Guest Post: IHS Predicts IIoT Cybersecurity Will Increasingly Be Implemented in Hardware
By Sam Lucero, Sr. Principal Analyst, M2M & IoT at IHS Technology IIoT & Cybersecurity As IIoT systems create ever more critical dependencies in plant, energy infrastructure, and transportation environments, developers and deploying organizations will turn to hardware-enabled cybersecurity to stave off proliferating cyberattacks. Although the use of secure processors in smartcard applications, such as bank cards, mobile phone SIM cards, and digital ID documents is common, IIoT developers have barely begun to adopt a hardware-enabled approach. Instead, “root of trust” technologies, such as secure key storage, cryptography, and secure boot, are handled in software on the main application processor of the device. IHS estimates that in 2015 only 9.8% of all secure processors shipped were intended for IoT applications (that is, all of IoT, not just IIoT). The challenge with this software-based approach is that security functions on the application processor share common memory resources with other functions and are therefore exposed and vulnerable to malicious attack. Hardware isolation reduces (but cannot completely eliminate) this exposure and therefore dramatically increases the security of the device. This increased security is fundamentally why bankcards, mobile phones, and now ePassports, have shifted to the use of hardware-based security. Looking Ahead A lingering question regarding the use of secure processors in IIoT applications is whether implementation will be in the form of a second coprocessor chip placed alongside the host application processor, or whether cybersecurity hardware intellectual property will be integrated directly into an application processor. (Integration of cybersecurity circuitry still achieves hardware isolation in contrast to software, although some physical security measures may become impractical.) Chip companies such as Atmel, NXP, and Renesas Electronics have adopted this integrated approach for at least some of their respective portfolios targeting the IoT. It remains to be see whether an integrated approach will be successful. While integration helps to reduce overall device bill-of-materials, it can increase cost and complexity for cybersecurity certification, relative to a “two-chip” solution. About Sam Lucero Sam Lucero is a seasoned industry analyst with over 14 years of experience analyzing telecommunications and networking technology markets. He has spent the last ten years assessing the markets for machine-to-machine (M2M) and Internet of Things (IoT) applications. Sam has established leading M2M market research programs and managed international teams of industry analysts. He has authored numerous reports, forecast databases, and topical articles covering various aspects of the M2M/IoT market opportunity and has been widely quoted in news and trade journals, from the New York Times and the Economist to CNET and Wireless Week. Furthermore, Sam has moderated, presented, and judged at a number of industry events, including CTIA and Connected World. In 2014 Sam was named one of six “Augural Analysts” for M2M by Connected World Magazine.
IIoT Bold Prediction Series Part 5: Discrete RF Manufacturers Obsolete in Three Years
What a week it has been for the connected world! As we grow closer to the end of 2015, there are plenty of movers and shakers in the IoT space, and for good reason – the excitement around the industry is palpable. In fact, it’s hard to keep a pulse on all the activity as there seems to be innovations occurring daily. Additionally, the IoT provider ecosystem itself continues to grow rapidly as the influx of companies – from device manufacturers and software vendors to IT and Cloud services as well as industry groups and regulators – continue to push the bounds of possibility not just for consumers, but businesses as well. To further add to the end of year developments in IoT, our 2016 IIoT Bold Prediction Series ends the week with a bang – after all, it’s not every day that the CEO of a company predicts the demise of its own industry! However, Kim Niederman, CEO of FreeWave Technologies, is making the bold prediction that discrete Radio Frequency (RF) technology manufacturers will be obsolete within the next three years. Prediction #5: The obsolescence of discrete RF manufacturers will occur by 2019 The catalyst that will drive this change will be the open standards in place that will eventually commoditize the market by bringing backwards compatibility and interoperability between different radio manufacturers. Large chip manufacturers are going to drive physical layer standards, meaning the chipsets themselves are going to be more ubiquitous and will make it increasingly difficult for discrete radio manufacturers to find and capitalize on business opportunities in the marketplace. Companies will continue to drive the adoption of open standards and the concept of the software-defined radio will soon become meaningless. Stay tuned for more on this bold IIoT prediction!
