Introduction to Industrial IoT Security

Despite the potential of the Industrial IoT market and predictions of rapid growth, adoption rates remain low. If we are to truly realize the potential of the Industrial IoT we need to build trust in connected devices first.

Centuries-old industries that have shaped our way of life are themselves being transformed. Over the years, sectors including construction, energy, manufacturing, agriculture, and mining have become less hands-on and more reliant on new technologies. Now, the Internet of Things (IoT) is driving a fresh wave of innovation.

The connected devices that are used in these more industrial settings are collectively known as the Industrial IoT (IIoT). They may be sensors, gateways, drives, switches, cameras, or robots and they provide the intelligence and insights needed to improve efficiency and productivity, increase revenue, and unlock new opportunities. As McKinsey & Company explain: “IIoT—and digital transformation more broadly— represent a wholesale rethinking of value creation: a way to increase it, improve it, and accelerate it. IIoT helps companies acquire and analyze data, turn it into actionable insights to solve problems, and make decisions faster.” However, the potential of the IIoT should not be overshadowed by concerns about security.

The Industrial IoT

Industrial IoT Security

Although production shutdown can be very costly, it is not necessarily the most damaging consequence of an IIoT cyber-attack. IIoT environments are full of dangerous equipment and hazards, that, if compromised, can risk the safety of both employees and customers. Similarly, gaining illicit access to critical infrastructure such as power grids, dams, or oil supplies can risk the health and safety of entire communities. For many in the IIoT space, the increased security challenges are already weighing on their minds. Just over half (55%) of the respondents from more than 300 industrial organizations surveyed by ARC Advisory Group and Kaspersky said they expect the use of IIoT components to have the biggest impact on the cybersecurity of their OT or industrial control systems.

These security concerns can also differ across different IIoT applications. For example, as manufacturing is expected to digitalize rapidly in the near future and transform into industry 4.0, much work has been done on establishing security vulnerabilities and producing clear guidelines and requirements for the manufacturing industry. For other applications such as smart construction or smart agriculture the risks, and therefore the solutions, are not as obvious- complicating the security journey for device manufacturers.

There are three main security challenges facing IIoT device developers that span multiple applications:     

Upgrading Legacy Devices

Some of the devices used in plants or factories, or even within agriculture and construction will be decades old, with proprietary software and they have been designed to meet specific requirements. As a result, they are difficult to update and secure. Adding connectivity to these machines can be risky and costly, as hardware and software solutions provider, Lantronix, explains: “That leaves a lot of useful data locked away in a massive array of equipment, like motors, pumps, factory tools, HVAC (Heating Ventilation and Air Conditioning) units, vending machines, and much more. Thus, there is a definite need to address connectivity and interoperability of legacy systems to avoid the enormous cost of replacing all existing infrastructure with next-generation equipment that can securely connect to the Internet.”

Complying with Industry Standards 

Governments and regulatory bodies recognize the risks of insecurity to organizations and citizens, and they are introducing new legislation, standards, and baseline requirements that the developers of all IoT products must comply with. For the IIoT market, there are also several industry-specific standards including NIST CSF, ISO 27000, and ENISA standards. However, the IEC62443 series, from the International Electrotechnical Commission is considered the market priority. IEC62443 defines requirements for whole industrial control systems, as well as the components that make up those systems. Ensuring a product meets the different standards can be difficult, time-consuming, and costly, especially for small businesses that lack resources and expertise or for businesses looking to ship products globally.

A Lack of Security Expertise

It is also hard to secure a device if you do not have access to security expertise or your team’s expertise is limited to IT. Whether you are planning to make a legacy device connected or creating a new device, security must be built into the device from the ground up and embedded into every layer. Therefore, a knowledge of IIoT hardware, software, operating systems, and application security is required. This raises significant challenges for device manufacturers who may understand the end-device security requirements but may not have specialist security expertise. Greater collaboration from the value chain is needed to bridge these knowledge gaps and allow device manufacturers to leverage security expertise from silicon vendors and system software providers.

The Importance of Trust in the IIoT

The IIoT could transform the way industries operate, making them safer, more efficient, productive, and cost-effective. It could also enable organizations to realize the potential of artificial intelligence and machine learning at the edge. However, to benefit from the advances in connected technologies we must be able to trust them and the data they generate. Despite predictions that the IIoT market will grow rapidly, there is an acknowledgment that Industrial IoT adoption, and in particular Industry 4.0 adoption remains slow. The third annual IoT Report from the UK electronics distributor Farnell found that this was primarily due to security concerns, with 32% of respondents identifying this as the main factor impacting the adoption of smart manufacturing solutions. Organizations and authorities will not be willing to put their business, revenue, and people’s safety at risk.

Build on Best Practice and Certified Components

PSA Certified, an industry-backed framework and assurance scheme, is helping to combat IoT security challenges and build trust in the IIoT. Developed by security experts from around the world, PSA Certified includes a comprehensive set of freely available resources to help you design the right size security into your IoT device. Implementing security from the chip level, starting with a Root of Trust (RoT), is crucial to device integrity and ensures that the security state can be determined across the ecosystem.

By providing multiple levels of certification for silicon, PSA Certified is simplifying the implementation of best-practice security for device manufacturers, allowing them to easily select and consume the certification of an appropriately robust chip. By building on pre-certified silicon and system software, device manufacturers can leverage security expertise from the value chain, allowing them to focus on device-level security knowing they have selected a secure foundation for their device. As well as mapping to most major legislations and standards, meeting the foundational security requirements of PSA Certified also provides a standardized baseline on which to build an IEC62443 compliant system.

Realize the Potential of the IIoT With Our Ecosystem Partners

We have an ecosystem of partners that have developed products for industrial clients. Their devices have been independently evaluated and certified, so we know they were built with security in mind.