Data Leakage And The IIoT

Connecting industrial equipment to the Internet offers big improvements in uptime and efficiency, but it adds security issues.


The Internet of Things has raised concerns about people hacking into home networks or using armies of bots to disrupt communications. But with the Industrial IoT, the stakes are significantly higher—and the effects can last much longer.

Security tops the list of concerns as more industrial equipment is connected to the Internet, according to numerous industry insiders. That hasn’t stopped companies connecting industrial equipment to the Internet, because there are documented gains in efficiency, uptime and quality. But it has cast a shadow over these efforts, tempering how quickly companies add that connectivity and how they implement it. This is particularly true for large companies, which have more to lose, not to mention a long history of jealously guarding their data.

Fig. 1: Safeguarding the formula for Coke. Source: Coca-Cola

There is plenty of documentation for what can go wrong. The number of cyberattacks on industry is growing as more equipment is connected to the Internet, and so is the dollar value of those attacks. A Ponemon Institute study commissioned last year by IBM concluded that the average total cost of a single data breach is $4 million, up 29% since 2013. The study found that the longer it takes to detect and contain a breach, the higher the cost. It also found that in regulated industries, such as healthcare and financial services, breaches result in the highest losses because of fines and a higher-than-average rate of lost business and customers.

Fig. 2: Average cost of a data breach by country over three years, in millions of U.S. dollars. Source: IBM/Ponemon Institute.

That’s just the beginning, too. What isn’t measured by these kinds of studies are long-term competitive costs as thieves begin amassing data within and between vertical markets.

“If you look at individual IIoT events, they often aren’t that important,” said Michael Ford, senior marketing development manager for Mentor Graphics’ Valor Division. “But taken together, they can create a much bigger problem for companies.”

In the past, the complexity and size of an operation generally provided safeguards against data theft or leakage. But with commonly used data mining tools, it’s now possible to separate out meaningless shop floor data and home in on the important events, which roughly adhere to the 80/20 rule. Add in multiple companies and begin correlating bottlenecks and other noteworthy industrial events, and that data suddenly becomes much more valuable to a lot of people—makers of equipment, government or industry policies, marketing groups, as well as the highest bidders within a particular industry or those looking to invest in an industry.

“It used to be that an employee would take out data they downloaded onto a USB,” said Ford. “But now a disgruntled employee can download the whole company’s data. Or worse, they can add data in. It would take a while before a company realizes all of the data is useless, or that everything is pointed to a competitor.”

Interpreting data
Correlating data is immensely valuable to companies. It can be used to improve manufacturing and industrial output by identifying recurring problems or inefficiencies. But to be really useful, several pieces need to be aligned:

• Data needs to be in a consistent format, which isn’t easy with a mix of new and old equipment.
• Companies need to be able to interpret their data and its implications, which often includes up-to-date training or hiring experts, either internally or externally.
• Data needs to be reported in a way so appropriate actions can be taken.

“A lot of customers recognize they need better visibility into their data,” said Brett Berger, principal marketing engineer at National Instruments. “Right now, there is a lot of reliance on data analysis that is primarily just simplified dashboards. That’s starting to change. Some companies are creating intelligent, cognitive algorithms that can augment and replace human interpretation. And there is a big emphasis on the growth of organized data.”

There also is a growing understanding of just how much data is really necessary. Taking 50,000 samples per channel per second from a pump may provide an incredibly detailed view of what is happening inside an organization, for example, but it’s unnecessary.

“Every channel measurement is added cost, so you want to take the smallest number that you really need,” said Berger. “It also costs money to move data and to store that data. From a customer standpoint, they might not care about all of that data. They really just want to know when a pump is going to break.”

Another benefit of having all of this data is being able to track quality issues in products. It allows companies to drill down into their supply chain to pinpoint where a problem occurred and whose responsibility it is.

