June 12, 2018

Industrial IoT Security: A Matter of Life and Death

By Lloyd McCoy, manager

Industrial IoT represents one of the biggest success stories in the world of applied IoT. Unfortunately, the proliferation of sensors and smart devices in industrial environments has resulted in a parallel explosion of security vulnerabilities. What does this mean for vendors and partners involved with securing these next-generation networks?

According to IDC, the market for IoT hardware, software, services and connectivity is about $800 billion this year and expected to exceed $1.1 trillion by 2021 – that’s a growth rate of over 14 percent. IDC estimates that in 2018, over $14 billion will be spent on IoT security products worldwide at an annual growth rate of over 10 percent.

IoT vs IIoT

Industrial IoT is, simply put, the use of IoT technologies for industrial purposes. It usually refers to the sensors and devices that facilitate physical processes in industrial environments. What differentiates industrial IoT from general IoT is the prevalence of Operational Technology. OT consists of hardware and software systems that monitor and control physical equipment and processes. OT is often seen in critical infrastructures, such as water, energy and utilities. OT is literally everywhere but often lies behind the scenes.

Key differences between traditional security and industrial IoT security:

  1. There is a substantially larger threat surface being dealt with. The attack surface is expanding because the previously isolated devices in industrial and OT settings are now connected.
  2. The potential consequences of security breaches are far more serious within industrial IoT. While IT security breaches typically result in financial losses, OT security breaches could endanger human lives or cause severe environmental damage.
  3. From a traditional IT security perspective, devices are typically associated with people and passwords. In industrial IoT settings, thousands—or even millions—of sensors, devices or machines could be communicating with each other, with no human associated with them. These devices and machines could even be under management by other devices and machines, resulting in additional degrees of distance from human involvement. The resulting intrusion points and attack vectors are dramatically different in nature.
  4. In the OT environment, there is usually a real-time response requirement, which could be in milliseconds, especially in a machine-to-machine communication scenario. This also must be taken into consideration when thinking about security.

Strategies for Vendors

Security OEMs and partners should develop go-to-market strategies and messaging techniques that address industrial IoT.

It’s important to establish deep relationships with sensor and control system OEMs because they are already working with facility and infrastructure operators. Security messaging should complement or even amplify messaging around automation and efficiency.

Oh, by the way, when speaking to the threat landscape, be sure to make the distinction between industrial IoT threats and IT-related attacks. A lot of the notorious attacks discussed on the news are IT related. Being able to articulate the threats specific to industrial IoT will resonate with customers and differentiate your company’s capabilities.

Additionally, as the IT and OT worlds become more intertwined, customers will need solutions to address the vulnerabilities that might arise from this intermingling. For example, how a breach in an off-premises cloud environment might impact an OT environment.

IIoT Security Is a Must

Traditional industrial environments are evolving to become increasingly connected to the public internet and enterprise business systems and processes. The value proposition is compelling; this provides the ability to leverage analytics from sensor-driven data to deliver more productivity and performance from existing operational processes. Security in connected OT environments has its unique set of challenges, but it must be addressed. Exploration of these weaknesses will require new thinking and approaches.

The ability of industrial IoT to transform our critical infrastructure and thus, our personal lives, cannot be understated. Still, organizations must ensure security is in lockstep if industrial IoT’s full potential is to be unleashed.

Learn more about securing industrial IOT by viewing my recent webinar.

Need guidance on where to start? Learn more about how Arrow’s Market Intelligence organization can help.