How security can be the linchpin of Industrial IoT evolution

Opinion by Will Culbert

Will Culbert delves into the Industrial Internet of Things, touching on how digital technology may define industrial control operations and maintenance almost as much as the physical engineering itself.

The UK is on the brink of a fourth Industrial Revolution, exemplified by Philip Hammond's recent keynote at Future Decoded. Large-scale investment and interest in the UK are based around the capability to evolve and play a leading role in the next global wave of technology innovation – the Internet of Things.

The Industrial Internet of Things, IIoT, incorporates machine learning and Big Data technology, harnessing sensor data, machine-to-machine (M2M) communication and automation technologies that have existed in industrial settings for years.

The driving philosophy behind the IIoT is that smart machines in collaboration with human knowledge and programming have the potential to transform business models, service delivery, industrial control efficiency, reliability – ultimately our daily lives.

However, when considering the scale, severity and individual impact of operations involved in internet-enabled industrial controls, it is fundamental for organisations and governments to ensure security is at the heart of both the implementation of and education around the technology.

Navigating in the connected age

In the foreseeable future, digital technology may define industrial control operations and maintenance almost as much as the physical engineering itself, with abstract advantages to cost savings, efficiency improvements and speed of reaction when an issue occurs.

The opportunities on the horizon are increasingly encouraging institutions to adopt more and more connected solutions into their operational approach. This is not a brand-new concept, and industrial control operators have continued to understand and utilise the solutions over the past few years. However, devoted attention must be given by leading technology providers, governments and industry bodies to educating the market and ensuring that the security backhaul and infrastructure of these organisations are effective. We have seen throughout 2016 the increasing sophistication, complexity and tenacity of attacks made on industrial control operators, many enabled through insecure IIoT solutions and systems.

A recent Kaspersky Lab research study uncovered that in total, 188,019 hosts have ICS components available via the internet, identified in 170 countries. A large proportion (92 percent, or 172,982) of remotely available ICS hosts have vulnerabilities within them.

This Kaspersky Lab research study contains worrying statistics, and hackers have exemplified the variety of elusive techniques they have in their roster to hack into systems. The international headline story of the Ukraine power grid hack was another example of a hack enabled through compromising employee credentials. However, what is key to note is that these systems were accessed remotely, and these hackers' entry into the system through this method could have been identified and quarantined at an earlier stage.

The vulnerabilities in these connected systems are widely available and apparent to hackers, and the systems are being specifically targeted based on this factor. The unnamed water utility referred to by Verizon as the Kemuri Water Company (KWC) was hacked earlier this year, largely due to poor security architecture, with internet-facing systems plagued by high-risk vulnerabilities, and outdated operational technology (OT) systems that were more than ten years old.

The need for industry and governmental standards

The aggressive momentum of both media coverage and attack frequency is highlighting a strong desire from the market for a unified industry-led standard in relation to the security and implementation requirements for IIoT. Progress has notably taken shape with the evolution of the government cyber-security apparatus and infrastructure such as the National Cyber Security Centre and GCHQ. Both are designed to evolve the education and responses that the UK has to cyber-crime threats.

Consortiums and government-run initiatives such as these are crucial to the overall progression of the market and to the procedures and processes organisations should look to implement to ensure they are as secure as possible. It is going to be impossible to evolve and progress the adoption and success of these solutions without industry standards and knowledge hubs. Industry standards can drive technology providers and governments alike to evolve and constantly improve on knowledge and recommended codes of practice for organisations on this scale.

Unique and specialised consortiums are starting to reach the wider market on a global scale, which is making a positive impact on the market, irrespective of competitive bias or seclusion. At this stage the IoT and IIoT market is so large and undeveloped that potential competing organisations are laying down their competitive edge in this market to evolve a set of practice standards that can benefit the future.

A key example of this is the Industrial Internet Consortium, a global body that brings together companies of all sizes to create a forum where multiple stakeholders can exchange ideas and embark on joint projects, to collectively progress the viability of IIoT solutions.

Synergy between governments and technology providers

It is apparent that steps are being made to develop the general standards and security policies behind the IIoT; however, we must ask ourselves: are we moving fast enough? With attacks being made consistently and an influx of technology providers bringing connected solutions to market, there must be a call for closer synergy between governments, technology and security providers. This synergy could bring to market unified standards and processes that are enforced by governments on industrial control operators.

On a granular level, certain techniques must be encouraged when considering integrating connected solutions in this sector. For example, it is fundamental to monitor and manage any access to a corporate network and have the capabilities to control, identify and limit access dependent on the user and their behaviour.

Without effective security processes, as touched upon above, that are built into the IIoT solutions from the core, we will continue to put national infrastructure and the public at risk.

Contributed by Will Culbert, director of solutions engineering, Bomgar
