Introduction to Industrial IoT Security

Skip to content

Despite the potential of the Industrial IoT market and predictions of rapid growth, adoption rates remain low. If we are to truly realize the potential of the Industrial IoT we need to build trust in connected devices first.

Centuries-old industries that have shaped our way of life are themselves being transformed. Over the years, sectors including construction, energy, manufacturing, agriculture, and mining have become less hands-on and more reliant on new technologies. Now, the Internet of Things (IoT) is driving a fresh wave of innovation.

The connected devices that are used in these more industrial settings are collectively known as the Industrial IoT (IIoT). They may be sensors, gateways, drives, switches, cameras, or robots and they provide the intelligence and insights needed to improve efficiency and productivity, increase revenue, and unlock new opportunities. As McKinsey & Company explain: “IIoT—and digital transformation more broadly— represent a wholesale rethinking of value creation: a way to increase it, improve it, and accelerate it. IIoT helps companies acquire and analyze data, turn it into actionable insights to solve problems, and make decisions faster.” However, the potential of the IIoT should not be overshadowed by concerns about security.

The Industrial IoT

The Convergence of IT and OT

However, what makes the IIoT such an important development is that it involves the convergence of IT and OT – systems that were previously separate. The conventional IT (Information Technology) systems used to run the back office, and the OT (Operational Technology) systems used to run the production and the factory floor.

When we bring IT and OT together, we are merging different technologies and we have to find a new way to think about the opportunities – and the risks – that presents. According to the UK’s National Cyber Security Centre: “Where cybersecurity for IT has traditionally been concerned with information confidentiality, integrity, and availability, OT priorities are often safety, reliability, and availability, as there are clearly physical dangers associated with OT failure or malfunction.”

A recent study found that 61% of manufacturers have experienced cybersecurity incidents in their smart factories. In June 2021, the world’s largest meat producer JBS S.A were forced to shut down all of its US beef plants after a cyberattack. All of the company’s beef plants were forced to shut and all other JBS meatpacking facilities in the US experienced some level of disruption. It’s still unclear how many plants globally were affected by the ransomware attack, but the prospect of future attacks is already upending agricultural markets and raising concerns about attacks on critical infrastructure.

The digital transformation of construction, energy, manufacturing, agriculture, and mining industries is gathering pace. It means more of the processes that underpin these sectors are being automated and components that provide the data needed to drive efficiency and productivity are being connected to the internet. Over the next four years, analysts predict the number of IIoT devices will more than double to 36.8 billion. For asset owners and operators, that exposes them to a wide range of new threats.

Industrial IoT Security

Although production shutdown can be very costly, it is not necessarily the most damaging consequence of an IIoT cyber-attack. IIoT environments are full of dangerous equipment and hazards, that, if compromised, can risk the safety of both employees and customers. Similarly, gaining illicit access to critical infrastructure such as power grids, dams, or oil supplies can risk the health and safety of entire communities. For many in the IIoT space, the increased security challenges are already weighing on their minds. Just over half (55%) of the respondents from more than 300 industrial organizations surveyed by ARC Advisory Group and Kaspersky said they expect the use of IIoT components to have the biggest impact on the cybersecurity of their OT or industrial control systems.

These security concerns can also differ across different IIoT applications. For example, as manufacturing is expected to digitalize rapidly in the near future and transform into industry 4.0, much work has been done on establishing security vulnerabilities and producing clear guidelines and requirements for the manufacturing industry. For other applications such as smart construction or smart agriculture the risks, and therefore the solutions, are not as obvious- complicating the security journey for device manufacturers.

There are three main security challenges facing IIoT device developers that span multiple applications:     

Due to the cost of machinery many customers are looking to update their legacy devices rather than buy new. This raises significant challenges as these devices can be decades old.

Upgrading Legacy Devices

Some of the devices used in plants or factories, or even within agriculture and construction will be decades old, with proprietary software and they have been designed to meet specific requirements. As a result, they are difficult to update and secure. Adding connectivity to these machines can be risky and costly, as hardware and software solutions provider, Lantronix, explains: “That leaves a lot of useful data locked away in a massive array of equipment, like motors, pumps, factory tools, HVAC (Heating Ventilation and Air Conditioning) units, vending machines, and much more. Thus, there is a definite need to address connectivity and interoperability of legacy systems to avoid the enormous cost of replacing all existing infrastructure with next-generation equipment that can securely connect to the Internet.”

