You're reading from Practical Industrial Internet of Things Security

Product type: Book
Published in: Jul 2018
Publisher: Packt
ISBN-13: 9781788832687
Edition: 1st Edition

Author: Sravani Bhattacharjee
Sravani Bhattacharjee was a technology leader at Cisco until 2014, where she led the architectural planning and security evaluations of several enterprise cloud/datacenter solutions. She is currently the Principal of Irecamedia, where she collaborates with Industrial IoT innovators (incl. IBM, AT&T, Microsoft, and Intel) to strategize and create compelling whitepapers and a wide variety of editorial and technical marketing content that drives awareness and business decisions. She is a member of the IEEE IoT chapter, a writer, and a speaker. She is the Managing Editor of "The IoT Review", a podcast and blogging platform on Industrial and Enterprise IoT (iot.irecamedia.com).

Chapter 4. Endpoint Security and Trustworthiness

"Without security, there is no safety." - Steve Hanna, Senior Principal, Infineon Technologies

The trustworthiness of an IIoT implementation is rooted in endpoint protection. In Chapter 1, An Unprecedented Opportunity at Stake, the tremendous business and social opportunities tied to the industrial internet were discussed at length. Inadequate trustworthiness at any point in the value chain poses a major threat to those optimistic claims. This further highlights the importance of securing IIoT endpoints.

An endpoint can be any node in the IIoT architecture that generates or receives data and/or control signals. An endpoint may also route data packets, or can be a storage device. As such, we need measurable and verifiable techniques to protect data at rest, data in use, and data in motion. Even in scenarios where the chances of a compromise are low, the importance of endpoint security cannot be underestimated...

Defining an IIoT endpoint


IIoT endpoints are often equated to the next generation of machines and IoT devices capable of network connectivity. These devices, however, are a subset of the endpoint universe in the context of security and trustworthiness. An IIoT endpoint can be any device or system in an IIoT implementation that generates, processes, routes, or stores data.

The IIC Vocabulary defines an endpoint as a "component that has computational capabilities and network connectivity." Thus, IIoT endpoints are not limited only to connected field devices, such as sensors, actuators, and plant equipment (turbines and so on), but include other nodes of an ICS/SCADA system (such as PLCs, RTUs, and DCS) and intermediator systems (such as industrial routers, firewalls, gateways, and edge devices), spanning all the way to cloud-based appliances and servers. Physical endpoints may have independent hardware and dedicated silicon fabric, or may run as virtual instances in virtualized environments...

Endpoint security enabling technologies


Endpoint security needs to span across hardware, firmware, and software, including network and application interfaces. To implement a trusted and resilient ecosystem of IIoT endpoints and subsystems, a variety of technologies come into play, as shown in the following diagram, which stacks the security technologies into hardware, intermediate, enhanced, and intelligent security layers. The main purpose of this classification is to give the reader an idea of the relative role and importance of each of these technologies that are available to protect endpoints:

Figure 4.3: Endpoint protection technologies

Subsequent sections of this chapter will further elaborate on some of these techniques.

Note

This technology stack is not designed to correlate with the levels of assurance presented in IEC 62443-3-3 and NIST SP 800-53r4. The best practices for implementing assurance-level-based security for IIoT endpoints have been treated in IIC's Endpoint Security Best Practices...

IIoT endpoint vulnerabilities


Endpoint risk assessment and the implementation of security countermeasures require a thorough evaluation of the attack surfaces and attack vectors applicable to IIoT-specific use cases. Interested readers are encouraged to refer to the Industrial Internet Security Framework specification, which presents an elaborate analysis on "Security Threats and Vulnerabilities on Endpoints" (IIC-IISF). In this section, a few common threats and vulnerabilities associated with the various endpoint components are cited as examples:

Establishing trust in hardware


A trust anchor can be implemented in either software or hardware; the choice calls for a trade-off between the complexity and level of assurance. Compared to software-based trust, tamper-resistant hardware provides better trust performance, as it provides a RoT with the secured storage of secrets. Hardware-based trust consumes less power (IIC-IISF), which is an important consideration for resource-constrained environments. These benefits, however, come at the cost of complexities in managing firmware and crypto library updates. Hardware-based security is more rigid, and often involves static implementation. In some instances, due to a lack of update capability, hardware vulnerabilities may last throughout the life of the device. In recent years, innovations in trusted computing have significantly addressed some of these limitations.

Software-based trust is used in many IT systems. It provides a lower level of assurance, and as such, it should be carefully considered...

Endpoint identity and access control


Endpoint or device identity is a foundational building block in any trust model. Identity is a prerequisite for performing authentication, authorization, secured asset management, remote monitoring, management, and maintenance. Identification and Authentication Control is one of the seven foundational requirements in IEC 62443, and associates four assurance levels to it. These assurance levels correlate to the risk profiles of endpoints in a given IIoT use case:

"If no threat exists against the endpoint, clear text credential, such as identification numbers may be used. In some rare instances, it may not be required for all endpoints to support identity, but the risks should be well understood and documented. ISO/IEC 24760-1 defines three levels of trust for identities: identity, unique identity and secure identity. Industrie 4.0 provides information on what a secure identity technology consists of, and in the case of digital identity a secure identity...

Initialization and boot process integrity


The consequences of an infection in firmware or the boot process can be drastic, and oftentimes hardware replacement is the only option for failure recovery.

Measuring the device boot process enables the validation of its integrity and asserts that a device has powered up in a known good state. Given that devices may not be rebooted for long periods of time in OT environments, both static and dynamic integrity assurance of the runtime need to be implemented. The boot process initializes the main hardware components and starts the operating system.

Trust must be established in the boot environment before trust in any other software or executable program can be claimed. So, the booted environment must be verified and determined to be in an uncompromised state.
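The measurement step described above can be illustrated with a small simulation. The following is an added example, not code from the book or from any TPM vendor: each boot stage hashes the image of the next stage before running it and folds that digest into a running measurement register in the way a TPM PCR is extended (new register = SHA-256(old register || digest)). The verifier compares the final register against a known-good ("golden") value and can replay the event log to check that the log itself has not been edited. The stage names, image bytes and golden value are all constructed for the example.

```python
"""Simulated measured boot chain (added illustration, not from the book).

Each stage measures the next image before handing control to it and extends
a running register, PCR-style:  register_new = SHA-256(register_old || digest).
The verifier compares the final register with a golden value computed from
the known-good images. All image bytes below are constructed stand-ins.
"""
import hashlib
import hmac

# Constructed stand-ins for the images a real chain loads, in execution order.
GOOD_STAGES = [
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel", b"constructed kernel image v1"),
    ("application", b"constructed control application v1"),
]

REGISTER_SIZE = 32  # SHA-256 digest length; a PCR reads as all zeros after reset


def extend(register: bytes, digest: bytes) -> bytes:
    """PCR-style extend: the new value depends on both the old value and the
    new digest, so the final register encodes the whole ordered sequence."""
    return hashlib.sha256(register + digest).digest()


def measure_boot(stages):
    """Device side: measure every image before it runs. Returns the final
    register and an event log of (stage name, digest hex) entries."""
    register = bytes(REGISTER_SIZE)
    event_log = []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        event_log.append((name, digest.hex()))
        register = extend(register, digest)
    return register, event_log


def replay_event_log(event_log) -> bytes:
    """Verifier side: recompute the register from the event log alone. A log
    that does not reproduce the quoted register has been edited."""
    register = bytes(REGISTER_SIZE)
    for _name, digest_hex in event_log:
        register = extend(register, bytes.fromhex(digest_hex))
    return register


# Golden value: computed once from the known-good images and held by the
# verifier (for example an attestation server), not by the device alone.
GOLDEN_REGISTER, _ = measure_boot(GOOD_STAGES)


def boot_is_trusted(register: bytes, golden: bytes = GOLDEN_REGISTER) -> bool:
    """Constant-time comparison of the quoted register with the golden value."""
    return hmac.compare_digest(register, golden)


def diagnose(event_log, good_stages=GOOD_STAGES):
    """Name the first stage whose digest differs from the known-good one, or
    None when every stage matches (useful for incident triage)."""
    expected = {name: hashlib.sha256(img).hexdigest() for name, img in good_stages}
    for name, digest_hex in event_log:
        if expected.get(name) != digest_hex:
            return name
    return None


if __name__ == "__main__":
    reg, log = measure_boot(GOOD_STAGES)
    print("clean boot trusted:", boot_is_trusted(reg))
    tampered = [GOOD_STAGES[0],
                ("kernel", b"constructed kernel image v1 + implant"),
                GOOD_STAGES[2]]
    reg, log = measure_boot(tampered)
    print("tampered boot trusted:", boot_is_trusted(reg),
          "| first bad stage:", diagnose(log))
```

Because each extend folds in the previous value, the final register also changes if the same images run in a different order, which is why a single golden value covers both the content and the sequence of the boot chain.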

The primary firmware used to initialize the system is called the Basic Input/Output System (BIOS). (Author's note: Although the term BIOS is prevalent in the "computer world", to specify firmware...

Establishing endpoint trust during operations


Integrating robust trust mechanisms during the operations phase is crucial for industrial endpoints, which are expected to run uninterrupted for extended periods. Firmware is the most fundamental piece of code that runs on any device and interfaces directly with the hardware. It is important to ensure that the firmware and software are updated on a regular basis, to incorporate security bug fixes. 

Since the consequences of loading an infected firmware are typically irreversible, it is important to secure the update process for both software and firmware. In this section, we shall delve into secure update processes, and the mechanisms to establish endpoint trust during the operations phase.

Secure updates

Software and firmware are never fully devoid of vulnerabilities and defects; thus, regular upgrades to incorporate bug fixes and security updates are required.

Attackers can exploit vulnerabilities in the update or in the update process, or can...
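The checks a device should perform before accepting an update can be shown in a few dozen lines. The following is an added example, not the book's code or any vendor's update client: the vendor builds an update whose manifest binds the version number to the SHA-256 of the image and signs the manifest; the device verifies the signature first, then refuses rollback to an older version, then hashes the delivered image and compares it with the signed manifest. HMAC-SHA256 stands in for the manifest signature so the example runs with the standard library alone; a real deployment signs with an asymmetric key so that the device holds only a public key and cannot itself produce valid updates. Keys, versions and image bytes are constructed.

```python
"""Device-side update verification (added illustration, not from the book).

Order of checks: (1) manifest signature, (2) anti-rollback, (3) image hash.
Assumption: HMAC-SHA256 stands in for an asymmetric signature so this runs
offline; in production the device would hold only the vendor's public key.
All keys and images are constructed.
"""
import hashlib
import hmac
import json

VENDOR_KEY = b"constructed-vendor-signing-key"  # constructed


def canonical(manifest: dict) -> bytes:
    """Canonical encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(key: bytes, manifest: dict) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def build_update(key: bytes, version: int, image: bytes) -> dict:
    """Vendor side: the manifest binds version and image hash; signing the
    manifest (not the whole image) keeps the signed object small."""
    manifest = {"version": version,
                "image_sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest,
            "signature": sign_manifest(key, manifest),
            "image": image}


class Device:
    def __init__(self, verify_key: bytes, installed_version: int):
        self.verify_key = verify_key
        self.installed_version = installed_version
        self.image = None

    def apply_update(self, update: dict) -> str:
        manifest = update["manifest"]
        # 1. Authenticity first: no manifest field is trusted until the
        #    signature checks out (constant-time comparison).
        expected = sign_manifest(self.verify_key, manifest)
        if not hmac.compare_digest(expected, update["signature"]):
            return "rejected: bad signature"
        # 2. Anti-rollback: a genuine but older image may carry known bugs.
        if manifest["version"] <= self.installed_version:
            return "rejected: rollback to version %d" % manifest["version"]
        # 3. Integrity: hash the payload actually delivered and compare it
        #    with the value bound into the signed manifest.
        if hashlib.sha256(update["image"]).hexdigest() != manifest["image_sha256"]:
            return "rejected: image hash mismatch"
        self.image = update["image"]
        self.installed_version = manifest["version"]
        return "installed version %d" % manifest["version"]


if __name__ == "__main__":
    dev = Device(VENDOR_KEY, installed_version=3)
    print(dev.apply_update(build_update(VENDOR_KEY, 4, b"constructed firmware image v4")))
    print(dev.apply_update(build_update(VENDOR_KEY, 2, b"constructed firmware image v2")))
```

The check order matters: the version and hash fields come from the manifest, so they carry no weight until the signature over that manifest has been verified.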

Endpoint data integrity


The integrity of data is the very basis of data-driven business operations. Any compromise in the integrity of context-sensitive data can potentially compromise the entire IIoT value chain. Common examples of endpoint data include raw data, configuration and log files, secrets, software libraries, and binary executables. These can be classified into:

  • Data at rest (DAR), or stored data
  • Data in use (DIU); that is, files and data resources used at runtime
  • Data in motion (DIM); that is, data leaving the device

Integrity verifications enable the detection of any intended and malicious or unintended alterations in the data. The CRC checksum has traditionally been used to verify data integrity; however, the modern threat environment demands more advanced integrity controls, because an attacker can modify the checksum to match their changes to the data.
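The difference between a checksum and a keyed integrity control is easiest to see side by side. The following is an added example, not code from the book: a constructed configuration record (data at rest) is stored once with a CRC-32 tag and once with an HMAC-SHA256 tag, and the same storage-level modification is applied to both. Because the CRC is unkeyed, whoever can rewrite the data can regenerate a matching tag and the check still passes; the MAC cannot be regenerated without the device's integrity key, so the change is detected. The record layout, key and configuration contents are assumptions made for the example.

```python
"""Checksum versus keyed MAC for data-at-rest integrity (added illustration,
not from the book). Record layout assumed here: payload followed by its tag.
The configuration record and the integrity key are constructed."""
import hashlib
import hmac
import struct
import zlib

# Constructed sample: a stored configuration file the device checks at startup.
CONFIG = b"device=pump-07;setpoint=70;alarm_high=90\n"
# Constructed per-device key; in practice it lives in a TPM or secure element.
INTEGRITY_KEY = b"constructed-per-device-integrity-key"

CRC_LEN = 4   # CRC-32 tag length
MAC_LEN = 32  # HMAC-SHA256 tag length


def crc_tag(data: bytes) -> bytes:
    """Unkeyed: anyone holding the data can compute this."""
    return struct.pack(">I", zlib.crc32(data) & 0xFFFFFFFF)


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed: computing this requires the device's integrity key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def seal(data: bytes, tag: bytes) -> bytes:
    return data + tag


def check_crc_record(record: bytes) -> bool:
    data, tag = record[:-CRC_LEN], record[-CRC_LEN:]
    return crc_tag(data) == tag


def check_mac_record(key: bytes, record: bytes) -> bool:
    data, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    # constant-time comparison avoids leaking how many tag bytes matched
    return hmac.compare_digest(mac_tag(key, data), tag)


def tamper_crc_record(record: bytes) -> bytes:
    """Threat model from the text: write access to storage, no key. The CRC
    is simply recomputed over the altered data, so the check still passes."""
    data = record[:-CRC_LEN].replace(b"setpoint=70", b"setpoint=95")
    return seal(data, crc_tag(data))


def tamper_mac_record(record: bytes) -> bytes:
    """Same modification against the MAC-protected record: without the key
    the old tag is the best available, and it no longer matches the data."""
    data = record[:-MAC_LEN].replace(b"setpoint=70", b"setpoint=95")
    return seal(data, record[-MAC_LEN:])


if __name__ == "__main__":
    crc_rec = seal(CONFIG, crc_tag(CONFIG))
    print("CRC check after tampering:", check_crc_record(tamper_crc_record(crc_rec)))
    mac_rec = seal(CONFIG, mac_tag(INTEGRITY_KEY, CONFIG))
    print("MAC check after tampering:", check_mac_record(INTEGRITY_KEY, tamper_mac_record(mac_rec)))
```

A CRC still has its place for detecting accidental corruption (bit flips in flash, truncated writes); the point here is only that it offers nothing against a deliberate modification, which is the case the keyed tag addresses.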

DAR integrity can be achieved by securely storing the secrets in hardware/TPM, or by using specialized software-enabled stores...

Endpoint security using isolation techniques


A practical acknowledgement of the information world is that vulnerabilities can be minimized, but their 100% eradication is only as real as catching the horizon. When the probability of an exploit cannot be totally eliminated, a practical prevention technique is to contain the impact of the exploit. Isolation techniques implemented in the hardware, software, and virtualized environments allow for minimizing the impact from an attack by a separation of territories.

To provide the reader with deeper insights into various isolation techniques, some of the common options are discussed in the following sections.

Process isolation

In process isolation, at runtime, the operating system isolates business and operational functional components from security components. Using a privilege-based hierarchy of protection domains, functions and data in more privileged layers are protected from an unintended or malicious failure in a less privileged layer (IIC-IISF...

Endpoint physical security


IIoT endpoints deployed as field devices can be exposed to extreme weather conditions, and are vulnerable to theft, hardware tampering, vandalism, and so on. Physical security mechanisms are discussed in greater detail in Chapter 5, Securing Connectivity and Communications. The interested reader may also refer to existing guidelines on endpoint physical security. Physical and Environmental Protection of NIST SP 800-53 (NIST-PE) provides information on methods for physical protection, access control, and monitoring. The Industrial Internet Security Framework (IIC-IISF) can also be referred to, to obtain detailed guidance on this topic.


Machine learning enabled endpoint security


Cybersecurity countermeasures have traditionally been reactive; in other words, the vaccine comes only after the virus has infected the system. The countermeasure typically follows the evaluation and remedy of a security incident. Cryptographic measurements and controls (to create trusted IIoT ecosystems) and anomaly detection functions address this reactive behavior. Host intrusion detection (HID) and host intrusion protection (HIP) are examples of dynamic integrity attestation controls to proactively secure an endpoint.

In IT environments, network and application blacklisting policies are commonly used. Whitelisting is more common in OT environments. But, when new exploits of zero-day vulnerabilities are detected, these policies are updated after the fact. AI/machine learning allows us to dynamically update blacklisting and whitelisting policies, based on anomalous behavior.

Machine learning extensively uses mathematical models based on historic...

Endpoint security testing and certification


For IIoT end users, equipment owners, and operators, it is crucial to ensure that the endpoint is adequately tested for security conformance. For device manufacturers and OEMs, it is crucial to ensure that their equipment is trustworthy, in terms of both hardware and software. Often, time-to-market pressures and accelerated development cycles compete with adequate security testing. However, security verifications should be integral to the product development life cycle. While some vulnerabilities may still escape, proper security testing can significantly reduce their number. The sooner a vulnerability is detected in the product life cycle, the lower the cost of its repair, which also improves operational savings and brand reputation.

Some of the security test approaches for embedded systems include:

Endpoint protection industry standards


The various industry standards and references relevant to industrial endpoint security are provided in Table 4.3:

Table 4.3: Standards and references related to industrial endpoint security


Summary


This chapter covers the essential dimensions of IIoT endpoint security. It establishes a working definition of IIoT endpoints and discusses various use-case-specific considerations for securing them. A real-world case study is cited to illustrate the vulnerabilities of typical industrial device endpoints. In this chapter the reader also finds an elaborate treatment of the endpoint security enabling technologies, which span silicon, software, and processes. The increasing use of machine learning and the importance of testing and certification using industry standards have also been discussed in this chapter.

Chapter 5, Securing Connectivity and Communications, focuses on the next level of the 4-tier IIoT security model.


Examples of threats and vulnerabilities by endpoint component (the table referenced in the IIoT endpoint vulnerabilities section):

Endpoint component: Hardware

Threats and vulnerabilities:
  • Unauthorized seizure of system resources, such as memory, processing cycles, and privileged access modes (privilege escalation exploit)
  • Improper endpoint initialization by corrupting UEFI/BIOS and corrupting the boot process

Endpoint component: Firmware

Threats and vulnerabilities:
  • Steal code signing key or inject corrupted firmware through tampering
  • Exploit vulnerabilities in code signing and firmware update process
  • Rewrite firmware through...