In the past few years, it seems as though the Internet of Things (IoT) has been touted as a cure for many of our everyday ills. At the end of 2015, nearly 20 percent of all U.S. households with broadband connections owned at least one smart home product, according to the research firm Parks Associates. The company says that during the next decade, that number is projected to jump to 66 percent. While much of what we consider to be IoT is by and large consumer-facing products, the real opportunity lies in Industrial Internet of Things (IIoT) — referred to as Industry 4.0 and the Connected Factory by some.
Vikas Butaney’s Cisco blog post is a statement of not only the importance of resiliency and latency, but also the need for security and connectivity requirements when discussing industrial machines and networks. The convergence of physical security and Internet security is inevitable, so leaders will have to work towards the protection of assets (equipment, data, and employee life) in a way that has not previously been explored.
Thus far, industrial networks have been more focused on delivering a signal. There is a significant difference between industrial applications and enterprise products, chiefly that enterprise products aid in security and connectivity requirements. Enterprise products on the whole deal primarily with data protection in data centers, which means their focus is on confidentiality and bandwidth issues. On the other hand, the IIoT is not focused on uptime and availability rather than data loss. Communication between the network and equipment is paramount to mission-critical operations. Also, security breaches in IIoT is not about stealing data but about maliciously affecting the physical acts of equipment. Thus, the efficiency of safely operating machines/robots is far more important because possible failures through malicious cyber attacks are a credible fear.
Latency is key in IIoT – optimize uptime of equipment, ensure maintenance is managed efficiently, and secure and validate the return on investment in bought or leased infrastructure. Therefore, in order to protect against malicious attacks, you need to control what messages travel through machines. There is a controller that is talking to a machine, so you need to design network systems so that the messages from these systems are delivered to the equipment in two to 10 milliseconds. Industrial protocols on SCADA and programmable electrical equipment are designed for latency. What these things are not designed for is security and Internet connectivity, so protection is a must to ensure that only authorized commands can get to the lower layers. Latency requirements don’t allow enterprise products to work and run machines. IT wants everything to be IP. A lot of the industrial protocol has IP over it.
Fragmentation is a real problem in the IIoT space, as most enterprise-focused products and vendors are fragmented. It’s not only the solution that is fragmented, but also the actual business use case. When you bring together the physical world, technology, sensors that detect, people that manage and use equipment, and an industry that is largely nascent, you have a dangerous but also an opportunistic space that will grow. With the introduction of cloud computing, the problem gets even worse because infrastructure expands beyond confines of a company’s walls. These current problems could help any attacker to carry out processes with malicious intent.
Where’s the Budget?
While the issue of IIoT security is known, a big problem is where is the money in the budget for adding IIoT security? Gartner predicts, by 2020, more than 25 percent of identified attacks on enterprises will involve the IoT, but spending levels will remain no larger than 10 percent of the total IT budget. The question that will soon be asked is how will companies create budgets to secure their equipment? The solution for protecting equipment may lie in safety budgets. Every company must invest in their safety budgets, so tapping into this budget may signify a real shift in how companies and vendors approach IIoT. Today, cyber isn’t a part of that budget.
At this stage in IIoT development, interoperability – although clunky, proprietary, resource-intensive, and largely controlled by vendors – is very important. Although open-sourced platforms are still open to manipulation, it’s needed to create industry standards that can be expanded as necessary. Another perspective may be to have the government create standards similar to Presidential Policy Directive 21. The directive identifies key industries that are being asked to standardize and protect critical infrastructure. Countries like Germany understand the need for this investment, and are on pace to define IIoT standards well ahead of the U.S.
Enterprises have a real opportunity to save money, improve quality of service, and innovate new business models if some of the fog on IIoT is lifted and the industry can standardize technology. While IIoT will create actual value and a real economic upside, the reality is that it will change the physical world for companies in ways that are not yet fully understood. However, what is known is that, as of yet, there is no homogeneous security technology that can protect all IT and OT assets. Therein lies an opportunity.