IIoT Bold Prediction Series Part 4: New Networking Protocol Changes IoT Connectivity
Before we move on to the next prediction in our IIoT Predictions series, let’s take a quick look back at the first three: A major security breach of an industrial SCADA system will bring new focus to IoT security. The government will become heavily involved in the regulation of IoT and IIoT devices. Predictive analytics will alter fundamental IT/OT practices. Part of the difficulty in procuring “predictions” for something like the Internet of Things is that the possibilities are truly endless. We know that “IoT” as a concept will increasingly touch on almost every single facet of our daily lives with each passing month, so part of the excitement is being attuned to the new concepts, technologies and thought leaders that seem to pop up near daily. It is an interesting time to be both a creator and user of technology! Today’s prediction, courtesy of Brad Gilbert, director of product management at FreeWave, continues our path toward the more technical side of the Industrial Internet of Things. We know that the technology will continue to progress, but what about the “internet” side of IoT – the enabler of the comprehensive connectivity we’ve come to expect? Prediction #4: Wireless Networking Protocol will Change the Way We Think about IoT Connectivity 802.11ah is a new wireless networking protocol that has the potential to enable a range of connectivity that was previously deemed improbable to obtain – greater sensor connectivity and the potential for even faster data transmission. It is scheduled to be released in mid-2016, and Brad predicts it will garner quick adoption. Here’s the why behind it: 802.11ah Unifies GHz and sub-GHz bands with a Wi-Fi protocol Reduces the need for protocol conversions and gateways Highly congested 2.4GHz band can now be offloaded to either 5GHz or now 900MHz The essence of these features is that they provide a greater diversity for device enablement by offering more networking and frequency band options. The unification of bands reduces the potential for interference and offloads traffic from the 2.4GHz band that is used for wide-range networking needs. 802.11ah Addresses long range communication and battery operation not met with existing 802.11 standards Much needed for IIoT applications, especially those in remote and hazardous locations Better RF propagation than 2.4GHz or 5GHz frequency bands In conjunction with band unification, the new protocol will enable the extension of high-speed connectivity to rural areas without overloading cell tower traffic. It will allow devices to use less battery power by predetermining wake and doze times, and by incorporating relay access points, it will allow networking stations to transmit data more quickly, reducing the overall wake time. Chipset availability The availability of chipsets (specifically SoC technology) will enhance data transmission even further by better managing integrated components and data flow to and from different networks and IoT enabled devices. What’s next? So far, most IIoT devices have been built with traditional band usage in mind. Introducing a new and efficient networking protocol will allow for a greater diversification of device capabilities, as well as a proliferation of sensor networks at a scale that would be unachievable with current standards.
IIoT Bold Prediction Series Part 3: Predictive Analytics Alters Fundamental IT/OT Practices
So far, our series of IIoT Bold Predictions for 2016 has focused on the concepts of IIoT security and government’s regulatory role in the development of IoT and IIoT devices. Today, we’re changing gears a bit, with a prediction from Scott Allen, FreeWave’s CMO, which focuses on the implementation of IIoT technology into big data practices to create real-time, data-driven intelligence. Prediction #3: Predictive Analytics Alters Fundamental IT/OT Practices Predictive analytics will change the nature of industrial communication systems and networks significantly over the next five years. Certain industrial sectors have long utilized machine-to-machine (M2M) technology, like manufacturing, utilities, and oil and gas, as the backbone to operations technology. However, as IIoT communication technology continues to improve at a rapid pace, these industries will begin implementing tech and business practices designed to create data synergy that will ultimately provide predictive analytics for better decision making. There are two elements at work that will push predictive analytics to the forefront of industrial communication systems. The first is the advancement of technology. Big data companies are making serious progress with comparing data-at-rest with data-in-motion as a strong basis for predicting outcomes with maximum accuracy. As the network infrastructure advances at the access layer in ways that allow analytic applications to be executed locally while communicating globally this trend will do nothing but accelerate. The second element that will drive change is the retiring or soon to be retiring workforce that drove the implementation and use of SCADA networks. This will create a knowledge gap that will require new technology to fill – and predictive analytics will be the one that fills that gap. Although an aging workforce is not unique to the IIoT sector, the transition will be pronounced and could, without incorporating predictive analytics practices, be accompanied by some significant growing pains. Looking Ahead Sensor-2-Server (S2S) technology will begin to ease the synergy between IIoT technology and big data. Ensuring accurate data transmission, collection and analysis in critical industries is an important step along the path to a connected world. As S2S technology proliferates, companies will see a significant impact on IT and OT practices, along with the ability to converge those two silos into more efficient and streamlined decision-making.
