The Internet of Things (IoT) is one of the most significant trends in technology today. A melding of innovations in the fields of computing and communication, IoT and its “smart” devices are poised to revolutionize not only user-machine interaction but also the way in which machines engage with one another.
Already we are beginning to see the permeation of the Internet of Things into various market sectors. One vertical where we see this diffusion the most is in industry. Indeed, energy, healthcare, automotive, and other industries are beginning to grapple with the Industrial of Internet of Things (IIoT), where devices such as sensors, robots, mixing tanks, and insulin pumps are becoming increasingly more connected. As noted in a blog post by Lane Thames, a security research and software development engineer at Tripwire, this subset of IoT holds much promise for the future.
“The Industrial Internet of Things will drastically change the future, not just for industrial systems, but also for the many people involved,” Thames explains. “If we can achieve the full potential of the Industrial IoT vision, many people will have an opportunity to better their careers and standards of living as a result of countless value creation opportunities.”
Thames goes on to identify how IIoT could create a number of new “smart” paradigms, such as smart power grids and smart healthcare, as well as lead to the development of new manufacturing ecosystems that are driven by self-aware, autonomic machines.
Clearly, the Industrial Internet of Things can have a bright future. But as Thames rightly warns, “the devil is in the details”. Devices that can connect to one another and over the web potentially threaten our Industrial Control Systems (ICSs), security consultant Larry Vandenaweele has observed. Those systems are vital to the operation of the utilities, energy, and nuclear sectors. More specifically, as business requirements necessitate that industries move beyond “smart” devices merely as a means of control, they might run into obstacles as they seek to incorporate IIoT into their office environments.
There are numerous challenges that industries could face when implementing IIoT. Here are five that stand out in particular.
Key Challenge #1: Settling on Device Capabilities
Jeffrey Caldwell, chief architect of security who oversees the research and development for ICS and infrastructure security solutions and product offerings at Belden Inc., feels that one of the most fundamental challenges involved with IIoT today is the different set of device capabilities available to manufacturers and process control operators.
“Many solutions and opportunities for machine-to-machine (M2M) interconnectivity and communication are available, and more are being brought to market on a regular basis,” observes Caldwell. “When deploying IIoT technologies, we must therefore think over the a few questions. What information should be collected? How should information be stored? How can the information best be analyzed? And what decisions should be made based on the analysis?”
While an analysis of economic value and ROI can assist industries in deciding where to incorporate IIoT technologies, the challenge of settling on capabilities extends all the way up to device manufacturers. Joel Langill, an operational security professional and industrial control system cyber security consultant with nearly 35 years experience in industrial automation and control developing, as well as the founder of the information sharing website SCADAhacker.com, explains that some manufacturers are still trying to catch up to the complex demands of IIoT things.
“The real risk to what I call ‘manufacturing integrity’ is when products and services that may be well suited for a typical office setting are presented as solving the same problems in a manufacturing environment without completely understanding the associated requirements (environmental, hazardous areas, reliability and availability of services, etc.),” explains Langill. “At the end of the day, the final control components (controllers, sensors, actuators, etc.) that bridge the cyber-physical space are still based on technologies that are not common within most IT architectures. Though Ethernet (Notice I did not say TCP or UDP.) is becoming more prevalent than in prior decades, Windows platforms are almost non-existent because they lack the most basic of operational requirements.”
When it comes to navigating the Industrial Internet of Things, not only must individual industrial enterprises carefully consider where they would like to implement IIoT, but also manufacturers must clearly define operational requirements and understand the capabilities of the technologies they wish to create. This necessitates a deep comprehension of the real-time production equipment to which the devices would ultimately be applied.
Key Challenge #2: Supply Chain Concerns
Functionality is not the only focus that manufacturers will need to address in the coming years. Cost and industrial reliability will also play a part as early adopters vie to make the transition to IIoT. As embedded systems increasingly make their way into enterprises, the onus will be on manufacturers to maintain the integrity of their supply chains.
