IIoT Grows, But So Do Risks

Things are coming together for the Industrial Internet of Things, but security is a huge and growing issue.


By Jeff Dorsch & Ed Sperling

After years of fitful progress, Industrial Internet of Things technology is gaining adoption on the factory floor, in the electrical power grid, and other areas that could do with greater amounts of data analysis and insights from a connected ecosystem.

AT&T, General Electric, IBM, Verizon Communications, and other large enterprises are actively engaging in IIoT and helping companies, big and small, implement IIoT on their own, as part of a general embrace in the Internet of Things construct, according to industry analysts and executives. But connectivity, and all that it brings, comes at a price.

Emil Berthelsen, IoT research director at Machina Research (acquired last November by Gartner), said IIoT is seeing more traction now. “It’s finally really being adopted by the enterprises that are looking at it,” he notes. “A lot of the enterprises, particularly in manufacturing industries and so on, have seen IoT almost as a direct evolution from their SCADA connections, their machine-to-machine connections, their telemetry. They’ve seen it as a nice, slow, progressive evolution, and haven’t realized until very recently the dynamics of IoT as compared to machine-to-machine [communications].”

That realization is becoming much more widespread. “They are definitely moving from what I would call the pure monitoring and remote management of machines to looking much more at the efficiencies in terms of performance and automation of the machinery itself,” said Berthelsen. “What else can we do with this connected environment that we now have through IoT? What we’ve seen before is very much a monitoring and remote management operational environment, and right now we see a much more data-driven organization. There is much more digital transformation going on, and much more looking at the data, which is allowing them to do further analytics, further analysis, and really look at operational performance enhancements based on data rather than real-time monitoring.”

This falls into the realm of predictive maintenance, which has become one of the hot growth drivers for IIoT. Manufacturers are tying their programmable logic controllers into operational technology legacy systems, providing a point of convergence for these two worlds.

Security issues
The good and bad of this convergence is that it depends on the Internet to be effective. That makes it easy to set up and move data, but it also greatly increases security risks. Until recently most industrial operations relied almost exclusively on perimeter security. Many of them still do. In effect, that provides a well-guarded entry point into a physical industrial operation as well as its data. But when machinery—especially a control system—is connected to the Internet, that approach falls apart.

“There has never been a focus on industrial control systems for shop floor and manufacturing,” said Sean Peasley, partner at Deloitte Cyber Risk Services. “There are controls in place, but they are managed by people on the operations side who are just trying to keep the shop floor running. But as the cybersecurity space has evolved, even when companies invest tens of millions of dollars—and in the U.S. government’s case, billions of dollars—adversaries are still able to get in and steal IP. What is needed is vigilance in monitoring capabilities, and resilience to provide business continuity. That includes everything from disaster recovery to war gaming if something happens so you can get up and running to normal business.”

There is no simple formula for making this work because every industrial operation is different.

“In IT, they may have a CIO or a CISO (chief information security officer),” said Peasley. “In the plant, there may be a COO, plant manager and engineering group. They may have dealt with security controls, but typically they’re at the mercy of the plant operator and it’s not likely this has all been thought through end-to-end. If they’ve done a risk assessment, they may comply with ISO standards, but they still need a risk-based approach with a longer-term view. It’s easy enough to get into an environment or to get to an insider. So they have to think about higher risk than what they’ve done so far, and it has to be a multi-year program.”

This is easier said than done, however.

“There are two larger problems that have to be dealt with,” said Robert Lee, CEO of Dragos, and a national cybersecurity fellow at New America. “First, there are not enough security experts. There are about 500 people in the United States with security expertise in industrial control systems. There are only about 1,000 worldwide. And second, most people don’t understand the threats that are out there because they never existed in the industrial space. So what they’ve been doing is copying and pasting industrial control solutions into their ICS systems.”

Lee noted that there is no simple solution to securing IIoT systems. It requires tracking signatures, setting a baseline, identification of anomalies, and behavioral analytics. The latter piece is the most critical, because it requires a deep knowledge of an industry. “Petrochemical is different than another industry. With industrial control systems, you have to assume at the end of the day that the perimeter will fail. A security architecture and passive defenses make it defensible, but it will be humans that ultimately make it defensible.”

