The concept of IoT has changed a lot since the term was coined more than 20 years ago. Today, IoT refers to anything that can transfer data over a network, including the internet, without human direction or intervention.
Automation has been the driving force behind the development of IoT. Indeed, the ability to transform household appliances and electric lights into so-called smart home systems has been available at the consumer level for more than 40 years. Today, security systems, environmental controls, motion sensors, video doorbells, door openers and locking systems are ubiquitous, managed by smartphone apps that harness data transmitted through internet and cellular networks.
The evolution of industrial control
Industry has long had a requirement to measure and control pressure, temperature and flow, among other processes. In response, industrial control systems (ICSes) have emerged to help manufacturers and other businesses manage their production systems.
Programmable logic controllers (PLCs) were the first devices with the capability to monitor and control the various elements associated with these manufacturing processes. PLC-based systems quickly evolved into distributed control systems (DCSes) that focused on high reliability by employing numerous control loops, thus reducing reliance on centralized controllers. The controllers used in DCSes form cyber-physical systems where physical mechanisms are controlled by computer systems and algorithms.
An element often found in ICSes is a control system architecture known as supervisory control and data acquisition (SCADA). These SCADA architectures provide operators with the framework they need to monitor operational technology (OT), as well as remotely manage the disparate controllers overseeing the manufacturing process.
OT differs from IT. Where IT refers to the hardware, software and communication systems for processing information in an enterprise, OT covers the management of ICSes. OT systems do not generate data used in enterprise management. In addition, OT has traditionally existed outside the firewall. Security was primarily handled by physically limiting who could access the systems overseeing the manufacturing process.
Looming IIoT security risks
Industrial IoT (IIoT) is the offshoot of IoT that focuses on industrial control. Controllers, instruments, sensors and other data acquisition devices are networked together to monitor and control industrial processes. IIoT uses internet technology and protocols — both cloud-based and on premises — to optimize how manufacturing processes are automated and managed. In essence, it’s the unification of OT and IT.
The convergence of IoT and IIoT offers numerous benefits, among them increased productivity, improved communications and the availability of real-time data. However, it’s important to remember the potentially serious IIoT security risks that come with these benefits. Here are a few of the most significant.
Data security. The placement of ICSes on the public internet represents a tremendous risk. Security for these systems has traditionally depended upon organizations physically limiting access to the hardware and software that oversee the manufacturing process. With IIoT, that layer of physical security is eliminated. Privacy is another consideration. Much of the data most at risk is information about people: their personal and financial information and other forms of personally identifiable information (PII) that can be used for identity theft and other forms of fraud.
Network security. IIoT encompasses the most critical infrastructure sectors, among them the electrical power grid, telecommunications and finance — along with their respective supply chains. As a result, these segments attract interest from a wide variety of bad actors, including nation-states and individual criminals, intent on causing disruption and stealing data, including PII and intellectual property.
Finally, companies need to pay attention to how their IIoT devices use wireless technologies, such as Bluetooth, 4G LTE and, eventually, 5G, each of which has its own security issues. Even older 2G and 3G technologies may still be in use.
Nation-state risks. Because IIoT systems are often less secure than enterprise systems, they are an attractive target for nation-state actors who attempt to exploit the multiple entry points and bridges into these important environments. It doesn’t take much effort to imagine the impact on a city and its population if electrical service was interrupted as a result of a malicious attack.
Supply chain risks. Regardless of how well a given IIoT device is designed and secured, its individual components pose a significant security risk. Many of the parts needed to build IIoT devices are sourced from outside of the United States, and there is no guarantee that these components haven’t already been compromised by the time they are made part of the finished device.
Don’t ignore IIoT security
It is axiomatic that, with respect to internet security, remedies follow threats. A breach is detected; the underlying vulnerability is identified and eliminated; and the situation is monitored to ensure there are no further incursions.
That approach isn’t sustainable when it comes to critical IIoT security for systems that might manage water, air traffic control or other critical infrastructures. Companies don’t have the weeks or months necessary to detect and remediate gaps in their IIoT security. The risks are just too high and the outcomes too severe.