This challenge is not lost on Patrick Miller, a Managing Partner at Archer Energy Solutions and a trusted independent advisor dedicated to the protection and defense of critical infrastructures around the globe.
“Particularly where IIoT elements are used within critical infrastructure, I anticipate that supply chain concerns will arise in respect to politics, public opinion, and other perspectives,” predicts Miller. “To get ahead of this potential source of resistance, organizations must consider how they can best maximize transparency and standardization in the manufacturing process. They will need to build devices according to an agreed-upon open standard that can be evaluated independently in an effort to confirm that only the expected hardware, software, or firmware is included.”
Key Challenge #3: Security
Integrally tied to the components of IIoT devices are the steps that researchers have taken to secure them. As noted by Ron Carr, President and Managing Member of Access Control
Technologies LLC (ACT), as well as a Business Development Partner for Tripwire with over 40 years of experience in pipeline SCADA communications, this problem affects not only manufacturers and process control operators but also pipeline control operators.
“Any ‘thing’ or device that is controlled by network communication that ‘faces’ the Internet is vulnerable to being hacked,” he observes.
IIoT devices are in no way exempt from this. For example, according to Carr, “the brief period of time it takes to plug in a laptop (that has an internet connection) to a flow computer in order to download a software upgrade is all it takes to upload malicious malware such as BlackEnergy or Stuxnet.”
To protect against these and other threats, industrial enterprises should consider how they could integrate an advanced cyber threat protection solution into their network.
Key Challenge #4: Bridging the Gaps that Divide Us
Security is a significant concern when it comes to implementing IIoT. However, as with any new technology, technical problems are ultimately no match for issues that divide people and prevent us from working and adapting together.
“Perhaps the hardest challenge to overcome is that of breaking silos between different disciplines and departments,” notes Gary Mintchell, an industry-leading writer on automation, control, software, manufacturing, marketing, and leadership. “The famous ‘IT/OT Convergence‘ that has been discussed for many years must happen. Control engineers must upgrade their skills so that they in the very least understand networking and security. And IT engineers and architects must understand the difference between business processes and manufacturing processes.”
That is not to say that any of those steps are easy. However, forging new channels of collaboration will benefit the overall enterprise in terms of productivity, profitability, customer service, and sustainability. As Mintchell rightly states, “leaders must step up their game to show the way.”
Key Challenge #5: Safety
The fifth and final key challenge enterprises face when implementing IIoT is safety. This concern relates to how the deep integration of connected devices and physical controls are introducing new methods of attack.
Tim Erlin, a Director, Security, and IT Risk Strategist responsible for Solutions and Strategy at Tripwire, elaborates: “There have been safety regulations for many, many years, of course, but they rarely consider how a logical attack might affect a physical result. We’ve seen the start of these ‘kinetic cyberattacks’ with Stuxnet and the German steel mill, but the IIoT drives a growing attack surface. The equation simply isn’t the same as it has been for IT security, and we’ll need to adapt.”
Fortunately, industrial enterprises can leverage the new collaboration channels between IT and OT to their advantage in response to that obstacle.
“We must appeal to the history and experience of the OT space and operators,” recommends Erlin. “IT security should start incorporating safety into their threat modeling and begin consulting with the OT security teams on how to do so. This isn’t a case where one group has all the answers. It’s truly an opportunity for convergence.”
The key challenges of implementing IIoT might seem daunting. However, the problems associated with device capabilities, supply chain concerns, security, divides between people, and safety all ultimately demonstrate the extent to which departments, entire enterprises, and manufacturers must work together to navigate this new trend in technology going forward. In every case, there is a course of action available to industries; it’s simply up to them how they would like to proceed.
If you work for an industrial enterprise and you would like to learn more about how you can protect your enterprise industrial network, please click here to read Belden Inc.’s blog post on five steps enterprises can take to benefit from IIoT.
Alternatively, you can learn more about the state of ICS Security here: