Friends or Foes: IIoT and Security

Wednesday, January 4, 2017 @ 12:01 PM gHale

EDITOR’S NOTE: This is the first in a two-part series written by industry security expert, Eric Byres, discussing the growing Industrial Internet of Things and cyber security.

By Eric Byres
If I had to pick the trendy industrial technology for this past year, the award would have to go to the Industrial Internet of Things (IIoT). You can’t go to a trade show or read an industry magazine without getting overwhelmed with new IIoT products or services that promise to completely revolutionize your business.

But what exactly is IIoT? Can it really help your company? And will it expose your plant floor to new security risks?

If you can’t answer those questions, you are not alone.

Insecure IIoT More Apparent
IIoT Security: A Holistic Approach
Monitoring a Growing Network
IoT Attack Scare: Is Industry Ready?

It turns out most business executives don’t understand what IIoT is either. Many don’t understand what it can (or can’t) do for their company. And even fewer have a plan detailing how they might deploy IIoT effectively. According to a 2015 Accenture survey, 36 percent of 1,400 business leaders admitted their senior managers have fully grasped the implications of IIoT. Added to that, 7 percent developed a comprehensive strategy for IIoT with matching investments.

Fortunately, there are starting to be enough real-world IIoT deployments where the careful engineer can separate hype from reality. Companies that have successfully rolled out IIoT projects have discovered it really does have the potential to unlock tremendous value in their manufacturing chain.

However, like all new technologies, IIoT is not without its challenges. According to a survey of IIoT experts conducted by Convetit, a company that organizes on-line advisory boards and think-tanks for Fortune 500 companies, the top four challenges of IIoT are the interoperability of different silos and systems, the resistance to organizational change, problems implementing IIoT into existing processes, and increased security risks. Manage any of these poorly and your IIoT project can hinder rather than help your company.


Last year I facilitated a team of experts focused on solving these IIoT challenges for Fortune 500 companies. I have heard about some amazing IIoT success stories. I have learned of some scarily insecure IIoT projects. Through them all, I have seen the same issues and solutions showing up again and again. In this series, I’ll share some ways you can get your IIoT project focused and at the same time, overcome the security challenges facing IIoT implementations.

Rethinking IIoT
The Internet of Things (IoT) is a term first coined in 1999, and it defines our era of connected devices. It has most recently been characterized by the explosive rate of the interconnectivity between intelligent objects that are “network-connected” in order to enable information sharing. It isn’t a revolutionary concept in and of itself — most of us have been interacting for years with some of the most useful, disruptive, and life-altering “connected devices;” the smartphone reigns as one of the most obvious examples. Other popular examples of IoT consumer-related goods include home light/temperature controls and wearable biometric devices.

In the industrial world we have been connecting smart devices for decades — network connected RTUs, PLCs, and HMIs are nothing new. What has changed is the depth of integration, its complexity, and the range of devices available. Until recently, most plant data stayed on the plant floor. And any “connectivity” was largely between controllers, I/O, and operator stations.

What has changed with IIoT is massive amounts of industrial data can now flow either up into the corporation and “the Cloud” or down into increasingly “smart” field devices. Information previously locked into proprietary databases on a plant floor server can now end up accessed by corporate applications around the world.

Perhaps most important, information doesn’t have to only flow up from the plant floor to management. It can simultaneously flow in multiple directions from multiple sources to different “data consumers.” At one major U.S. automotive parts manufacturer, measurements from field sensors in hydraulic presses are now being combined with feedback from customers to get better understanding of the indicators of premature product failure.

This “massive interconnectivity” requires new ways of looking at how the entire company can effectively integrate and use all the data available in our industrial process. And it requires new ways of understanding how our industrial processes can use the data available from other business units and the end customer to create a safer and more reliable product.

“IIoT is the new label for something which has actually been developing for decades: The growing interconnectivity of ‘cyber’ devices which control physical systems,” said Steven C. Venema, chief security architect, Polyverse Group

Fear of Change
The unprecedented scale of information exchange means IIoT is often a transformative process for businesses. Unfortunately, transformations of the workplace often result in deep-seated concerns in staff at all levels. These include macro reasons such as the natural fear of change to delaying factors ranging from the excessive review of possible risk elements to the confusion concerning the actual technologies and protocols to be used.

Consider the daily status meeting, a feature of manufacturing management for over a century. When an IIoT project is deployed, companies suddenly find their daily meetings miss huge opportunities to change operations in real time as new information comes in. A meeting format that is more responsive to real time information is often needed. Yet some staff will be reluctant to give up a meeting they have attended for decades.

For an IIoT project to achieve its full benefit, it needs to address these concerns up front. Questions like “How will this information get routed to the decision-makers? What systems will they use to evaluate it? If something dramatic changes, who gets told? How do we make sure the right people can access the information?” all need answers before the IIoT project is launched. Businesses must strategize with a clear outlook regarding why, what and how their specific organization will implement IIoT technologies.

Not the Field of Dreams
“If you build it, they will come” is not a model for successful IIoT rollouts — but it’s a frequent stumbling block for many companies. When creating an IIoT infrastructure, you gain the most value by creating it with the end in the mind. Prepare with the skillsets needed to securely implement IIoT in existing processes and to effectively interpret the resulting data. IIoT infiltrates the entire company; it’s a mentality as much as it is a tool. A company culture must be such that it embraces — rather than resists — such a huge organizational overhaul.

As the foundation of such a strategy, it’s often wise to find a platform for alliances. You can enlist the help of organizations which provide the platform for experts to convene on a variety of subjects; these external experts can engage online with your company’s team, either for short timeframes of intense discussion or more routinely over a longer timeframe.

Tom O’Malley, founder and chief executive of Convetit, has seen companies struggle to align their visions with their IIoT strategies. “Lots of folks are trying to figure out why,” O’Malley said. “What is your business hoping to gain? Why should senior management decide to implement IIoT? Why is IIoT the optimal strategy?”

If you want to learn more about successful IIoT deployments download a copy of the technical report “The Industrial Internet of Things: Secrets for Unlocking Business Value in the Digital Future.”

It’s essential to interact with IIoT experts whose successes are relevant to your industry; these experts demonstrate by example, explaining their own pitfalls and triumphs to ensure you make the right decisions and to encourage you toward the types of projects which produce real value.

Above all else, remember IIoT is all about driving business value. It’s not just how you’re collecting data through interconnectivity; it’s why you want to do this in the first place. In Part II, you’ll learn what to look for and how to derive value in IIoT projects, while understanding and mitigating the vast amount of security challenges.

Eric J. Byres is a leading expert in the field of industrial control system (ICS) and Industrial Internet of Things (IIoT) security. Eric is the inventor of the Tofino Security technology. He now provides technology and market guidance to companies entering the IIoT market, as well as security policy guidance for established companies involved in the operation of critical infrastructures.

Leave a Reply

You must be logged in to post a comment.