Industrial Internet Security Framework v 1.0 | Page 26

Security Framework

4: Distinguishing Aspects of Securing the IIoT

Part II: The Business Viewpoint
Effective business decision-making is an important component of industrial security programs.
Security risks, as well as the costs and benefits of different defensive postures, should be
communicated to business decision makers, especially as they are often unfamiliar with the
details of security risks and countermeasures.
IIoT system manufacturers, system integrators, owners and operators should establish and
maintain a security program that provides governance, planning and sponsorship for the
organization’s security activities. These activities should align with the overall business objectives
and risk strategy of the organization. Such a security program should keep policies, mechanisms
and associated security processes up-to-date in response to changes in business priorities and
resource availability, new risks and new protection goals.
Investment in IIoT systems and their operations must be protected against the risk of damage.
This damage may include interruption or stoppage of operations, destruction of systems, and
leaking sensitive business and personal data resulting in loss of intellectual property, harm to the
business reputation, and loss of customers. But heightened security may lead to additional
investment and greater times to deploy. It may affect user experience negatively. These
additional costs must be justified to stakeholders by reference to the business risks they are
taking and the costs saved by averting damages.
Industrial systems security engineering protects systems from errors, mischance and malice by
consistent, comprehensive and well-defined operational procedures and protection policies.
These policies must be informed by protection goals, risk strategy and business priorities with
protection mechanisms to realize them with high-assurance.
An evaluation framework enables organizations to evaluate security capabilities consistently,
communicate the capability levels meaningfully and prioritize security investments. (This
framework is used internally and is different from a security audit.)
Managing risk is an important goal of a security (and privacy) program. This often consists of
deriving an adversary model, then evolving a threat model and finally defining the security
controls and capabilities to manage the risk taking into account the lifetime of the system. These
models and decisions should consider the parties with different roles in the system (i.e.,
equipment vendor, system integrator or operator).

IIC:PUB:G4:V1.0:PB:20160926

- 26 -