Some of the devices used in plants or factories, or even within agriculture and construction will be decades old, with proprietary software and they have been designed to meet specific requirements. As a result, they are difficult to update and secure. Adding connectivity to these machines can be risky and costly, as hardware and software solutions provider, Lantronix, explains: “That leaves a lot of useful data locked away in a massive array of equipment, like motors, pumps, factory tools, HVAC (Heating Ventilation and Air Conditioning) units, vending machines, and much more. Thus, there is a definite need to address connectivity and interoperability of legacy systems to avoid the enormous cost of replacing all existing infrastructure with next-generation equipment that can securely connect to the Internet.”

Complying with Industry Standards 

Governments and regulatory bodies recognize the risks of insecurity to organizations and citizens, and they are introducing new legislation, standards, and baseline requirements that the developers of all IoT products must comply with. For the IIoT market, there are also several industry-specific standards including NIST CSF, ISO 27000, and ENISA standards. However, the IEC62443 series, from the International Electrotechnical Commission is considered the market priority. IEC62443 defines requirements for whole industrial control systems, as well as the components that make up those systems. Ensuring a product meets the different standards can be difficult, time-consuming, and costly, especially for small businesses that lack resources and expertise or for businesses looking to ship products globally.

Governments and regulatory bodies recognize the risks of insecurity to organizations and citizens, and they are introducing new legislation, standards, and baseline requirements that the developers of all IoT products must comply with. For the IIoT market, there are also several industry-specific standards including NIST CSF, ISO 27000, and ENISA standards. However, the IEC62443 series, from the International Electrotechnical Commission is considered the market priority. IEC62443 defines requirements for whole industrial control systems, as well as the components that make up those systems. Ensuring a product meets the different standards can be difficult, time-consuming, and costly, especially for small businesses that lack resources and expertise or for businesses looking to ship products globally.

A Lack of Security Expertise

It is also hard to secure a device if you do not have access to security expertise or your team’s expertise is limited to IT. Whether you are planning to make a legacy device connected or creating a new device, security must be built into the device from the ground up and embedded into every layer. Therefore, a knowledge of IIoT hardware, software, operating systems, and application security is required. This raises significant challenges for device manufacturers who may understand the end-device security requirements but may not have specialist security expertise. Greater collaboration from the value chain is needed to bridge these knowledge gaps and allow device manufacturers to leverage security expertise from silicon vendors and system software providers.

The Importance of Trust in the IIoT

The IIoT could transform the way industries operate, making them safer, more efficient, productive, and cost-effective. It could also enable organizations to realize the potential of artificial intelligence and machine learning at the edge. However, to benefit from the advances in connected technologies we must be able to trust them and the data they generate. Despite predictions that the IIoT market will grow rapidly, there is an acknowledgment that Industrial IoT adoption, and in particular Industry 4.0 adoption remains slow. The third annual IoT Report from the UK electronics distributor Farnell found that this was primarily due to security concerns, with 32% of respondents identifying this as the main factor impacting the adoption of smart manufacturing solutions. Organizations and authorities will not be willing to put their business, revenue, and people’s safety at risk.

Build on Best Practice and Certified Components

PSA Certified, an industry-backed framework and assurance scheme, is helping to combat IoT security challenges and build trust in the IIoT. Developed by security experts from around the world, PSA Certified includes a comprehensive set of freely available resources to help you design the right size security into your IoT device. Implementing security from the chip level, starting with a Root of Trust (RoT), is crucial to device integrity and ensures that the security state can be determined across the ecosystem.

By providing multiple levels of certification for silicon, PSA Certified is simplifying the implementation of best-practice security for device manufacturers, allowing them to easily select and consume the certification of an appropriately robust chip. By building on pre-certified silicon and system software, device manufacturers can leverage security expertise from the value chain, allowing them to focus on device-level security knowing they have selected a secure foundation for their device. As well as mapping to most major legislations and standards, meeting the foundational security requirements of PSA Certified also provides a standardized baseline on which to build an IEC62443 compliant system.

