In my previous post, the discussion was focused on what an IIoT solution is comprised of and I used that to provide a common starting point for continued discussion, primarily around security of IIoT solutions. As a quick refresher, IIoT solutions are comprised of components from five task areas as shown in the below graphic:
Collect – data is collected, typically from a sensor or IoT device
Store – data, once collected, is typically stored for long-term analysis
Transmit – data collected from sensors needs to be moved off of sensor devices using wireless technologies
Analyze – data is put into context. In IIoT perspectives, it is in the context of the business
Use – data, now information is put to use by companies that implemented the solution.
I don’t list security as a task area for IIoT solutions because it is not something IIoT solutions must do, but something they must have. From a business perspective, the introduction of IIoT solutions brings promises of increased value – doing more with greater efficiency and depth of understanding. However, there are risks involved in expanding into this territory comprised of information and operations technologies (IT/OT). Let’s take a look.
Risky Business
From a program management perspective, this risk is usually in the cost, schedule, and performance of a project. When building IIoT solutions, however, additional risk is buried within this solution framework and centers on the fact that these five task areas are actually complex, intricate events that have multiple sub-parts to manage and are intertwined with each other. IIoT solutions bring together previously separate industries, each with different security goals. In the above example scenario, commercial (as opposed to operations) IT gets implemented on previously unconnected vehicles and other high-value tools. Whereas previously, securing the vehicles relied mostly on physical security – vehicles are kept in a confined, usually locked area and required keys to access them – now, a bad actor can access vehicles (and your network), remotely. Introducing IT into the mix, even though the intent is to track inventory and possibly enable predictive maintenance, creates a different security focus, one that must protect against remote threats once these devices are connected to a potentially worldwide network. Sensors, and ultimately the vehicles and tools they are connected to, become accessible from anywhere you have an internet connection, opening up the possibilities of breaching security and providing valuable information. Similarly, by placing sensors on devices that reside in remote locations (i.e., away from your traditional IT architecture), access to your network may be available to actors with access to the sensors, if these devices are not secure.
Developers and implementers now need to consider security from multiple angles. Many companies working with IIoT are not adequately (if at all) focusing on security through a holistic viewpoint, though as the graphic depicts, it is one area that has an impact on every other aspect of a solution. While the graphic depicts security as what appears to be a separate function, it is really meant to be an overarching consideration that needs to be an integrated part of each of the other task areas. This also means that security needs to be part of the total design process, beginning at product conception, and not just a consideration at the end of development during testing. We begin to see that a lack of (or lackluster) security anywhere along the string of equipment and software that makes up an IIoT solution is a weakness for the entire system.
Getting There
As mentioned in my previous post, the value of an IoT solution for business purposes is different than that for consumer devices. Additionally, using IoT solutions in an industrial setting means we are forcing two previously separate systems and security thought processes together. Companies need to consider the security of IIoT solutions differently as well. Control systems require one type of focused security (think safety first) while a traditional IT-focused solution focuses on usability. Security needs to be considered holistically. Understanding that an IIoT solution is more complex than just deploying a sensor and connecting it to the internet is key because security done poorly in any one of these task areas compromises the whole system. And that erodes trust in systems, processes, and brand name, and will ultimately cost businesses money.
One of the problems facing the IoT industry (both commercial and industrial) is the fact that while parts of the industry are more mature than others, the entire ecosystem as a whole is still nascent. There is no single standard guiding the use and implementation of technology in an IoT solution much less in an industrial setting. A few organizations have begun developing security frameworks for IoT solutions worth reviewing. Two such organizations include the National Institutes of Standards and Technology (NIST) and the Industrial Internet Consortium (IIC). Both discuss security from familiar approaches (Confidentiality, Integrity, and Availability) however, they begin to dive deeper into specific actions to take when securing IoT solutions. My intent is not to go into detail on each framework (the IIC Security framework totals 173 pages) in this series. Instead, a worthwhile place to start the security discussion is from the perspective of the five tasks an IoT system should accomplish. We’ll discuss that next.