IIoT Bold Prediction Series Part 2: Government Regulations Coming
Yesterday, we kicked the 2016 IIoT Bold Prediction Series off with a bang! As a nice follow-up, and second iteration of the series, Tim Mester, Principal Engineer of Advanced Technology at FreeWave, presents his Industrial IoT bold prediction: Prediction #2: Government Regulations Coming for IoT and IIoT Devices Due to a major security breach or reliability failure in connected devices or systems used in the Industrial IoT space, governments will be compelled to create and enforce new regulations on all IoT (and IIoT) devices, much like what is happening with the drone industry. (Note: IoT security breaches are not unheard of, as pointed out in this recent article by Bill Montgomery and Glenn Longley’s latest prediction as the first part of the bold prediction series.) But, like drones, the barrier to entry into the IoT space has been lowered by improvements in technology. For IoT/IIoT devices, it is by the proliferation of a low power “system on chip” technology (SoC) and platforms like the Beagle Bone, Raspberry Pi and Arduino. Also, the Open Source software that is available allows developers to quickly pull products together based on these inexpensive SoC’s. Now that we can quickly have these products, how do those procuring these know that they are secure? How do they know they will be reliable and will not fail in mission critical applications? Companies that are already experienced in the M2M and IIoT space understand these issues and concerns. They take the necessary steps to ensure that they can deliver secure and robust devices to their customers. But what about the new comers? The ones that took the easy route? The ones who do not have the experience in this space? Looking Ahead As IoT/IIoT data and control becomes more sensitive and critical, concern will grow concerning the robustness of all of these devices that our lives are becoming dependent on. I believe that we will see a surge of government regulations that mandate the levels of security and reliability for IoT and IIoT devices. We are already seeing the beginning of these types of government regulations being mandated in some critical infrastructure industries and this will only perpetuate. In smart grid projects, for example, operators must take into consideration the cybersecurity reliability standards which FERC oversees. This helps operators choose a more cyber-hardened technology. On the other hand, for industries that do not have these standards in place yet, there remains a tradeoff between “secure” and “easy-to-use.” When strong cybersecurity has not been mandated, people tend to avoid the “harder-to-use” option that is typically more secure.
Announcing the 2016 IIoT Bold Prediction Series!
