Approach and Principles
In this Standard, IoT security is looked at from a comprehensive, wide-ranging perspective. Why? IoT systems consist of a multitude of different products and technologies requiring numerous procedures of managing them securely throughout their lifecycle. However, this document aims at helping to deliver the how and not only the what. Especially IT practitioners do not want to invest too much in IT security; they prefer advice that is directly actionable. IT security experts can then care about the details and customize the construction so that it finally corresponds with the concrete risk profile etc.
This document introduces several concepts for securing IoT systems:
- A Taxonomy helping to manage complexity as well as the division of labor between the parties involved along the supply-chain; the Taxonomy is the structure of the Orchestration Layer and used to organize all security measures;  the Taxonomy comprise technology and management activities,
- Zones helping to define greater areas of responsibilities that may also overlap between parties,
- Classes helping to stipulate different security solutions for technical components with different capabilities for implementing security; Classes also help to define different procedures of managing security and to stipulate compensating measures,
- Data Model is a means to understand how the IT components and the IoT system are used; this is the basis to understand how security requirements are inherited top-down and security services are provided bottom-up along the IT stack,
- A lifecycle-oriented IT stack helping to assign responsibilities and to understand dependencies, how security deficiencies are inherited and how security measures base on each other,
- A concept for and format of specifying security for IoT systems and their components.
This document aims to assist in coping with complexity. Why? IoT security is depending on correctly implementing a multitude of security measures. A single failure or deficiency can put the whole IT system at risk and compromise IT security completely. Dealing with specific issues too early and implementing point-solutions only will leave issues unsolved. Limiting the scope may result in solving single issues leaving others unchanged.
This document helps combining an overall approach (systems view) with the identification of single work areas (components and activity related view). By doing so, overarching aspects and interdependencies are being considered, and specific work areas are identified for which in turn individual, well-directed activities are stipulated.
In this way, the division of labor is supported to combine and orchestrate activities of individual parties in a way that the IoT system can become an integrated secure whole.
Deliverables of this document:
- This document provides a Security Taxonomy helping to orchestrate IT security in complex environments in the Internet of Things (IoT).
- The Security Taxonomy defines and consists of 32 areas (many of them specific for IoT).
- Major security aspects are specified for each area. The document provides structure and format for these specifications. Details are provided by an extension of this document.
The emphasis is put onto solutions not problems . It’s our aim to make these specifications
- concise and right to the point, and
- directly actionable.
Explaining the model in the following pages occupies, however, considerable space to be explained.
Zero Outage Industry Standard is convinced that it is not enough specifying security practices and measures assuming that the IoT system is secure if all involved parties adhere to them. This seems being unrealistic in the world of IoT. Especially the “things” are often not developed with a “security by design” approach and many products will most probably not be developed in line with a comprehensive secure “software development lifecycle” process. Taken this business reality into account, it is time for measures of confinement and compensation which in turn requires having an architectural approach making dependencies visible and showing ways of segregation. Generic technology- and lifecycle-related blueprints are required; appropriate security measures are then assigned to their architectural elements. This has the advantage that security gets integrated into the real-life business while speaking the language of the involved participants (engineers, developers, businessmen) and not the language of IT security experts providing their advice from the external. Engineers, developers and businessmen may have a different way of thinking and of handling things than IT security professionals. The latter will not be successful without getting the others to care for security following the core practices of their business.
The association Zero Outage Industry Standard (ZOIS) has published the ESARIS Security Taxonomy. This Taxonomy was developed for
- office IT or enterprise IT which is often simply referred to as “IT”.
Other architectures or types of “IT” emerged or became a focus of IT security, namely
- the Internet of Things (IoT) and
- operational IT / Industrial Control Systems / OT.
The latter two may merge in the future. Currently, they differ with respect to technology and lifecycle. Compared to the “traditional” office or enterprise IT, they are characterized by a different architecture. Hence, this paper presents a modified Security Taxonomy to be utilized mainly for IoT.
