The last time we devoted an issue of our monthly newsletter to the Internet of Things was almost a year ago. Looking back now, we can already spot a number of significant changes in this field that happened during the year 2016. Perhaps the most profound one is that the industry has finally gone past the “peak of inflated expectations” and started thinking less about making everything smart and connected and more about such down-to-earth things as return on investment, industry standards or security concerns.
An obvious consequence of this is the growing divide between the “consumer” and “industrial” segments of the IoT. Consumers are becoming increasingly disillusioned with the very concept of the “smart home”, because the technology that promised to make their lives easier simply does not live up to expectations. Remember the guy who spent 11 hours fixing his Wi-Fi kettle? User experiences like that, combined with inconvenient mobile apps and a complete lack of security or privacy in those smart devices, make more and more people want to go back to the good old “analog” teapots and light bulbs.
The industrial IoT segment, however, continues to grow steadily. With all the new companies rushing to the market, it’s quickly becoming crowded, which inevitably leads to mergers and acquisitions, forming partnerships and growing ecosystems – in other words, the IIoT market is finally showing signs of maturity. By the way, do not let the term “industrial IoT” confuse you: IIoT is not limited to industrial applications; it is going to expand into various market sectors. In fact, we cannot even define a clear border between the “consumer” and “industrial” IoT just by looking at their applications: although your car is definitely a consumer device, many aspects of the technology that make it connected are undoubtedly industrial.
So nowadays, the divide between the consumer and industrial IoT is not between market segments and definitely not in hardware or protocols, but rather in the way those systems handle the information they collect. IoT is no longer just about connecting things over the Internet, but about collecting, storing, analyzing and (last but not least) securing the data those things produce. Because the nature of the information collected by smart consumer devices and by industrial sensors is completely different, they require different technologies to manage that information, to protect it from risks and to ensure compliance.
Consumer IoT products like thermostats or fitness trackers tend to collect relatively small amounts of data, but this information is very personal and sensitive by nature. So, as soon as we sort out the basic security requirements and prevent hackers from building botnets from webcams, the biggest priority is compliance with data protection regulations. Industrial devices like sensors or controllers, on the other hand, usually produce massive streams of data, which must be collected, stored, processed and analyzed in real time to provide better visibility into a manufacturing process, to make your car self-steering or to save a patient from hypoglycemic shock. These use cases, of course, demand completely different technologies, like cloud computing and Big Data analytics, to handle such huge amounts of information quickly and reliably. And, of course, they face a completely different set of security risks.
As we once discussed in a webinar on industrial control system security, Operational Technology security experts have traditionally had completely different priorities with regard to cyber-security vs safety and process continuity, relying more on physical network isolation and proprietary protocols to protect their control and data acquisition systems. With IIoT, however, the situation changes completely – new smart industrial sensors are utilizing the same protocols or even the same hardware as consumer products. They are also communicating over the public Internet, wide open to potential hacking attacks. And although leaking sensor data probably does not constitute a serious security problem, manipulating the data or even the sensors themselves definitely does. By disrupting manufacturing process control, a hacking attack can lead not only to a loss of very real products, but also to equipment damage and even human casualties.
This is why, before embracing the new IIoT technologies for all the great business benefits they bring, OT specialists have to radically rethink their approaches towards cyber-security. The problem is further complicated by the fact that most industrial sensors do not have enough computing power to have any security functionality built into them – so existing OT security solutions developed for Windows-based SCADA environments won’t help much.
A popular approach nowadays is to use special IoT gateways to manage large numbers of devices centrally and to perform initial processing and protocol conversion before sending the collected data to the cloud. These gateways are the most obvious points to integrate security functions as well, providing services like identity and authentication, data integrity and threat protection. Many vendors are already taking the development of such secure gateways even further by offering complete platforms integrating device management and security with the possibility to run authorized third-party software and to integrate legacy devices into the IIoT.
However, traditional approaches like air gapping industrial networks by means of unidirectional gateways, deployment of endpoint protection solutions and, of course, real-time security analytics all have their place in a well-designed layered security infrastructure. After all, if done right, security is not a liability, but a valuable business opportunity.