As already noted in this book, the concept of securing cyber-physical systems is a superset of what we normally understand by cybersecurity and information security.
To properly represent the scope of IIoT security, the term trustworthiness is used (NIST-CPS) (IIC-IISF). A working definition of trustworthiness for CPS, according to NIST-CPS, is:
Trustworthiness of an IIoT system is an important stakeholder expectation. To make an IIoT system trustworthy, security characteristics of both IT and OT domains must be combined (IIC-IISF). As shown in Figure 2.6, the key characteristics of a trustworthy IIoT system combine the elements of IT trustworthiness (privacy, security, reliability, and resilience) and OT trustworthiness (safety, reliability, security, and resilience). All references to IIoT security in this book are founded on this concept of IIoT trustworthiness:
In an organization, risks are perceived quite differently by the enterprise IT and OT teams. A balanced consideration between OT and IT is needed to ensure the trustworthiness of IIoT systems. The control and data flows, in the case of IIoT, may span across multiple intermediaries. Trust should also permeate across the system life cycle, involving various actors and functional entities, starting from hardware and software component builders, system and platform builders, and the supply chain, all the way to the operational users. Chapter 7, Secure Processes and Governance, further elaborates on this critical concept.
In the subsequent sections of this chapter, we shall analyze the industrial big data flows, discuss the various IIoT architectural patterns, and subsequently develop a simplified 4-tier security model as a practical foundation for IIoT trustworthiness.