Centuries-old industries that have shaped our way of life are themselves being transformed. Over the years, sectors including construction, energy, manufacturing, agriculture, and mining have become less hands-on and more reliant on new technologies. Now, the Internet of Things (IoT) is driving a fresh wave of innovation. However, the potential of the Industrial Internet of Things (IIoT) should not be overshadowed by concerns about security.  The connected devices that are used in these more industrial settings are collectively known as the Industrial IoT (IIoT). They may be sensors, gateways, drives, switches, cameras, or robots and they provide the intelligence and insights needed to improve efficiency and productivity, increase revenue, and unlock new opportunities. As McKinsey & Company explain: “IIoT—and digital transformation more broadly— represent a wholesale rethinking of value creation: a way to increase it, improve it, and accelerate it. IIoT helps companies acquire and analyze data, turn it into actionable insights to solve problems, and make decisions faster.”  The Industrial IoT    The Convergence of IT and OT  However, what makes the IIoT such an important development is that it involves the convergence of IT and OT – systems that were previously separate. The conventional IT (Information Technology) systems used to run the back office, and the OT (Operational Technology) systems used to run the production and the factory floor.  When we bring IT and OT together, we are merging different technologies and we have to find a new way to think about the opportunities - and the risks - that presents. According to the UK’s National Cyber Security Centre: “Where cybersecurity for IT has traditionally been concerned with information confidentiality, integrity, and availability, OT priorities are often safety, reliability, and availability, as there are clearly physical dangers associated with OT failure or malfunction.”  A recent study found that 61% of manufacturers have experienced cybersecurity incidents in their smart factories. In June 2021, the world’s largest meat producer JBS S.A were forced to shut down all of its US beef plants after a cyberattack. All of the company’s beef plants were forced to shut and all other JBS meatpacking facilities in the US experienced some level of disruption. It’s still unclear how many plants globally were affected by the ransomware attack, but the prospect of future attacks is already upending agricultural markets and raising concerns about attacks on critical infrastructure.   The digital transformation of construction, energy, manufacturing, agriculture, and mining industries is gathering pace. It means more of the processes that underpin these sectors are being automated and components that provide the data needed to drive efficiency and productivity are being connected to the internet. Over the next four years, analysts predict the number of IIoT devices will more than double to 36.8 billion. For asset owners and operators, that exposes them to a wide range of new threats.  Industrial IoT Security  Although production shutdown can be very costly, it is not necessarily the most damaging consequence of an IIoT cyber-attack. IIoT environments are full of dangerous equipment and hazards, that, if compromised, can risk the safety of both employees and customers. Similarly, gaining illicit access to critical infrastructure such as power grids, dams, or oil supplies can risk the health and safety of entire communities. For many in the IIoT space, the increased security challenges are already weighing on their minds. Just over half (55%) of the respondents from more than 300 industrial organizations surveyed by ARC Advisory Group and Kaspersky said they expect the use of IIoT components to have the biggest impact on the cybersecurity of their OT or industrial control systems.   These security concerns can also differ across different IIoT applications. For example, as manufacturing is expected to digitalize rapidly in the near future and transform into industry 4.0, much work has been done on establishing security vulnerabilities and producing clear guidelines and requirements for the manufacturing industry. For other applications such as smart construction or smart agriculture the risks, and therefore the solutions, are not as obvious- complicating the security journey for device manufacturers.   There are three main security challenges facing IIoT device developers that span multiple applications:        Upgrading Legacy Devices  Some of the devices used in plants or factories, or even within agriculture and construction will be decades old, with proprietary software and they have been designed to meet specific requirements. As a result, they are difficult to update and secure. Adding connectivity to these machines can be risky and costly, as hardware and software solutions provider, Lantronix, explains: “That leaves a lot of useful data locked away in a massive array of equipment, like motors, pumps, factory tools, HVAC (Heating Ventilation and Air Conditioning) units, vending machines, and much more. Thus, there is a definite need to address connectivity and interoperability of legacy systems to avoid the enormous cost of replacing all existing infrastructure with next-generation equipment that can securely connect to the Internet.”  