Some thoughts on security and safety concerns in industrial IoT
Alan Griffiths
EVP/Principal Consultant @ Cambashi | C.Eng I help organisations to optimise their sales and marketing resources using data analytics.
Security is always stated as one of the main concerns about industrial IoT implementations. Of course, all systems need to be secure, so what’s new here?
a) Unlike the world of ‘personal’ IoT, industrial IoT systems often control devices that can endanger life or provide access to secure areas. Security breaches in personal IoT systems, such as DoS (Denial of Service) attacks created by hacking into thousands of devices and causing them to contact a website, are well known – but in those cases the result was loss of service on some major websites. IIoT systems need greater security because the potential impact of a breach is higher.
b) The industrial IoT brings together the worlds of IT (Information Technology) and OT (Operational Technology). In the world of OT, the devices, sensors and software that control and monitor plant and equipment used to be physically separated from any outside connection or interference. This meant that security – while very high – could be less sophisticated than in IT systems, where many users can access the system(s). In ‘closed’ OT systems, there is a secure connection to each device or sensor to provide control and access data. In ‘open’ IT systems, lots of users can log on, so different levels of access control need to be provided. Aspects such as authorisation and authentication of the user, and the integrity and confidentiality of the data being accessed, must be considered. The IT and OT worlds also differ in other ways; for example, in OT systems, safety, resilience and reliability are paramount, and the timescales for device interaction may be extremely short (‘real time’), which has implications for authentication etc.
c) Not only are the characteristics of OT and IT different, but the communications standards and protocols are also different – and numerous. IT engineers and professionals will be familiar with TCP/IP, Ethernet, HTTPS, the OSI seven-layer model and W3C protocols and standards. IoT requires a whole range of different standards and protocols such as MQTT, ZigBee and ISA-95 (from the process controls industry), overseen by organisations such as oneM2M, the OPC, ITU, and the IIC.
d) Industrial IoT combines IT and OT at massive scale – provided by billions of devices connected through the Internet using cloud computing and data storage. Yet it must work within the different requirements and constraints of IT and OT.
The good news is that several standards bodies such as the IIC, NIST and OPC, and major IIoT players like Amazon, IBM and Microsoft, are devising standards, methods and protocols with cybersecurity in mind. With this approach, IoT systems can be developed to be secure at every level and meet the stringent requirements of industrial use.