[Whitepaper] Integrating Security Into the IoT Strategy in the New Converged Environment
Consumers want their work, home and mobile devices to communicate together to provide information that was previously not available from isolated systems. This desire is at the root of the Internet of Things (IoT). The rise of IoT started when consumers began to interconnect devices — ranging from personal computers, smartphones, tablets and wearables, to home appliances and home security systems — via the cloud, so that valuable personal and work information could be easily accessed, no matter what the users were doing or where they might be located.
Similarly, commercial and industrial organizations want to gather information across sensors, devices and control systems, often in different locations, in order to provide more intelligence about the operational status of the overall manufacturing process and to make better decisions about operations and maintenance. Hence, the emergence of the Industrial Internet of Things (IIoT), which by definition is an extension of IoT for industrial applications, such as plant floor control and maintenance.
IIoT is one of the fastest-growing innovation sectors across all segments (consumer and commercial) of the IoT market. Most of this growth has been due to significant developments in IoT, networking and big data analytics technologies that improve productivity and efficiency in the operational environment. In the operational environment, IIoT devices generally are network-ready sensors, controllers, actuators, drives and operator displays providing a stream of data, often to the cloud, for big data analytics. However, IIoT devices have not caught up with the security needs in this highly networked, interconnected world.
This paper is aimed at providing guidance to help organizations, IoT and IIoT solution providers, and the industry at large to better understand this new converged environment. It is also intended to improve the planning, designing, implementing and deployment of IoT devices, while ensuring that security is integrated into the IoT strategy across all levels of the organization.
In the mid-1990s, organizations began interconnecting their control systems to improve productivity, maintenance and safety. Some of this interconnectivity was to the internet via sensors, endpoint devices, human-machine interfaces (HMIs), and programmable logic controllers (PLC) or remote terminal units (RTU) connected to gateways — the precursors to IoT. While this interconnectivity helped improve reliability and efficiency, security was not a key consideration in the planning, design and implementation of networked control systems. The lack of adequate security planning resulted in increased attack surfaces and successful cyberattacks across many industries. In addition to the lack of security, there often was a lack of adequate collaboration between the OT (the term “OT” didn’t exist at that time) and IT organizations.
As you might suppose, the situation is more complicated today than it was in the 1990s or even in the early 2000s. Companies want to speed up and increase the connectivity between IT and OT to advance business productivity even more. There have been numerous demonstrations of improved productivity and cost savings using IIoT methodologies. However, security has not been a major consideration throughout this digital transformation. At the same time, hackers (individual or state-sponsored), malware writers, and criminal rings are now explicitly eyeing these environments for malicious damage and financial extortion.
As various papers, conferences, meetings and actual customer experience have shown, there are still substantial gaps in understanding between the IT and OT environments as to what constitutes a comprehensive cybersecurity plan for the entire organization. As your organization goes through the digital transformation caused by the integration of IT and OT and the increased connectivity in your operational processes, we hope this paper will provide you with some basic information and guidance to help you better plan your IT and OT security policy, governance and framework.
In this paper, we cover several important topics, including the new digital transformation and what it means to your organization in terms of general business and security challenges. We then discuss the security challenges for IIoT and the basic cybersecurity framework necessary for IT/OT integration. Finally, we provide recommendations on which technologies to use and how to select the right security vendor to help your organization thrive amid the new converged environment.
- IT/OT Convergence and Cybersecurity
- General Business Challenges
- General Security Challenges
- Security Challenges for IIoT
- Best Practices for the IT/OT Environment
- Cybersecurity Framework
- Technologies to Consider
- Choosing a Security Vendor
Richard Ku has over 23+ years of hands-on experience working in the hi-tech and security industry in a number of leading roles, as individual contributor and management. Currently served as Sr. Vice President of Product and Services Management for Trend Micro Enterprise and Small Business Foundation Security Product and Services.
Joe Weiss, PE, CISM, CRISC, ISA Fellow, IEEE Senior Member, MD ISA99, is an industry expert on control systems and electronic security of control systems, with more than 40 years of experience in the energy industry. Mr. Weiss spent more than 14 years at the Electric Power Research Institute (EPRI) where he led a variety of programs including the Nuclear Plant Instrumentation and Diagnostics Program, the Fossil Plant Instrumentation & Controls Program, the Y2K Embedded Systems Program and, the cyber security for digital control systems.