The Industrial Internet Reference Architecture and Security Framework


The Industrial Internet Consortium (IIC) is a non-profit industry group that is investigating and proposing the standards needed for a successful deployment of the Industrial Internet of Things (IIoT). The IIoT is the application of IoT in sectors of the economy requiring industrial control, such as manufacturing, utilities, and energy systems.

The IIC added Working Groups in 2017 to address the challenges of changing technology. These working groups “coordinate and establish the priorities and enabling technologies of the Industrial Internet in order to accelerate market adoption and drive down the barriers to entry.” There are currently 19 Working Groups and teams, broken into 7 broad areas: Business strategy and solution lifecycle, liaison, marketing, security, technology and testbeds.

GrammaTech is a member of the IIC. We see value in contributing to industry standards where they fit our areas of expertise, and in encouraging industry-led standards and recommendations for IIoT in general. Two areas I’ll discuss today are the IIC reference architecture and the security framework.

Industrial Internet Reference Architecture

The Industrial Internet Reference Architecture is a comprehensive architectural template to help developers and software architects design and build their industrial IoT systems based on industry-recommended approaches. The reference architecture also helps establish a common architectural approach across the IoT ecosystem. Consider, for example, the implementation view of the reference architecture. This implementation view, shown below, is likely familiar to developers:

IIC Reference Architecture - Implementation view

Figure 1: The Industrial Internet Reference Architecture functional view.

The reference architecture goes beyond the implementation view to include business, usage and functional viewpoints of an IIoT system, from edge devices to platform to enterprise. Another area of interest is the security working group and the Industrial Internet of Things Security Framework, specifically how GrammaTech products can help organizations field safe and secure IIoT products.

Industrial Internet of Things Security Framework

The IIC security framework “initiates a process to create broad industry consensus on how to secure Industrial Internet of Things (IIoT) systems.” The framework is comprehensive and covers aspects outlined in the reference architecture, including various viewpoints: business, functional and implementation. The framework also covers various aspects of security, including physical, roots of trust, identification, access control, integrity protection and monitoring, etc.

The framework doesn’t delve into software development practices in detail. The framework uses the term “trustworthiness” as an umbrella term for safety, security, reliability, resilience and privacy. These five characteristics have the most effect on how much trust can be placed in a deployed IIoT system. There is a role for software tools such as GrammaTech CodeSonar in increasing trustworthiness; section 3.3 of the framework states: “Rigorous software development practices can help developers identify and eliminate potential safety issues and security vulnerabilities”.

The annex of the framework is more specific on tools and practices as part of a risk-based development method. Approaches such as the Cyber-Security Maturity Model (C2M2) and the NIST Cybersecurity Framework are mentioned. Annex C, in particular, calls out secure software development and static analysis as example techniques for software integrity, a topic we’ve discussed in detail in previous posts.

The Role of Static Analysis Tools in Improving Safety and Security of IIoT Systems

Static Application Security Testing (SAST) tools like GrammaTech’s CodeSonar provide critical support in the coding and integration phases of development. Ensuring continuous code quality, both in the development and maintenance phases, greatly reduces the costs and risks of security and quality issues in software. In particular, these tools provide some of the following benefits:

  • Continuous source code quality and security assurance
  • Tainted data detection and analysis to uncover complex security vulnerabilities
  • Third-party code assessment of source and binary code
  • Secure coding standard enforcement

This topic is covered in much more detail in our whitepaper “A Four-Step Guide to Security Assurance for IoT Devices.”


The IIC reference architecture, testbeds, and various working groups are helping define a common approach to IIoT systems through consensus and known best practices. GrammaTech is a member of the IIC to contribute to the community in our areas of expertise in security, static analysis, system hardening, and autonomic computing. The security framework in particular is of interest as it relates to many of the topics we’ve covered in the past. Static analysis continues to play an important role in improving quality, security and safety in IIoT systems.

Interested in learning more? Read our white paper "How Static Analysis Protects Critical Infrastructure from Cyber Threats."
