IIoT and Security: Know What You Seek

Wednesday, January 11, 2017 @ 12:01 PM gHale

EDITOR’S NOTE: The Industrial Internet of Things is on the verge of taking off, but users need to understand it is all about driving business value. It’s not just how you’re collecting data through interconnectivity; it’s why you want to do this in the first place. In Part II of this two-part series, you’ll learn what to look for and how to derive value in IIoT projects, while mitigating huge security challenges.
By Eric Byres
One of the biggest challenges is knowing how to derive value from the onslaught of data gained from adopting the Industrial Internet of Things (IIoT).

Obviously, data overload isn’t the goal, but it can easily become the byproduct of IIoT, and that can quickly stifle the process’ worth. Too much data is of little use, and can even boomerang negatively by becoming a distraction. Successfully interpreting data and translating it into useful information is a process that takes skill and analytics, but — most importantly — a clearly defined, goal-oriented strategy. Your goal mustn’t be to merely collect data. It should be to know exactly what you will do with it.

Bill Brown of Stanley Black & Decker shared at the 2016 IoT Tech Expo about how a focused IIoT effort improved one of his company’s service programs.

Stanley Black & Decker makes those automated sliding glass doors that you pass through as you go into your local Walmart. Prior to the IIoT deployment, predictive maintenance of the doors proved to be a challenge of “knowing when to roll a truck out, knowing when something needed to be adjusted,” Brown said. So Stanley Black & Decker launched an IIoT project to collect information from the doors. “We don’t have to wait for [the doors] to break and for somebody to call us. Now we can just look and see when something is a little out of alignment or one of the motors is getting a little hotter than the others.” The result is Stanley Black & Decker has been able to reduce its costs and improve their customer’s satisfaction with the reliability of their product.

Real Benefits, Real Risks
The Stanley Black & Decker case also highlights how IIoT can have complex security implications.

Doors are the firewalls of the physical security world — they can control who or what enters or leaves a building. And like firewalls, monitoring their activity and correlating it with other systems (like CCTV video surveillance or inventory tracking) can significantly improve security and reduce losses. So an IIoT project like the Stanley doors project that was initially designed to improve maintenance responsiveness can suddenly be integrated into other business systems in ways unforeseen by the original project team. The ability to easily integrate IIoT information into multiple systems is critical to realize the full potential of IIoT.

The first concern people have is that IIoT’s interconnected nature may expose a company’s assets to new and sophisticated external attacks. This is absolutely true — the uncontrolled sharing of IIoT information brings risks. What if poor cyber security lets criminals access the door operations data? Could they use their access to plan crimes (such as knowing when a door is removed for service) or for covering up their crimes (by tampering with the logs)?

Shortly after hearing about the Stanley Black & Decker project, I was contacted by a European company that is a competitor to Stanley. They had been contacted by a major client who also wanted real-time data from store doors. Unfortunately for the European manufacturer, their systems had never been designed to be secure and they weren’t sure how to add security into their product. In the end, they chose to refuse their client’s request, impacting their relationship with this key client and losing an opportunity to improve their service and reduce costs. The bottom line is poor security design not only poses risks, it also limits opportunities.

Poor security can also inhibit the trustworthiness of the data, resulting in a garbage-in/garbage-out scenario. It doesn’t take a rocket scientist; simple tampering with insecure logs from the plant floor can give a misleading view of what is happening. And poor data management can have far more serious repercussions, including the leak of critical corporate secrets or assets.

Robust security liberates your network and greatly enhances the opportunities derived thereof. Technology is about the tools you choose and implement; security is what enables the process: Think of it as the “how” of the puzzle. As such, it must never be implemented as an afterthought. By bringing security experts to the table, you have the opportunity to expose your thoughts and architectural plans to an exclusive group of experts — but ensure they have been screened and vetted, with signed and legal guarantees of confidentiality. Through the analysis, critique, and guidance of these experts, you attain the confidence that you’ve covered your bases and solved your issues before launching the respective projects.

Building In Security, Robustness
As my second door manufacturer learned, the best IIoT systems are those designed with security and robustness in mind. They include elements such as automated failback features, an increased tolerance for short-term failures, and security monitoring within the system operations plan.
Brown of Stanley Black & Decker explains his company’s IIoT deployments couldn’t be cloud centric — they needed to be able to work on premise. “If the Internet connection goes down, your system still needs to function.”

Experts such as the Chief Security Architect of Polyverse Corp., Steven C. Venema, recommend reviewing the ISA/IEC 62443 standards (formerly known as ISA99) as a preliminary roadmap toward partitioned architectures for the ICS/SCADA domain. “Partition your equipment and systems designs,” Venema said, “to allow security components to be updated on a faster cycle than other operational components.” As “the complete security life-cycle program for industrial automation and control systems,” ISA/IEC 62443 consists of 11 standards and technical reports, introducing the concepts of zones (groupings of logical or physical assets that share common security requirements based on criticality, consequence, and other such factors; equipment in a zone should share a strong security level capability) and conduits (paths for information flow between zones). ISA/IEC 62443 standards provide requirements based on a company’s assessment of cyberattack risks and vulnerabilities.
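
The zone-and-conduit model described above can be checked mechanically against an asset inventory and observed traffic. The following is an added example, not code from the article or from the ISA/IEC 62443 documents; every asset name, zone name, security level value, and flow in it is constructed for illustration.

```python
from collections import namedtuple

Asset = namedtuple("Asset", "name zone sl_capability")
Conduit = namedtuple("Conduit", "src_zone dst_zone protocol port")

# Constructed inventory for a door-monitoring deployment (all names hypothetical).
ZONE_TARGET_SL = {"store-floor": 2, "store-dmz": 3, "enterprise": 2}
ASSETS = [
    Asset("door-ctrl-01", "store-floor", 2),
    Asset("door-ctrl-02", "store-floor", 1),  # weaker than its zone requires
    Asset("edge-gateway", "store-dmz", 3),
    Asset("maint-server", "enterprise", 2),
]
# Conduits are the only permitted inter-zone paths; each entry is one direction.
CONDUITS = {
    Conduit("store-floor", "store-dmz", "mqtt-tls", 8883),
    Conduit("store-dmz", "enterprise", "https", 443),
}

def under_capable_assets(assets, targets):
    """Assets whose security level capability is below their zone's target."""
    return [a.name for a in assets if a.sl_capability < targets[a.zone]]

def check_flows(flows, assets, conduits):
    """Return (flow, reason) for every observed flow that violates the model."""
    zone_of = {a.name: a.zone for a in assets}
    violations = []
    for flow in flows:
        src, dst, proto, port = flow
        if src not in zone_of or dst not in zone_of:
            violations.append((flow, "unknown asset"))
            continue
        sz, dz = zone_of[src], zone_of[dst]
        if sz == dz:
            continue  # intra-zone traffic does not cross a conduit
        if Conduit(sz, dz, proto, port) not in conduits:
            violations.append((flow, f"no conduit {sz}->{dz} for {proto}/{port}"))
    return violations

# Constructed observed flows, e.g. summarized from firewall or flow records.
FLOWS = [
    ("door-ctrl-01", "edge-gateway", "mqtt-tls", 8883),  # uses a defined conduit
    ("door-ctrl-01", "door-ctrl-02", "modbus", 502),     # stays inside one zone
    ("door-ctrl-02", "maint-server", "https", 443),      # bypasses the DMZ zone
    ("maint-server", "door-ctrl-01", "telnet", 23),      # reverse path, no conduit
    ("vendor-laptop", "door-ctrl-01", "ssh", 22),        # not in the inventory
]

if __name__ == "__main__":
    print("below zone target:", under_capable_assets(ASSETS, ZONE_TARGET_SL))
    for flow, reason in check_flows(FLOWS, ASSETS, CONDUITS):
        print("VIOLATION", flow, "-", reason)
```

Running the same check on a schedule against fresh flow data also serves the monitoring item in the checklist below: any new inter-zone path shows up as a violation until a conduit is deliberately defined for it.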


In your IIoT security checklist, strategize accordingly so you can ensure and implement the following proactive and protective measures:
• Design security in from the start. Never leave it as an afterthought.
• Enlist expert help. Fuse a team of senior management and security specialists who can communicate and work together to design protective strategic measures that work seamlessly with the plant’s (and whatever products or services therein) functionality and features.
• Compartmentalize IIoT solutions into security zones to prevent the spread of malware throughout the plant. In tandem, integrate security best practices during each phase of the developmental process on the plant floor.
• Monitor your IIoT system continuously to understand vulnerabilities and manage emerging threats. It is essential to detect issues as early as possible.

IIoT shouldn’t be a raw or experimental practice. It must be designed reliably and with evolving security systems that are punctually followed and updated. Otherwise it’s no different than installing a burglar alarm system in your house… and never bothering to turn it on.

As Vimal Kapur, president of Honeywell Process Solutions, said, “IIoT is an evolution… it is moving legacy systems into the new age of technology to take advantage of everything [that] new technology and connectivity have to bring.”

Gaining Access to Information
At its core, IIoT is a strategy toward quicker solutions, grounded on perspective; it is a new way of examining an old problem. We’ve always had the data — test results, analytics, asset management information, and maintenance information — but it’s often been inaccessible, overlooked, or obscured in the operating procedures.

If we can get our security strategy right, we have an opportunity to rethink the way the industry integrates the data buried in the manufacturing process.

The leading businesses of the digital future will be the ones embracing the challenges and opportunities of IIoT, harnessing this competitive advantage to enjoy faster growth and sustainable success.

If you want to learn more about successful IIoT deployments, download a copy of the technical report “The Industrial Internet of Things: Secrets for Unlocking Business Value in the Digital Future.”

The adoption of IIoT provides immediate benefits, such as improved reliability and reduced downtime. Simultaneously, it also enables long-term benefits by establishing a platform for continuous development, offering a greater return on investment due to an influx of information quantity and quality.

By creating a forward-thinking company culture, by maintaining corporate focus, and by designing IIoT systems with appropriate security measures, your business can overcome the obstacles and strategically implement IIoT best practices to gain an immense competitive advantage in the digital future.

Eric J. Byres is a leading expert in the field of industrial control system (ICS) and Industrial Internet of Things (IIoT) security. Eric is the inventor of the Tofino Security technology. He now provides technology and market guidance to companies entering the IIoT market, as well as security policy guidance for established companies involved in the operation of critical infrastructures.
