Allow us to draw your attention to a new document, published by the European Networks and Information Security Agency (ENISA), called “Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures.” It’s worth noting not only because our experts contributed to it, but also because it addresses one of the key issues repeatedly raised during the annual cybersecurity conference: the lack of universal cybersecurity standards for industrial automation, including information security standards for industrial Internet-of-Things (IIoT) devices. ENISA put forth recommendations, not requirements, but they represent a real step forward in the unification of security policies and practices.
The document’s intended audience includes not only vendors and users of IoT devices designed to be used at critical infrastructure facilities, but also various European Union agencies that develop information security policies. That means sooner or later, the recommendations will be standardized, with or without modifications. Our specialists contributed most to the sections dealing with development of unified security policies as part of the IoTSEC (ENISA IoT Security Experts Group) working group.
This document represents one of the most comprehensive attempts to date to summarize the knowledge on industrial automation security. It includes the threat model for the IIoT and measures for mitigating the associated risks. If you are looking for practical advice, you might be especially interested in “Annex A: Detailed Security measures / Good practices,” which describes the real procedures. To read the full text, visit ENISA’s site.
To learn more about Kaspersky Lab efforts aimed at protecting critical infrastructure, please visit the Kaspersky Industrial Cybersecurity page.