ISHG reports cyber-secure communications depend on deployment—not just protocols

Industrial Security Harmonization Group publishes joint industry perspective to align Ethernet and non-Ethernet communications

The Industrial Security Harmonization Group (ISHG) released April 14 its joint industry perspective, “Secure deployment of industrial communication protocols: a risk-based approach,” which reports that cyber-secure communications aren’t determined by protocols alone, but by how they’re deployed and managed in real-world environments.

ISHG consists of four standards development organizations (SDOs): FieldComm Group, ODVA, OPC Foundation and Profibus/Profinet International (PNO). Their shared mission is to reduce complexity for users and promote consistent, effective cybersecurity practices in industrial automation systems.

ISHG’s members collaborate regularly to align security concepts across Ethernet and non-Ethernet communication protocol technologies. They report that industrial communication protocols are the backbone of modern automation, enabling seamless connectivity between devices, systems and applications in process and factory environments. However, many widely used protocols were originally developed without cybersecurity as a primary design consideration.

ISHG reports that joint work by its members challenges the simplistic binary classification of protocols as “secure” or “insecure.” Instead, it recommends a more practical and realistic approach with several essential characteristics, including:

  • Security is context-dependent, and relies on how protocols are configured, where they’re deployed, and their operational environments.
  • Built-in security features aren’t sufficient alone, so even advanced protocols require correct implementation and maintenance.
  • Compensating controls are essential, which means that network architectures, segmentation (zones and conduits), monitoring and physical safeguards play a critical role, especially for legacy and non-Ethernet systems.

ISHG adds that this deployment-focused perspective aligns closely with emerging regulatory expectations, including those outlined in the European Union’s (EU) Cyber Resilience Act (CRA) for hardware and software products, and in NIS2 for the operations of entities and organizations.

In fact, the SDOs also reported on their cybersecurity approaches, models and expertise in several recent whitepapers, including:

  • “FAQ on industrial Ethernet security concepts” by Joakim Wiberg of ODVA, which breaks down the essential concepts behind secure industrial Ethernet, and covers device certificates, PKI, trust lists, and harmonized certificate management workflows. It shows how ISHG can help users simplify and strengthen security across automation systems.
  • “A harmonized, initial device identifier (IDevID) profile for industrial automation devices” by Randy Armstrong of the OPC Foundation, which introduces a harmonized IDevID profile for IA devices based on IEEE 802.1AR for defining globally unique device identities and aligned cryptographic algorithms. Its goal is seamless interoperability across manufacturers, SDOs and solution providers, enabling secure, scalable and consistent authentication in modern automation environments.
  • “Human user authentication in OT environments” by Frank Fengler of ABB and FieldComm Group, which explores how industrial automation is adopting secure and practical human-user authentication, highlights key challenges of bringing authentication and authorization into OT environments, outlines enabling technologies, and presents real-world use cases.

About the Author

Jim Montague

Executive Editor

Jim Montague is executive editor of Control. 