The year 2015 is soon coming to an end as the year 2016 looks to be ushering in exciting new ways in which the Internet of Things (IoT) is changing our way of life. It’s easy to see these transformations taking shape on the consumer side (home automation, smart appliances, connected cars, personal computers, smart devices, etc.), but what will 2016 hold for the Industrial IoT (IIoT) space? (Note: Go here for a quick rundown on the difference between consumer IoT and industrial IoT) 2016 IIoT Bold Prediction Series As stated in our introductory blog post (Are We All on the Same Industrial IoT WaveLength?), we at FreeWave Technologies are thrilled for the future of the IIoT and what it means for the entire business ecosystem. That is why we are excited to present the “connected world” community with a bold prediction in IIoT each day this week – aptly named the 2016 IIoT Bold Prediction Series! We of course encourage everyone to contribute your perspectives and experiences – whether in response to our predictions or a submission of your own – to help advance the dialogue around the emergence of the industrial internet. Our first bold prediction in the series comes from Glenn Longley, Regional Manager of Energy Markets at FreeWave: Prediction #1: Major Security Breach of Industrial SCADA System Brings New Focus to IoT According to Longley, “There will be a major security breach of an industrial SCADA system in 2016, which will drive industrial organizations to shift more of a focus on IoT and newer, more secure communication systems.” If you may not already know, cyber attacks against supervisory control and data acquisition (SCADA) systems are not new. In fact, Homeland Security Magazinereported earlier this year that “Cyber attacks against industrial targets—including power plants, factories and refineries—increased 100 percent in the past year, according to a new study conducted by computer technology company Dell.” Additionally, IT World Canada reported on a new InfoSec survey by the SANS Institute in 2015 where, “Both the degree of uncertainty and the rising number of known incidents are red flags calling for the dedication of greater resources to monitoring, detecting and analyzing anomalous activity in control system networks.” The survey also found that only 65 percent said vendor qualification of security technologies and solutions to be either highly important or mandatory. So with a proliferation of new cyber attacks seemingly happening more frequently, Longley explains how this widespread issue will impact IoT adoption in industrial businesses in the coming years: “Each company is different in how it handles the influx of IoT and the resulting IT/ OT convergence. With the merging/blending of Information Technology (IT) and Operations Technology (OT), the firewall that separates the two becomes more complicated and less well-defined. Traditionally, each was a separate entity; however, with IP-enabled devices and blending of technologies in enterprise networks, that dividing line becomes less clear. IT and OT professionals themselves might put a different emphasis on security, but in 2016, the two will need to come together (more than ever before) to prioritize security in their quest to create end points for all of their field assets. Therefore, security will ultimately be the limiting factor on how much IIoT is deployed.”
IT Security Dynamics and the Industrial IoT
The quest to understand production and operational factors, distribute this information to business systems and people within an organization, and directly improve business processes and profitability as a result is not new. In fact, it has been embraced by companies for decades. This collection of operational information for use in information or business systems is known as IT/OT convergence. Getting IT and OT systems to work together to maximize business efficiency — while avoiding negative consequences, risks and pitfalls in the process — is a tall task. However, thanks to new technologies, this process is becoming more practical and is creating the opportunities for huge economic benefits when these two disciplines are successfully integrated. But, how does this convergence affect the security paradigm in large, geographically dispersed enterprises? Let’s Talk Security Traditionally, companies have a corporate firewall that divides the corporate IT space from OT space. With an Internet of Things (IoT) communications network, there is a need to protect the sensors and new applications on the OT side. However, even if there is a secure communication link, if the individual devices that are connected on the OT side become compromised and the threat has access to that communication link, a hacker can push malicious data, cause denial of service (DoS), or introduce malware or viruses to the entire network. There are many of ways to run into problems on the IoT front if companies are not careful in their network design security implementation. On the IT side, corporate network security typically sees many threats. Those threats require significant attention, and consequently IT organizations have numerous options and tools to use, such as intrusion detection, log monitoring, network behavior monitoring, network inspections, whitelisting, firewalls, and more. The IT space has a much different attack surface than OT because with an IT network, the company can physically secure the building and control where the data goes in and out. Data escaping the