The main advantages of such a Taxonomy are as follows.
- The Taxonomy helps managing the complexity of IT security and provides an overview which is easy to understand and to work with.
- The overview or synopsis of all security aspects is essential to verify completeness and dependencies and to achieve an integral mutually supporting whole.
- The Taxonomy and descriptions of all its areas are also a means for communicating, negotiating and agreeing security issues between parties.
- The Taxonomy is an important means for managing the supply chain and assigning responsibilities. It helps managing the division of labor to ensure that security issues are actually dealt with.
Other advantages become clear when considering how this Taxonomy is used in practice:
- The Taxonomy shows several areas. Each of them defines and covers a specific area in which IT security needs to be observed. Thus, the Taxonomy helps navigating through the world of IT security and facilitates communication.
- For each area in the Taxonomy, major challenges are described, and security objectives are derived from them. This is based on a clear definition of the subject of each area and the description of possible dependencies to other areas.
- For each area in the Taxonomy, security standards shall exist. Each security standard (such as concepts, technical guidelines, procedural instructions, hardening specifications etc.) is assigned to one area in the Taxonomy. All standards are labeled accordingly so that their scope and general subject is already clear from this assignment.
- Security standards are additionally organized in a pyramid. Security standards lower in the hierarchy provide details about the security standards above them. The assignment to Taxonomy areas and related labeling eases the use of the standards. This is also the basis for managing a high number of documents (security standards). The split into many documents is needed in order to make the security standards specific for a defined target group. This in turn helps utilizing them.
Additional information is given in “The ESARIS Security Taxonomy (for Office or Enterprise IT)“.
The ESARIS Security Taxonomy is successfully used in IT businesses for which it has originally been designed for. But architectures like the Internet of Things (IoT) require a slightly different sketch. A modified Taxonomy is presented in this paper. It is worth noting that both security taxonomies provide an “IT view”. They shall be understandable by any IT expert even if he or she does not have detailed knowledge and experience in IT security. This is because
- IT service providers, manufacturers, vendors etc. are organized according to IT architecture (components) and IT Service Management activities.
- IT security needs to be observed during design, implementation, provisioning and maintenance of IT and/or IT services.
- The topic “cooperation between parties in the supply chain” can explicitly be added. This covers interfaces between the user organizations and the IT service provider on the one hand and the IT service provider and suppliers/ manufacturers/vendors on the other. The term interface incorporates defining activities for both parties.
- Consequently, a classification and organization schema such as the Security Taxonomy of Zero Outage Industry Standard should be based on the structure of IT and ITSM. The related principle “Secured by definition” is described in detail in a paper available on the Zero Outage website. The principle is to integrate IT security management and IT service management.
The Taxonomies comprise technology areas on the one hand and areas related to IT Service Management (ITSM) activities and central IT security services on the other hand. This is because:
- IT Service Management (ITSM) is the core and skeleton of IT service provisioning. IT security needs to be reflected there. Refer to above.
- Activities relating to design, implementation, provisioning and maintenance of IT security measures shall be applied to all different products, components and technologies.
- Activities relating to design, implementation, provisioning and maintenance of IT security measures should be standardized as much possible to reduce costs (taking advantage of economies of scale) and to raise quality through utilizing tried and tested methods to all different products, components and technologies as far as possible.
As a result, the Taxonomies comprise two groups of areas: one relating to technologies and one relating to enhanced ITSM activities supplemented by some central IT security services or activities.
 For sure, a detailed and appropriate analysis of the environment and its challenges with respect to information security is the basis and starting point for any security specification. However, practitioners are primarily expecting solutions and concrete advice. It is the aim of Zero Outage Industry Standard to deliver concrete best practices.
 ESARIS Security Taxonomy – Synopsis, Scope and Content; Zero Outage Industry Standard, Release 1 about Security, February 2017, zero-outage.com/security 
 Eberhard von Faber: Methods: “Secured by definition” and the utilization of quality management principles; published on zero-outage.com in November 2019