So just how many attacks are there? It’s difficult to tell. Metrics are generally based on how many instances there are of known malware installers. Lee said the number is probably about 3,000 per year. But the sources of those attacks may be more widespread than one might expect because each region has a different signature. Once each is identified, companies can find traces of hackers from those regions, but they generally have to be looking for them. So while Russian and Chinese hackers are considered the culprits in the United States and Europe, those are the ones that have been identified. India, meanwhile, has focused on Pakistani hackers, which may or may not have attacked companies in the United States and Europe.

The value of data
One of the reasons security has become such a big issue for the IIoT is that the data within these companies is extremely valuable and highly exposed. While industrial data has always been valuable, illicitly tapping into it generally required someone to be physically present. The IIoT changes that equation.

“In a factory, there were limitations on access to data,” said Scot Morrison, general manager of embedded runtime solutions at Mentor, a Siemens Business. “It was limited by depth of the data, how far out you were, how many layers there were, and the frequency of updates. That limited analysis. On average, only about 5% of that data was analyzed, but at least they had it. By connecting everything you enable better data analysis, but you also increase the security risks.”

Historically, that data was also split between analog and digital data, and being able to pull it all together was limited by the sheer volume and the fact that it was in different formats. But the IIoT has changed that. “Security is a bigger issue than ever. Being connected makes it possible to go deeper and deeper into that data.”

In some highly competitive industries, such as petrochemicals, security is considered a requirement.

“Certain industries are more willing to pay than others,” said Ron Lowman, strategic manager for IoT at Synopsys. “But it’s really a Wild West of what they need to support at a minimum, particularly in the IIoT.”

In other slices of the IIoT, there is huge resistance to paying for security because it has never been included in the budget.

“Security is a big issue when it comes to quality,” said David Park, vice president of marketing at Optimal+. “We can track the provenance of any device. But it often depends on who the customers are. In many cases people are not willing to pay unless there is a cataclysmic event.”

And making matters much worse, the most successful attacks in the IIoT go unnoticed.

“Most attacks don’t get detected, which is the number one objective if you’re an adversary,” said Paul Kocher, chief scientist in Rambus’ Cryptography Research Division. “If you’ve recognized you’ve been breached, the attacker already messed up. The ones that get detected are the ones that either have business models that necessitate detection, like financial fraud, or they’re amateurish and unlucky or working on such a scale that they’ve can’t hide. If you look at what gets caught, there’s an awful lot that clearly is not being reported on.”

Benefits grow
Despite security issues, though, there are distinct advantages to connectivity. It allows companies to see how equipment is being used and updated, and it allows them to improve uptime through predictive analytics about failures. On top of that, there are enough success stories that companies see this as a necessary step to remaining competitive.

“Industrial IoT (previously referred to as M2M) has been around for quite a while,” said Simon Arkell, general manager of software platforms and analytics at Greenwave Systems. “What is currently driving exponential Industrial IoT adoption is the change in cost and openness for connectivity, computation, and the adoption of industry solutions that solve actual problems. Applications like predictive maintenance and asset optimization are available at a fraction of the cost and can be applied to assets in a reusable format because they have been utilized successfully by others. There is a real ROI associated with these solutions in terms of reductions in unplanned downtime, supply chain optimization, and more optimal use of expensive assets.”

A number of standards also have been introduced to provide some structure to this connectivity. Among them:

• The Industrial Internet Consortium’s Industrial IoT Connectivity Framework
• OPC Foundation’s OPC Unified Architecture (UA)
• Open Connectivity Foundation’s OIC Specification 1.1
• OASIS’ MQTT v3.1.1. Many of the Cloud vendors, such as IBM, Microsoft, and Amazon have adopted MQTT as the lightweight messaging protocol for their IoT Cloud. MQTT is gaining much popularity because of its simplicity and ubiquity. MQTT is small enough to run on a tiny Arduino board and powerful enough to support large IIoT device installations.
• The Linux Foundation just announced the launch of EdgeX Foundry. According to the website, “It’s an open-source project to build a common open framework for Internet of Things (IoT) edge computing and an ecosystem of interoperable components that unifies the marketplace and accelerates enterprise and Industrial IoT.” This will be interesting because the group focuses on the edge vs. the whole IIoT stack.

