Consumer-facing Internet of Things (IoT) devices, from smart refrigerators to Internet-connected lightbulbs, have proliferated rapidly in recent years. The same is true of Industrial Internet of Things (IIoT) devices designed to improve efficiency and productivity in the manufacturing sector.
While IoT devices are very visible because of the role they play in consumers’ daily lives, IIoT technologies have received less attention because they are only used within industrial settings.
With projections estimating that $6 trillion will be spent on IIoT solutions over the course of the next five years, rapid growth in IIoT devices is set to continue.
This will bring a range of new security threats that may affect, not just the critical infrastructure where they are deployed, but also the Internet users and online firms that rely on secure networks and manufacturing processes.
The sheer number of sensors and IoT and IIoT devices now being deployed creates a much larger attack surface, with more potentially vulnerable devices than ever before for attackers to target.
These risks have already manifested in serious incidents. The “Industroyer,” or “Crash Override,” malware cut power to part of Kyiv in December 2016 by speaking industrial control protocols directly to substation equipment, and the massive Mirai botnet of compromised IoT security cameras and routers, recruited through factory-default passwords, was used to launch several record-breaking distributed denial-of-service attacks in 2016.
Attacks like these are larger and more damaging than many pre-IoT cyberattacks because of their scale and their physical consequences, and they have also proved much harder to mitigate: a compromised device often cannot be patched or taken offline without interrupting the process it controls.
Furthermore, security standards and requirements are highly fragmented by region and country as governments have started regulating IoT technologies in very different and sometimes conflicting ways. This creates challenges for manufacturers and developers who are trying to create and deploy these services for a global market.
For instance, Japanese regulation aimed at strengthening the security of IoT devices has explicitly authorised a government research institute to probe Internet-connected devices for default and commonly used passwords and notify their owners, in the hope that this will focus more security attention on these technologies. Activity of that kind is largely forbidden in the USA, where unauthorised access to a computer is a criminal offence under the Computer Fraud and Abuse Act.
Meanwhile, Australia has explored using an IoT security rating system to assess devices, and the UK has released a voluntary IoT security code of practice.
A further complicating factor is that few, if any, of these regulations recognise the significant differences between IIoT and IoT technology, so they fail to take into account the unique challenges posed by the IIoT ecosystem.
IIoT devices are located in industrial settings rather than consumer ones, and they typically facilitate structured machine-to-machine connections rather than ad hoc people-to-people or people-to-Internet connections.
For instance, IIoT sensors are used to monitor machine performance in factories and provide predictive diagnostics that connect maintenance and production processes, avoiding unplanned downtime. Because these connections operate without a human in the loop, malfunctions and security bugs can go undetected for extended periods of time.
IIoT devices have very different longevity and reliability expectations. While IoT devices are typically designed to last between two and five years, IIoT technologies are designed to last for anywhere from ten to 30 years and withstand harsh industrial environments.
Continuity of service is crucial for IIoT devices. Stringent reliability and availability requirements make IIoT systems harder to update, because applying a patch or configuration change usually requires taking equipment offline, which may lead to unacceptable business interruptions or loss of revenue. Security fixes therefore tend to wait for scheduled maintenance windows, leaving known vulnerabilities exposed in the meantime.
IIoT systems must also coexist with legacy systems and support proprietary protocols, many of which were designed without authentication or encryption, whereas IoT devices are typically based on open, standardised protocols.
There are also economic challenges to securing the IIoT ecosystem. The IIoT supply chain is complex, making it difficult to secure and difficult to assign clear liability to various stakeholders for vulnerabilities introduced at different stages of the supply chain.
Third-party conformity assessment of IIoT device components, together with a periodic inventory of deployed IIoT technologies, is important to ensure that only trusted devices are installed and operational.
IIoT technologies hold tremendous promise to boost productivity and efficiency in our critical infrastructures, but that promise will only be realised if some of the challenges facing manufacturers and technology providers are addressed.
A lack of harmonised global standards for IIoT security has hindered the adoption and deployment of many available security measures. Aligning IIoT system-level requirements across manufacturers is difficult because of an ever-changing set of uncoordinated cybersecurity standards, guidelines, and regulations.
Many countries are in the process of developing their own security standards for IoT devices and critical infrastructure. But in many cases, existing security standards have not been designed with the complexities of IIoT devices in mind.
It is essential that industry stakeholders work together to help add appropriate global security standards to address the existing technical and economic challenges.
It is also important for companies and academic institutions to begin forging partnerships to develop a strong pipeline of professionals in this area, as well as instigating internal training programmes to cultivate cybersecurity awareness and skills within IIoT firms. Initiatives like these will help meet the growing demand for managing IIoT systems in Australia and globally.
Michael Regelski is Chief Technology Officer at Eaton Corp. He recently addressed the IEC Cybersecurity Council in Sydney advocating for a global standard that provides consistency for manufacturers.