building is relatively small in comparison to the OT space. WiFi that is leaking outside the building could be a vulnerability, but there are tools and ways to lock down that type of threat, and checkpoints where the IT department can analyze the traffic going through the network. In IT, bandwidth is plentiful and the network overhead associated with security is generally not a major factor. Considering Industrial IoT Networks IIoT networks, on the other hand, can span many miles with potentially hundreds of thousands of data points. An IIoT network likely consists of small embedded devices with long lifespans, making it very efficient. However, they are generally not like the Windows operating system, which is consistently conducting massive updates. Some embedded technologies don’t allow any updates, making it essential to carefully select the best devices for a network. Having thousands of these edge devices is where organizations will begin to see IT/OT convergence – many more points in the field where threats could be coming into the IT network. Industrial organizations today are creating a connected infrastructure with IP-enabled sensors or IP/IIoT-enabled Access Gateways. The data generated by sensors at an asset location can be valuable to more than just the central control system. This might mean M2M communication with sensors talking directly to each other. It may mean that multiple systems consume the live, real-time sensor data directly from the field. It may even mean that operators connect their sensors directly to the cloud or other back office systems. If there is a way to share critical data while addressing security issues that can help provide information to key data users, then that information becomes increasingly valuable. Security Through Obscurity is Not a Solution IIoT solutions often utilize the widely deployed security technologies from the Internet to avoid the custom, one-off solutions of past industrial security, when it was used at all. IP technology makes it easier to deploy and talk to sensors, but it also makes it easier for intruders to see and snoop on valuable data streams. Security through obscurity is not a solution. There are many common attack vectors for industrial devices that become even more relevant when considering the IIoT infrastructures and fully networked, geographically dispersed projects.
IIoT Top News: Manufacturing Today and Tomorrow
The age of manufacturing is moving past the dusty, oversized, broken-down warehouse located on the edge of town and into industrial 4.0. This new technological revolution is changing the way manufacturing operates within the digital sphere. Nowadays, manufacturers can track production status, machine functionality and operational flow with sensors, automation and wireless IIoT solutions. That’s why this week’s top news is dedicated to manufacturing of today and tomorrow, realizing this industry is evolving with the digital revolution. This is an exciting time for manufacturing, with more innovation integration happening across the board than in the last twenty years. As the IIoT starts to take center stage in many shop floors, new digital upgrades will require a new plan of action to deploy wireless pilot projects for automation and control. Now with the rise of smart machines in manufacturing, this industry has to shift from a product oriented world to a services market. Sensors that tell you why it is not working or machines ordering products independently when supplies run low are all examples of this new industry 4.0 revolution in action. Naturally this technological movement began in Germany back in 2011, where twenty-two percent of their GDP comes from manufacturing, this compared to only twelve percent of the GDP in the US. Although, a recent report by Cisco finds that the majority of manufacturers are not capitalizing on this digital push. It is true most manufacturers do see the importance of the digital transformation on their shop floors, but the problem comes with the implementation of those new technologies without disrupting the current production process. As manufacturers digitize, it is vital to first find the correct infrastructure to implement the IIoT, and then to adapt a new model to incorporate the technology to the main business plan. So what does the future hold for manufacturing? As some companies adapt to this digital age, it is true manufacturing can now create digital prototypes, use 3D printers and operate remotely with sensors and wireless monitoring. Being able to collect data in real-time utilizing cloud-based IIoT solutions will be the key to succeeding in manufacturing going forward. Yet, according to Information Age 2016 top predictions, “Manufacturers will have to start thinking and acting more like software companies, leveraging the software applications they build into their products as a driver to reduce manufacturing costs, increase product innovation, and capture new revenue streams.” Furthermore, IoT, data analytics, cloud, and other wireless technologies have the potential to drastically improve manufacturing. The trick, as we march to the beat of this new technological revolution, will be to look at examples of how early adaptors have grasped the IIoT. It’s understandable with everyone shouting about the IIoT, it is easy to get overwhelmed. So stop thinking about all things connected and focus on what infrastructure will support your growing digital needs on the shop floor, and then your plan of