Regarding the Industrial Internet Consortium, Arkell said, “Connectivity and security seem to be the primary objectives, which is fitting, since these are two of the top issues facing IIoT implementers. Although the founding members are very large companies, the members range from individuals, academia to government organizations. It’s important that the major players, led by the Steering Committee, agree on big IIoT standards or they will never become standards. It is in the best interest of the whole industry to have the large players working together on standards. If they do, everyone will benefit — large and small. Security, connectivity standards, and analytics architecture are the top three things holding back the IIoT, probably in that order. Security will stop an industry dead-in-its-tracks because of fear and uncertainty. This is especially true for IIoT because many industrial systems have never been connected to the Internet, so being connected to a network opens them up to security concerns.”

Once connected, companies need to learn how to communicate and handle machine data. This is where connectivity standards play a crucial role. “If you choose proprietary communication protocols it can lock you out of leveraging a wider array of platforms and flexible device management options,” Arkell noted. “In IIoT, one organization may own the industrial device, but many organizations have access to different systems in that device. This needs to be modeled and addressed when designing authorization and permission frameworks. Assuming IIoT connectivity is the means to delivering sensor data, the biggest challenge then becomes how to architect for analytics. Analytics can happen at many points in an IIoT architecture because there are many architectural tiers from which machine data travels (from device to cloud). The success of IIoT analytics won’t be dumping data to the cloud and analyzing it. It will be the combination of real-time edge and cloud analytics working in harmony. Edge analytics is one of the newer technologies for IIoT. This is because the processing power at the edge (gateway and device) is now capable of handling analytics and maybe even more importantly, required to make real-time decisions at the point of data ingestion.

Another impediment to IIoT adoption is market fragmentation. There are few vendors offering end-to-end solutions, and even those solutions are not equal from one market to the next. On top of that, some of these industrial operations were set up as much as a century ago. Each is unique, and data formats that have been added into those systems vary greatly.

So while standards will help, they won’t solve everything. The International Organization for Standardization (ISO), ISO/IEC JTC 1, and various consortia are working on IoT standards, according to Machina Research’s Berthelsen. “The issue is that the IoT is so wide, so big,” he said. “An overall, encompassing standard – I don’t think we’ll get there.”

Related Stories
Data Leakage And The IIoT
Connecting industrial equipment to the Internet offers big improvements in uptime and efficiency, but it adds security issues.
Smart Manufacturing Gains Momentum
Problems remain for legacy infrastructure, but adoption will continue to grow as gaps are identified and plugged.
IoT Security Risks Grow
Experts at the table, part 2: Mirai, Shodan, and where the holes are in security; establishing a chain of trust from a solid root; how to future-proof security.
IoT, Architectures, And Security
ARM CTO Mike Muller discusses how markets and technology are changing in a very candid one-on-one interview.


Bob McIlvride says:

Hi Jeff,

I have a couple of questions about the article that I was wondering if you could clarify.

You said, “Manufacturers are tying their programmable logic controllers
into operational technology legacy systems, providing a point of
convergence for these two worlds.” As I understand it, programmable
logic controllers (PLCs) are typically an integral part of OT legacy
systems. What is the point of convergence you are referring to?

Rober Lee of Dragos said, “…So what they’ve been doing is copying and
pasting industrial control solutions into their ICS systems.” Isn’t an
ICS an industrial control system? Or did he mean something else?

in advance for any help you can offer in clarifying these two minor
questions for an otherwise very clear and insightful piece.

Best regards,

Bob McIlvride

Leave a Reply

(Note: This name will be displayed publicly)