Complying with Industry Standards  Governments and regulatory bodies recognize the risks of insecurity to organizations and citizens, and they are introducing new legislation, standards, and baseline requirements that the developers of all IoT products must comply with. For the IIoT market, there are also several industry-specific standards including NIST CSF, ISO 27000, and ENISA standards. However, the IEC62443 series, from the International Electrotechnical Commission is considered the market priority. IEC62443 defines requirements for whole industrial control systems, as well as the components that make up those systems. Ensuring a product meets the different standards can be difficult, time-consuming, and costly, especially for small businesses that lack resources and expertise or for businesses looking to ship products globally.    A Lack of Security Expertise  It is also hard to secure a device if you do not have access to security expertise or your team’s expertise is limited to IT. Whether you are planning to make a legacy device connected or creating a new device, security must be built into the device from the ground up and embedded into every layer. Therefore, a knowledge of IIoT hardware, software, operating systems, and application security is required. This raises significant challenges for device manufacturers who may understand the end-device security requirements but may not have specialist security expertise. Greater collaboration from the value chain is needed to bridge these knowledge gaps and allow device manufacturers to leverage security expertise from silicon vendors and system software providers.    The Importance of Trust in the IIoT  The IIoT could transform the way industries operate, making them safer, more efficient, productive, and cost-effective. It could also enable organizations to realize the potential of artificial intelligence and machine learning at the edge. However, to benefit from the advances in connected technologies we must be able to trust them and the data they generate. Despite predictions that the IIoT market will grow rapidly, there is an acknowledgment that Industrial IoT adoption, and in particular Industry 4.0 adoption remains slow. The third annual IoT Report from the UK electronics distributor Farnell found that this was primarily due to security concerns, with 32% of respondents identifying this as the main factor impacting the adoption of smart manufacturing solutions. Organizations and authorities will not be willing to put their business, revenue, and people’s safety at risk.   Build on Best Practice and Certified Components  PSA Certified, an industry-backed framework and assurance scheme, is helping to combat IoT security challenges and build trust in the IIoT. Developed by security experts from around the world, PSA Certified includes a comprehensive set of freely available resources to help you design the right size security into your IoT device. Implementing security from the chip level, starting with a Root of Trust (RoT), is crucial to device integrity and ensures that the security state can be determined across the ecosystem.   By providing multiple levels of certification for silicon, PSA Certified is simplifying the implementation of best-practice security for device manufacturers, allowing them to easily select and consume the certification of an appropriately robust chip. By building on pre-certified silicon and system software, device manufacturers can leverage security expertise from the value chain, allowing them to focus on device-level security knowing they have selected a secure foundation for their device. As well as mapping to most major legislations and standards, meeting the foundational security requirements of PSA Certified also provides a standardized baseline on which to build an IEC62443 compliant system.   Realize the Potential of the IIoT With Our Ecosystem Partners  We have an ecosystem of partners that have developed products for industrial clients. Their devices have been independently evaluated and certified, so we know they were built with security in mind.  •	How the IoT is Changing Construction with Flex Our partners at Flex have been working with a London-based start-up to improve productivity in the construction industry. •	IoT Devices and the Cost of Cybersecurity with Flex Flex joins us in this episode of the #beyondthenow podcast to discuss how they approach security and why there should always be space on the bill of materials for security.  •	Eurotech achieves PSA Certified Level 1 on the ReliaGATE 10-14 Eurotech celebrated PSA Certified Level 1 on their ReliaGATE 10-14, a multiservice IoT Gateway designed for industrial applications. •	How To Navigate the Journey to Autonomous Factories, & Supply Chains Arm, a PSA Certified co-founder, examines the drivers behind the move to autonomous factories and supply chains, including the challenges and solutions that will enable this vision of the future. •	Six Key Considerations for the IIoT Start your security journey in just six steps with our handy guide to Industrial IoT security. •	Unpicking OEM IoT Security Challenges with Flex, Eurotech, and ams OSRAM In this webinar PSA Certified partners Flex, Eurotech and ams OSRAM examine 6 IoT security challenges for OEMs, including legacy devices and regulatory fragmentation, and how we can collaborate on the solutions.

Realize the Potential of the IIoT With Our Ecosystem Partners

We have an ecosystem of partners that have developed products for industrial clients. Their devices have been independently evaluated and certified, so we know they were built with security in mind.