action will seem a bit more manageable. Hope you enjoy this week’s reading. As always, tell us what we missed! Enabling Manufacturing Transformation with the IIoT (PTC) This push for IIoT is transforming the way manufacturing operates and functions as a whole. PTC suggests that, “As these innovations and pilot projects begin to emerge as broadly deployed best practices, the industry will start to see the emergence of business model transformation and the visions of Industries 4.0 and Smart Manufacturing will start to become a reality.” Machine Learning (The Economist) As manufacturing becomes digitized, the industry has to adjust from being a product focused world to a services market, with smart machines installed on the shop floor. The Economist believes that, “For many manufacturers—in Germany and beyond—the principal sticking-point in making this digital leap is often cultural.” Survey: Manufacturers’ Digital, Service Capabilities Lagging (Manufacturing.net) Manufacturers see the need for adding more digital components to the shop floor, but recent CISCO report finds that many manufacturers are still not capitalizing fully on the IIoT. “One challenge is on the technology side, making sure that the right infrastructure is provided,” said Dirk Slama of Bosch Software Innovations. “The second challenge I would see is more on the organizational level, to make sure that you somehow help your organization move towards these new business models.” The Factory Future (Manufacturing Today) The future of manufacturing will depend on the industries abilities to incorporate real-time results with their wireless IIoT solutions. Manufacturing Today has stated that, “More manufacturing will need to be able to harness all that data via the cloud to meet demands from customers and potentially legislators to fully track the entire lifecycle of their products—from creation to disposal of ideally recycling.” Manufacturing’s Digital Future (Industry Week) The digital future of manufacturing will incorporate the data analytics, cloud and many other wireless IoT solutions. Industry Week believes that, “Many companies are leveraging interconnectivity to improve their own factory productivity, the factory-floor blocking and tackling of reducing downtime, cutting costs, reducing cycle time, improving OEE, etc.
Today’s IIoT Security Challenges
For decades, Supervisory Control and Data Acquisition (SCADA) systems have played a significant role in industrial operations. Industries like oil and gas, electric power/smart grid, agriculture and utilities have implemented SCADA systems and networks to collect data and automate processes, and are always looking to automation systems for more effective ways to operate. The ability to collect more data from geographically dispersed field assets in remote locations has driven the need for enhanced communication technologies. With the emergence of continuously improving wireless machine-to-machine (M2M) technologies, networks have more access to data points than ever before. The number of sensors and data points collected will continue to rise dramatically with improved connectivity. This collected data helps operators improve operational decisions, save manpower and, in many instances, keep employees safe by avoiding dangerous environments. Today, industrial network operators are increasingly implementing end-to-end Internet Protocol (IP) connectivity or the Internet of Things (IoT), enabling more capabilities at the edge of these networks. This does not make SCADA systems obsolete by any means; it opens the door to greater possibilities of enabling new applications and analytics with every single data point being captured in the system. So What’s the Security Tradeoff? There are many implications for the concept of a completely connected enterprise in terms of network security. Critical infrastructure projects are only as reliable and secure as the technology serving them. Security, therefore, will ultimately be the limiting factor on how much IoT technology is deployed. With security, the traditional trade-off is either “easy to use” or “secure”— but not both. We often consider a third tradeoff as well of features, though in most cases, operators are not willing to trade off features, but it is certainly part of the equation. An operator striving for an Industrial IoT (IIoT) network must look at SCADA security, the convergence of Operations Technology (OT) and Information Technology (IT), and make a thorough assessment of what will allow them to achieve a secure data communications network. Some of the top security challenges for the IIoT today include: With more data being transported than ever before, it’s important not only to secure assets, but to secure the communication link itself. Traditionally, SCADA systems have been on the outside of a firewall from the corporate IT network. Newer SCADA systems that use Ethernet devices are more security focused with measures such as VPN, secure sockets, encryption and dedicated log-ins on the devices. One Final Thought There are many benefits to the concept of a completely connected IoT system, but this also implies more crossover between IT and OT systems. Companies need to prioritize security in their quest to create end points for all of their field assets. Some industries, like the smart grid, are already experiencing mandates that ensure a more cyber-secure network. With others, however, it is still up to the organization to make security a top priority.