“Most IIoT solutions today are optimizing factory machines to improve asset performance management,” said David Park, vice president of worldwide marketing at Optimal+. “However, the beneficiary of ‘process analytics’ is the company that owns the factory, not necessarily the company whose logo is on a product. Many brand owners are now leveraging ‘product analytics’ in addition to ‘process analytics’ in order to proactively track the key performance indicators (KPIs) of the products manufactured in their supply chain. This is especially important when a part is manufactured on multiple factory floors, and factory A delivers 95% yield but factory B only delivers 90%. Product analytics can tell the OEM why this is happening and identify the steps needed to resolve the issue. In addition, product analytics allows the brand owner to have confidence that every product shipped is of consistent quality, an essential requirement for autonomous vehicles where defect rates will need to be in the parts-per-billion range.”

The retrofitting problem
But the IIoT has some unique challenges. Unlike data centers, where equipment is changed out on a regular schedule—or autonomous vehicles, which are leveraging brand new production equipment—much of the IIoT involves retrofitting machinery and industrial flows that have been in place for as long as a century. Connectivity typically is built on top of an existing industrial system, rather than architected into the system from the start. And that’s where problems can creep in.

“It’s retrofitted and incremental,” said Scot Morrison, general manager of Mentor’s embedded runtime solutions. “Security is a primary theme because the IIoT is about connectivity and open connectivity. People think about what needs to be processed locally for performance and security, and if it’s in the cloud, can they restrict it to the country of origin? So there are layers of data policies being added.”

Connectivity is seen as a way of maximizing uptime and throughput in industrial operations, which could range from GE’s business of providing thrust as a service on jet engines to milling or grinding as a service. Until recently, the strategy was to build a firewall around a plant to restrict access. But with retrofitted connectivity, that no longer works because customers and partners need real-time access to data moving between the end customer and the service provider.

“This is a complex problem, and retrofitting makes it more complex,” said Morrison. “And if you’re doing add-on security, that degrades over time. If there’s an issue with equipment, we find they shut down security in that equipment and they don’t always turn it back on because maybe it impacts performance. The thinking is, ‘Let’s hope we don’t get hacked. We’ll keep the periphery as well-guarded as possible.’”

But in the industrial world, a successful hack is one that goes unnoticed. If the breach is discovered quickly, the damage is significantly lower.

One industry source noted that a large petrochemical company is seeing attempted hacks every day. In the past, this used to happen about once a month, the source said.

Putting the pieces together—securely

So what can be done to improve the efficiency and reliability of industrial operations?

The first is to create a single data type. This may sound counterintuitive, because different file formats are harder to crack than a single file format. But the reality is that a single format is more useful for companies to see what’s going on as well as to secure. The question now is which one and which standard.

NI introduced its Test Data Exchange Stream (TDMS) to capture information at the time of test or simulation. Earlier this year, the company also uncorked its Industrial IoT Lab, whose stated purpose is to bridge operational technology with information technology.

There also is IPC-1782, which establishes minimum requirements for manufacturing and supply chain traceability. And for anything related to the defense industry, there are International Traffic in Arms Regulations (ITAR).

In addition, SEMI is working in the semiconductor supply chain to improve the automation of packaging facilities. But the semiconductor industry is much farther along in factory automation and connectivity than many other industries, in part because of the success of Moore’s Law and the relentless march to improve efficiency. Most other industries move much more slowly.

Conclusion
The IIoT continues to gain ground in large industrial operations, far less so in midsize and smaller companies. But how well connectivity is implemented, and what kinds of new risks are added through that connectivity, are still being assessed.

In a PowerPoint presentation, there are plenty of benefits associated with metrics that can identify quality problems quickly, prevent downtime due to equipment malfunctions or after-the-fact maintenance, and improve the overall efficiency of industrial flows. In the real world, there are tradeoffs to connectivity involving security, which can range from a total breach of company data to a slow leak, which experts say is more common.

Individual industries and industrial groups are taking steps to shore up these problems, but it will take time. No two industries are alike, and old habits—and in some industries, regulations—about sharing data can impede these efforts. Still, progress is being made on all fronts because the companies involved have deep enough pockets, a good business reason to continue to invest, and a growing library of information about what can go wrong.


1 comment

Don Fitchett says:

A very important and informative article. Thanks Ed for helping to raise awareness. For a simple visual representation of the risk, see http://plc-training.org/plc-network-to-hmi-scada.html. To explore the weakest link in IIoT, see http://bin95.com/Industry40inUSA.htm
