Developing Regulatory Security Frameworks for IIoT: Experts’ Perspectives on Responsibilities and Challenges

Developing a regulatory security framework is essential for protecting connected systems in the ever-evolving landscape of the Industrial Internet of Things (IIoT). During the recent IIoT World ICS Cybersecurity Day, experts discussed the shared responsibility among stakeholders—vendors, manufacturers, end-users, and regulatory bodies—in building and enforcing these frameworks. Sander Rotmensen, the head of Internal Startup—cybersecurity for OT at Siemens, and Ellen Boehm, SVP of Global IoT Strategy & Operations at Keyfactor, answer the audience’s questions about regulatory challenges, compliance standards, and strategies for effective IIoT security.

The Shared Responsibility for Enforcing IIoT Security Regulations

Question: In an underregulated and rapidly changing environment, in your opinion, who bears the foremost responsibility for developing or enforcing the regulatory security framework in the IIoT landscape? Vendors, manufacturers, government regulatory bodies, operators, end users, etc.?

Answer:

“It’s a combination. Vendors must ensure that products are secure at release and throughout the product lifecycle. Manufacturers, end-users, operators, and integrators must operate products securely—updating firmware, changing passwords, etc. Government regulatory bodies could help by establishing regulations that create baseline security standards for all parties.”

Applicability of ISA/IEC 62443 Standards to Software Companies

Question: When I looked at the list of ISA/IEC 62443 certified companies, they are all hardware-based (controllers, switches, edge devices). There are no software companies listed. Does this standard apply to software-only companies?

Answer:

“The ISA/IEC 62443 standard covers both software and hardware; therefore, software products are also affected by these regulations.”

Adapting OT Equipment to Cyber Resilience Regulations

Question: Will there be issues for OT equipment manufacturers like Siemens adapting to the Cyber Resilience Act (CRA) without compromising operational efficiency, equipment stability, and reliability?

Answer:

This was addressed during the session – https://www.youtube.com/watch?v=36P8YRihBtk. Manufacturers like Siemens continue to work on balancing compliance with maintaining operational efficiency and reliability.

The Importance of Cybersecurity for Motor Engineers

Question: Could you explain more about why motor engineers must dive into cybersecurity?

Answer:

“As more assets become connected, the potential cybersecurity risks increase if they are not managed and updated appropriately. All connected devices have software that must be updated securely and remotely at scale. It is crucial to protect that code and control who has access to the devices.”
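The answer above rests on two controls: firmware must be updatable remotely at scale, and the code itself must be protected so that only the vendor can ship it. The following example is added here to make that concrete; it is not code from the session, from Siemens, or from Keyfactor. It models a minimal signed-firmware gate in Go using only the standard library: the vendor signs a manifest (version plus SHA-256 of the image) with an Ed25519 key kept offline, and the device, which is assumed to have been provisioned with the matching public key at manufacture, refuses images whose manifest is not authentic, whose bytes do not match the manifest, or whose version is not newer than what is installed (anti-rollback). The key pair, image bytes, and version numbers are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata a vendor publishes alongside a firmware image.
// The vendor signs Version||ImageHash with an offline Ed25519 key; the device
// only ever holds the matching public key (assumed provisioned at manufacture).
type Manifest struct {
	Version   uint32   // monotonically increasing release counter
	ImageHash [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 signature over signedBytes(Version, ImageHash)
}

var (
	ErrBadSignature  = errors.New("manifest signature invalid: not from the vendor key")
	ErrImageMismatch = errors.New("image hash does not match signed manifest")
	ErrRollback      = errors.New("refusing downgrade to an older or equal firmware version")
)

// signedBytes is the exact byte string covered by the signature:
// 4-byte big-endian version followed by the 32-byte image hash.
func signedBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4, 4+len(hash))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, hash[:]...)
}

// SignManifest is the vendor-side step: hash the image and sign the manifest.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, signedBytes(version, h)),
	}
}

// VerifyUpdate is the device-side gate run before any image is written to flash.
// Checks run in trust order: authenticate the manifest first, then bind the
// downloaded bytes to it, then enforce anti-rollback against the installed version.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageMismatch
	}
	if m.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed demo: a throwaway vendor key pair and a fake firmware blob.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v7")
	m := SignManifest(priv, 7, image)

	fmt.Println("genuine update:", VerifyUpdate(pub, 6, m, image))
	fmt.Println("tampered image:", VerifyUpdate(pub, 6, m, append(image, 'x')))
	fmt.Println("replayed old build:", VerifyUpdate(pub, 7, m, image))
}
```

The ordering inside `VerifyUpdate` is the point worth keeping when this is ported to a real bootloader or update agent: the signature check runs before anything else is trusted, so a tampered version field or hash is rejected as unauthenticated rather than reasoned about; the version comparison then closes the replay case where an attacker re-presents a genuinely signed but older, vulnerable release. Access control over who can produce valid manifests reduces to protecting the private signing key, which is why it should live in an HSM or offline signer rather than on the build host.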

The Rise of Platform as a Service (PaaS) in IIoT

Question: Will Platform as a Service (I’m thinking of data platforms here) rise?

Answer:

“Yes, an example of PaaS would be Siemens Insight Hub. Product companies often leverage PaaS solutions to integrate into their offerings without reinventing the wheel. Outsourcing some ‘aaS’ infrastructure is common, allowing companies to focus on their domain expertise.”

Ensuring Compliance in OT Environments: Defense in Depth and Best Practices

Question: How can companies effectively secure their OT environments, especially when following regulations and compliances? My role as an OT security expert is challenging as I adapt to various standards like ISA62443, IEC62443, and NIST800. Clients always expect a fully secured facility with zero threats after significant investment.

Answer:

“There are many ways to secure OT environments, and some of the standards you’ve already mentioned are great resources. At Siemens, we use and recommend the ‘Defense in Depth’ principles. For further details, visit Siemens’ industrial cybersecurity page. Staying up-to-date with the latest standards and prioritizing based on risk assessments is critical. For instance, Keyfactor provides guidance on IEC62443 compliance, which can be found here.”

Steps to Achieving Successful ICS Security Compliance

Question: Could you please provide a brief overview of the current challenges and steps for successful ICS security compliance?

Answer:

“This overview focuses on NIS2 in Europe, but the step-by-step process outlined on page 19 of this Siemens webinar handout is insightful. Self-assessment and continuous monitoring are crucial for starting the compliance journey, as detailed in this Keyfactor blog post.”

Conclusion

The IIoT landscape is rapidly evolving, requiring collaboration across vendors, operators, and regulators to ensure secure environments. With experts highlighting shared responsibility, the importance of compliance, and evolving standards, it’s clear that a unified approach is essential for safeguarding connected systems. As regulations like NIS2 and the Cyber Resilience Act gain traction, companies must adapt without compromising operational efficiency.
