Companies need to change focus, mindset on IIoT security

There are ways for companies to get an Industrial Internet of Things (IIoT) project focused while overcoming the security challenges, but it requires a culture change and a different mindset.

By Eric J. Byres January 25, 2017

The trendy industrial technology for the past year is the Industrial Internet of Things (IIoT). You can’t go to a trade show or read an industry magazine without getting overwhelmed with new IIoT products or services that promise to completely revolutionize your business.

But what exactly is the IIoT? Can it really help your company? And will it expose your plant floor to new security risks?

If you can’t answer those questions, you are not alone.

It turns out most business executives don’t understand what IIoT is either. Many don’t understand what it can (or can’t) do for their company. And even fewer have a plan detailing how they might deploy IIoT effectively. According to a 2015 Accenture survey, 36% of 1,400 business leaders admitted their senior managers have fully grasped the implications of IIoT. Added to that, 7% developed a comprehensive strategy for IIoT with matching investments.

There are enough real-world IIoT deployments happening that allows the careful engineer can separate hype from reality. Companies that have successfully rolled out IIoT projects have discovered it really does have the potential to unlock tremendous value in their manufacturing chain.

Like all new technologies, IIoT is not without its challenges. According to a survey of IIoT experts conducted by Convetit, a company that organizes on-line advisory boards and think-tanks for Fortune 500 companies, the top four challenges of IIoT are:

  • The interoperability of different silos and systems
  • The resistance to organizational change
  • Problems implementing IIoT into existing processes, and
  • Increased security risks.

Manage any of these poorly and an IIoT project can hinder rather than help a company.

For every IIoT success story, there have also been some very insecure IIoT projects. Good or bad, the same issues and solutions show up again and again. There are ways, however, to get an IIoT project focused while overcoming the security challenges facing IIoT implementations.

Rethinking IIoT

The Internet of Things (IoT) is a term first coined in 1999, and it defines our era of connected devices. It has most recently been characterized by the explosive rate of the interconnectivity between intelligent objects that are "network-connected" in order to enable information sharing.

It isn’t a revolutionary concept in and of itself—most have been interacting for years with some of the most useful, disruptive, and life-altering connected devices such as the smartphone. Other popular examples of IoT consumer-related goods include home light/temperature controls and wearable biometric devices.

In the industrial world we have been connecting smart devices for decades—network connected remote terminal units (RTUs), programmable logic controllers (PLCs), and human-machine interfaces (HMIs)—are nothing new. What has changed is the depth of integration, its complexity, and the range of devices available. Until recently, most plant data stayed on the plant floor. Any "connectivity" was largely between controllers, input/outputs (I/Os), and operator stations.

What has changed with the IIoT is massive amounts of industrial data can now flow either up into the corporation and "the cloud" or down into increasingly "smart" field devices. Information previously locked into proprietary databases on a plant floor server can now end up accessed by corporate applications around the world.

Perhaps most important, information doesn’t have to only flow up from the plant floor to management. It can simultaneously flow in multiple directions from multiple sources to different "data consumers." At one major U.S. automotive parts manufacturer, measurements from field sensors in hydraulic presses are now being combined with feedback from customers to get better understanding of the indicators of premature product failure.

This interconnectivity requires new ways of looking at how the entire company can effectively integrate and use all the data available in our industrial process. And it requires new ways of understanding how our industrial processes can use the data available from other business units and the end customer to create a safer and more reliable product.

"IIoT is the new label for something which has actually been developing for decades: The growing interconnectivity of ‘cyber’ devices which control physical systems," said Steven C. Venema, chief security architect, Polyverse Group.

Fear of change

The unprecedented scale of information exchange means IIoT is often a transformative process for businesses. Unfortunately, transformations of the workplace often result in deep-seated concerns in staff at all levels. These include macro reasons such as the natural fear of change to delaying factors ranging from the excessive review of possible risk elements to the confusion concerning the actual technologies and protocols to be used.

Consider the daily status meeting, a feature of manufacturing management for over a century. When an IIoT project is deployed, companies find their daily meetings miss huge opportunities to change operations in real time as new information comes in. A meeting format that is more responsive to real time information is often needed. Yet some staff will be reluctant to give up a meeting they have attended for decades.

For an IIoT project to achieve its full benefit, it needs to address these concerns up front. Questions like, "How will this information get routed to the decision-makers? What systems will they use to evaluate it? If something dramatic changes, who gets told? How do we make sure the right people can access the information?" all need answers before the IIoT project is launched. Businesses must strategize with a clear outlook regarding why, what and how their specific organization will implement IIoT technologies.

Not the Field of Dreams

"If you build it, they will come" is not a model for successful IIoT rollouts—but it’s a frequent stumbling block for many companies. When creating an IIoT infrastructure, companies gain the most value by creating it with the end in the mind. Prepare with the skillsets needed to securely implement IIoT in existing processes and to effectively interpret the resulting data. IIoT infiltrates the entire company; it’s a mentality as much as it is a tool. A company culture must be such that it embraces—rather than resists—such a huge organizational overhaul.

As the foundation of such a strategy, it’s often wise to find a platform for alliances. You can enlist the help of organizations which provide the platform for experts to convene on a variety of subjects; these external experts can engage online with your company’s team, either for short timeframes of intense discussion or more routinely over a longer timeframe.

Tom O’Malley, founder and chief executive of Convetit, has seen companies struggle to align their visions with their IIoT strategies. "Lots of folks are trying to figure out why," O’Malley said. "What is your business hoping to gain? Why should senior management decide to implement IIoT? Why is IIoT the optimal strategy?"

It’s essential to interact with IIoT experts whose successes are relevant to your industry; these experts demonstrate by example, explaining their own pitfalls and triumphs to ensure you make the right decisions and to encourage you toward the types of projects which produce real value.

Above all else, remember IIoT is all about driving business value. It’s not just how you’re collecting data through interconnectivity; it’s why you want to do this in the first place.

Eric J. Byres is a leading expert in the field of industrial control system (ICS) and Industrial Internet of Things (IIoT) security. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, Control Engineeringcvavra@cfemedia.com

ONLINE extra

See additional stories from ISSSource about the IIoT linked below.

Learn more about successful IIoT deployments with the technical report "The Industrial Internet of Things: Secrets for Unlocking Business Value in the Digital Future."

Original content can be found at www.isssource.com.