Guest Post: IHS Predicts IIoT Cybersecurity Will Increasingly Be Implemented in Hardware
By Sam Lucero, Sr. Principal Analyst, M2M & IoT at IHS Technology
IIoT & Cybersecurity
As IIoT systems create ever more critical dependencies in plant, energy infrastructure, and transportation environments, developers and deploying organizations will turn to hardware-enabled cybersecurity to stave off proliferating cyberattacks. Although the use of secure processors in smartcard applications, such as bank cards, mobile phone SIM cards, and digital ID documents, is common, IIoT developers have barely begun to adopt a hardware-enabled approach. Instead, “root of trust” technologies, such as secure key storage, cryptography, and secure boot, are handled in software on the main application processor of the device. IHS estimates that in 2015 only 9.8% of all secure processors shipped were intended for IoT applications (that is, all of IoT, not just IIoT).
The challenge with this software-based approach is that security functions on the application processor share common memory resources with other functions and are therefore exposed and vulnerable to malicious attack. Hardware isolation reduces (but cannot completely eliminate) this exposure and therefore dramatically increases the security of the device. This increased security is fundamentally why bank cards, mobile phones, and now ePassports have shifted to the use of hardware-based security.
Looking Ahead
A lingering question regarding the use of secure processors in IIoT applications is whether implementation will be in the form of a second coprocessor chip placed alongside the host application processor, or whether cybersecurity hardware intellectual property will be integrated directly into an application processor. (Integration of cybersecurity circuitry still achieves hardware isolation in contrast to software, although some physical security measures may become impractical.)
Chip companies such as Atmel, NXP, and Renesas Electronics have adopted this integrated approach for at least some of their respective portfolios targeting the IoT. It remains to be seen whether an integrated approach will be successful. While integration helps to reduce the overall device bill of materials, it can increase the cost and complexity of cybersecurity certification relative to a “two-chip” solution.
About Sam Lucero
Sam Lucero is a seasoned industry analyst with over 14 years of experience analyzing telecommunications and networking technology markets. He has spent the last ten years assessing the markets for machine-to-machine (M2M) and Internet of Things (IoT) applications. Sam has established leading M2M market research programs and managed international teams of industry analysts. He has authored numerous reports, forecast databases, and topical articles covering various aspects of the M2M/IoT market opportunity and has been widely quoted in news and trade journals, from the New York Times and the Economist to CNET and Wireless Week. Furthermore, Sam has moderated, presented, and judged at a number of industry events, including CTIA and Connected World. In 2014 Sam was named one of six “Augural Analysts” for M2M by Connected World Magazine.
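The IHS post above names secure key storage and secure boot as root-of-trust functions that become exposed when they run in software on the application processor, sharing memory with everything else. As an added illustration (not code from IHS, the author, or any vendor named above), the Python below simulates a minimal secure-boot chain built around that isolation idea: the device key lives only inside a simulated secure element that exposes a verify operation, each boot stage is allowed to run only if its tag checks out, and a hash chain over the images that actually booted is produced as a measurement that could later be reported for attestation. It uses a symmetric HMAC tag in place of the asymmetric signatures most production schemes use, and all names, keys and image bytes are constructed for the example.

```python
import hashlib
import hmac

# Constructed example: a simplified secure-boot chain. The device-unique key
# lives only inside the simulated secure element; host-side boot code gets a
# verify() interface and never holds the key bytes in its own memory.


class SecureElement:
    """Simulated hardware root of trust holding a device-unique key.

    Only verification is exposed. In real silicon the key would sit in
    isolated, non-readable storage; here the object boundary stands in
    for that isolation (assumption of the example)."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key  # assumed provisioned at manufacture

    def verify_image(self, image: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._device_key, image, hashlib.sha256).digest()
        # compare_digest avoids leaking tag bytes via timing differences
        return hmac.compare_digest(expected, tag)


def sign_image(device_key: bytes, image: bytes) -> bytes:
    """Build-server side: produce the tag flashed alongside an image.

    This runs in the secure manufacturing/build environment, not on the
    device, so the device itself never needs a signing capability."""
    return hmac.new(device_key, image, hashlib.sha256).digest()


def secure_boot(se: SecureElement, stages):
    """Walk the boot chain, stage by stage.

    stages is a list of (name, image_bytes, tag). A stage runs only if the
    root of trust accepts its tag; the first failure halts the chain so no
    unverified code, and nothing after it, ever executes.

    Returns (names_of_stages_that_booted, measurement). The measurement is a
    hash chain over the booted images, the same construction a TPM-style
    PCR extend uses, so a verifier can later check what actually ran."""
    booted = []
    measurement = b"\x00" * 32  # PCR-like register starts zeroed
    for name, image, tag in stages:
        if not se.verify_image(image, tag):
            break  # halt: do not execute this stage or any later one
        booted.append(name)
        image_digest = hashlib.sha256(image).digest()
        measurement = hashlib.sha256(measurement + image_digest).digest()
    return booted, measurement


def build_demo():
    """Construct a good chain and a tampered chain for demonstration."""
    device_key = b"\x01" * 32  # constructed; real keys are random, per-device
    se = SecureElement(device_key)
    bootloader = b"BOOTLOADER v1 (constructed stand-in for real image bytes)"
    firmware = b"FIRMWARE v7 (constructed stand-in for real image bytes)"
    good_chain = [
        ("bootloader", bootloader, sign_image(device_key, bootloader)),
        ("firmware", firmware, sign_image(device_key, firmware)),
    ]
    # Tampered chain: one byte of the firmware altered after it was signed,
    # with the original tag left in place.
    tampered_fw = bytearray(firmware)
    tampered_fw[0] ^= 0x01
    tampered_chain = [
        good_chain[0],
        ("firmware", bytes(tampered_fw), good_chain[1][2]),
    ]
    return se, good_chain, tampered_chain


if __name__ == "__main__":
    se, good, bad = build_demo()
    booted, measurement = secure_boot(se, good)
    print("good chain booted:", booted, "measurement:", measurement.hex()[:16])
    booted, measurement = secure_boot(se, bad)
    print("tampered chain booted:", booted, "measurement:", measurement.hex()[:16])
```

Two properties matter here and both follow from the key never leaving the secure element: host code cannot forge a tag for modified firmware, and the measurement of a tampered boot differs from the measurement of a good one, so a back end that records the expected value can detect the device that halted early or was provisioned with a different key.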
IIoT Bold Prediction Series Part 3: Predictive Analytics Alters Fundamental IT/OT Practices
So far, our series of IIoT Bold Predictions for 2016 has focused on the concepts of IIoT security and government’s regulatory role in the development of IoT and IIoT devices. Today, we’re changing gears a bit, with a prediction from Scott Allen, FreeWave’s CMO, which focuses on the implementation of IIoT technology into big data practices to create real-time, data-driven intelligence.
Prediction #3: Predictive Analytics Alters Fundamental IT/OT Practices
Predictive analytics will change the nature of industrial communication systems and networks significantly over the next five years. Certain industrial sectors, like manufacturing, utilities, and oil and gas, have long utilized machine-to-machine (M2M) technology as the backbone of operations technology. However, as IIoT communication technology continues to improve at a rapid pace, these industries will begin implementing tech and business practices designed to create data synergy that will ultimately provide predictive analytics for better decision making.
There are two elements at work that will push predictive analytics to the forefront of industrial communication systems. The first is the advancement of technology. Big data companies are making serious progress with comparing data-at-rest with data-in-motion as a strong basis for predicting outcomes with maximum accuracy. As the network infrastructure advances at the access layer in ways that allow analytic applications to be executed locally while communicating globally, this trend will do nothing but accelerate. The second element that will drive change is the retiring or soon-to-be-retiring workforce that drove the implementation and use of SCADA networks. This will create a knowledge gap that will require new technology to fill – and predictive analytics will be the one that fills that gap.
Although an aging workforce is not unique to the IIoT sector, the transition will be pronounced and could, without incorporating predictive analytics practices, be accompanied by some significant growing pains.
Looking Ahead
Sensor-2-Server (S2S) technology will begin to ease the synergy between IIoT technology and big data. Ensuring accurate data transmission, collection and analysis in critical industries is an important step along the path to a connected world. As S2S technology proliferates, companies will see a significant impact on IT and OT practices, along with the ability to converge those two silos into more efficient and streamlined decision-making.
IT Security Dynamics and the Industrial IoT
The quest to understand production and operational factors, distribute this information to business systems and people within an organization, and directly improve business processes and profitability as a result is not new. In fact, it has been embraced by companies for decades. This collection of operational information for use in information or business systems is known as IT/OT convergence. Getting IT and OT systems to work together to maximize business efficiency — while avoiding negative consequences, risks and pitfalls in the process — is a tall task. However, thanks to new technologies, this process is becoming more practical and is creating the opportunities for huge economic benefits when these two disciplines are successfully integrated. But how does this convergence affect the security paradigm in large, geographically dispersed enterprises?
Let’s Talk Security
Traditionally, companies have a corporate firewall that divides the corporate IT space from the OT space. With an Internet of Things (IoT) communications network, there is a need to protect the sensors and new applications on the OT side. However, even if there is a secure communication link, if the individual devices connected on the OT side become compromised and the threat has access to that communication link, a hacker can push malicious data, cause denial of service (DoS), or introduce malware or viruses to the entire network. There are many ways to run into problems on the IoT front if companies are not careful in their network design and security implementation.
On the IT side, corporate network security typically sees many threats. Those threats require significant attention, and consequently IT organizations have numerous options and tools to use, such as intrusion detection, log monitoring, network behavior monitoring, network inspections, whitelisting, firewalls, and more.
The IT space has a much different attack surface than OT because with an IT network, the company can physically secure the building and control where the data goes in and out. The amount of data leaving the building is relatively small in comparison to the OT space. WiFi that is leaking outside the building could be a vulnerability, but there are tools and ways to lock down that type of threat, and checkpoints where the IT department can analyze the traffic going through the network. In IT, bandwidth is plentiful and the network overhead associated with security is generally not a major factor.
Considering Industrial IoT Networks
IIoT networks, on the other hand, can span many miles with potentially hundreds of thousands of data points. An IIoT network likely consists of small embedded devices with long lifespans, making it very efficient. However, these devices are generally not like the Windows operating system, which is consistently conducting massive updates. Some embedded technologies don’t allow any updates at all, making it essential to carefully select the best devices for a network. Having thousands of these edge devices is where organizations will begin to see IT/OT convergence – many more points in the field where threats could be coming into the IT network.
Industrial organizations today are creating a connected infrastructure with IP-enabled sensors or IP/IIoT-enabled Access Gateways. The data generated by sensors at an asset location can be valuable to more than just the central control system. This might mean M2M communication with sensors talking directly to each other. It may mean that multiple systems consume the live, real-time sensor data directly from the field. It may even mean that operators connect their sensors directly to the cloud or other back office systems. If there is a way to share critical data while addressing the security issues, so that information reaches key data users, then that information becomes increasingly valuable.
Security Through Obscurity is Not a Solution
IIoT solutions often utilize the widely deployed security technologies from the Internet to avoid the custom, one-off solutions of past industrial security, when it was used at all. IP technology makes it easier to deploy and talk to sensors, but it also makes it easier for intruders to see and snoop on valuable data streams. Security through obscurity is not a solution. There are many common attack vectors for industrial devices that become even more relevant when considering IIoT infrastructures and fully networked, geographically dispersed projects.