The term Internet of Things is new. The Industrial IoT is even newer. However, the issues they bring are old. On June 30th, Dark Reading posted a commentary from McAfee executive Lorie Wigle, who pointed out that security concerns must not be allowed to obstruct the great benefits the IIoT can bring to industrial systems.
She is right, of course. It won’t be easy. The utilities industry is a good example of the challenges that are faced. In many cases, the network architecture in power plants was established before the plants were regionally or nationally interconnected, before the Internet was used by industry and before hacking and cracking emerged as a problem. There was no reason to segregate mission-critical data.
Today, of course, network administrators face a different and far darker world. Bad guys – and bad governments – have the motive and the capability to attack these structures. The base Internet commingles vital and inconsequential data. Doing so in a plant – and connecting that plant with the world at large – creates obvious and serious challenges.
What we now call the IIoT was part of the utilities world well before the catchy name was introduced. While the subtleties differ between plants, the overall vulnerability – and the dire possible ramifications if hackers take over – make two things absolutely necessary:
- Any IIoT standard, or set of standards, used by the utilities industry must be built around security. Security elements must be embedded from the ground up. Retrofitting a layer of security on top of an inherently insecure environment – the way in which the Internet itself has evolved – is inadequate.
To a great extent, this horse has left the barn, however: Systems have long been in place. As the telecom and enterprise industries refresh in the era of the IIoT, security must be at the center of standards efforts. The good guys simply have to work harder than the bad.
- Encryption must be at the data layer. If we can’t be entirely confident of the integrity of the network, cyber padlocks must be put around every mission-critical piece of data itself. There is no other way.
It’s axiomatic and clichéd to say that the IIoT must be secure. That makes it no less true, however.
(Photo: NRC Photo of the Shearon Harris Nuclear Power Plant, Unit 1, in North Carolina)