s leading membership program accelerating the Industrial Internet of Things. The OpenFog Consortium was founded to advance fog computing and address bandwidth, latency, and communications challenges associated with IoT, 5G, and AI applications.

“We’re excited by the growth and advancement of fog technologies – from a technology, standards and general awareness standpoint – since our launch nearly three years ago,” said Matt Vasey, OpenFog chairman and president, and director, AI and IoT business development, Microsoft. “During that time, it has increasingly become apparent that we share so much synergy with the efforts of the IIC that it just made sense to bring the two consortia together. The resulting combination of memberships, resources and shared knowledge will only further the growth of the technologies, including fog, that will support IIoT ecosystems.”

The Industrial Internet Consortium is a program of the Object Management Group (OMG).

OpenFog was founded in November 2015 and today represents the leading researchers and innovators in fog computing.

Gaining Trust In Your Data Systems

Digitalization breeds the need for data and connected devices. Trusted connections and data are required for success. Siemens invited a diverse group of press, analysts, podcasters, and bloggers to Munich this week (November 26-28) to discuss cybersecurity and the Charter of Trust.

I will use the words of Siemens below to discuss the rationale for the Charter of Trust. However, the idea is that if users cannot trust their data and connections, they will never go further into digitalization and therefore not realize the anticipated benefits.

Some of the analysts and others in the conference had trouble understanding how something seemingly vague and not specifically standards-based would work. I think they missed the point. First, standards are good, but they take a long time to develop. What was needed was not another new standard. What is needed is for many companies to agree to a set of principles and then commonly work toward them for the mutual benefit of the industry, users, and society.

Eva Schulz-Kamm, Global Head of Government Affairs at Siemens AG, and Rainer Zahner, Global Head of Cybersecurity Governance at Siemens, told us the digital world is changing everything. Billions of devices are connected by the Internet of things. That holds great potential for everyone, but also great risk. The risk of exposure to cyber-attacks. The risk of losing control over the systems that run our infrastructures. Cybersecurity is therefore crucial to the success of our digital economy – because only if the security of data and networked systems is guaranteed will people actively support the digital transformation. They then explained why Siemens has initiated the Charter of Trust.

Siemens’ 171 years of experience have also shown that the best way to make a lasting difference isn’t as one company, but as an industry – not only as one nation, but as part of a global community. In modern history, competitor businesses have forged standards together that have carried the world from one industrial revolution to the next – including the unfolding digital transformation of industry. Countries without clear-cut geopolitical alliances have come together to forge cross-border agreements that grow trade and advance peace.

It’s in this spirit that Siemens launched the Charter of Trust earlier this year at the Munich Security Conference, a longstanding forum for business and government leaders to discuss geopolitical issues. Since then, several more global companies saw the value of the Charter of Trust, and signed on. These companies committed to create the first-of-its-kind global alliance focused on answering a very important question: How do we secure critical infrastructure – from our factories to our power grids – in the digital age?

We also are carrying an important message together: that when we talk about security today, it isn’t just about diplomacy and resolving military conflicts – it is increasingly about cyber attacks that seek to undermine our democratic and economic values.

The Charter of Trust then begins with these three goals:

  • protecting the data and assets of individuals and businesses;
  • preventing damage to people, businesses, and infrastructures;
  • building a reliable basis for trust in a connected and digital world.

“We know at the outset that a one-size fits all approach won’t work. We have instead agreed to 10 principles – from ensuring the highest levels of responsibility for cybersecurity within every company, to securing supply chains, products, and working with governments. Together, we will develop and continuously improve coordinated strategies and shared standards to protect critical infrastructures, public facilities and private companies.”

Charter of Trust members: The AES Corporation, Airbus, Allianz, Atos, Cisco, Dell Technologies, Enel, IBM, Munich Security Conference, NXP Semiconductors, SGS, Deutsche Telekom, Total and TÜV SÜD.