Steve Jobs famously referred to a computer as the bicycle of the mind. For those who don’t know the story, he was referring to a study about the efficiency of movement of different species. The condor was initially ranked the most efficient, using the least energy to travel a kilometre, while humans fell towards the bottom of the list. However, when the tests were re-run by a curious researcher, with a human on a bicycle, the efficiency results placed humans head and shoulders above any other species at the top of the list. Referring to computers as bicycles of the mind, Steve Jobs eloquently summarised the force multiplying abilities that the pairing of the right tool with a problem can have.
We have continued to see this evolve and unfold in our personal lives and in our workplaces, with the rise of cheaper more powerful hardware, Software as a Service, Cloud Computing Capabilities, and new ventures taking advantage of Big Data and Machine Learning.
We have seen how technology and computers have enhanced so many aspects of our lives, and the industrial and operational sectors are no different. The things we take for granted, such as running water, uninterrupted electricity supply, full shop shelves (well, maybe not at Christmas), have all taken advantage of evolutions in technology over the last 50 years, to provide quicker, more cost-efficient services.
The rise of widespread ethernet connectivity, the all mighty Internet Protocol (IP), and cheaper hardware has had a profound impact on the industrial and operational landscape. In the last 10 years, these industrial and operational technologies have gone from relative obscurity, known only by the organisations using them, to widely publicised and documented technologies, often appearing at conventional IT security conferences alongside their enterprise counterparts.
We are now well and truly into the next generation of industry and industrialisation. And this is no better captured than with the rise of the Industrial Internet of Things (IIOT). IIOT is a great term, conjuring up images of Amazon Echos and other shiny plastic devices housing small processors, which control and run our critical and operational infrastructures. But if we strip back the IOT gloss surrounding it, at a principle level IIOT really isn’t doing anything different to what we have seen over the last twenty years – unifying communication protocols, increasing connectivity, and providing greater access to data and insights, while blurring the lines of responsibility. What IIOT can do differently however, is speed up the timescales of change and open the door to any department (or individuals) to experiment with these technologies.
While it comes with definite security concerns and issues, it is clear that we cannot ignore the growth of industry 4.0 and IIOT, and organisations’ eagerness to adopt it. More teams want to take advantage of this new technology and the innovation and insight it promises. It is cheaper, does exactly what they want (and so much more), empowers them, and gives greater access to data insights that aren’t confined to legacy historians. The organisations that ignore the creep of IIOT into their industrial environments will find out before long that these have been put in without their knowledge or blessing.
When I consider the changing landscape that IIOT technologies bring about, there are three main areas I see as being repeat offenders and giving security teams the most grief.
Appropriate Security by Design
Secure by design has always conjured up the image of security engineers painstakingly designing and perfectly architecting networks and systems to come up with a Van Gough of security perfection. The reality is that we aren’t regularly going to have this luxury.
One of the key tenants of effective security by design is in understanding, not locking down. What this means is striving to understand all the variables, such as the people who will be using the system, the processes it will support (and be supported by), the wider network interactions and the data it will require (and generate). Ultimately the secure by design principles rest on being informed about how the system will operate, the requirements placed upon it, and the constraints that need to be considered.
The attraction to IIOT from a business perspective is the time it takes from the inception of an idea, to testing and exploring it, to deploying it and seeing the benefits. It can be procured cheaply, fitted by individuals, and often doesn’t go through the same commissioning routes that more traditional Operational Technology (OT) assets and systems do.
So how does Security by Design fit into the new landscape? What these systems do today, and the risks they expose, are likely to change more rapidly than conventional OT assets. The underpinning principles and requirements of the approach don’t change, but organisations need to be prepared that their well understood approach to security architecture, risk assessments, and design choices, need to take into account the fluid levels of complexity and variability that these new IIOT systems will introduce.
The Maze of Ownership
A crucial step that sounds simple, but is often elusive, is confirming and establishing ownership of these new technologies, and what this entails. Too senior, and the nuanced and granular understanding of the technology and considerations can become diluted. Too junior, and the authority to make informed decisions can become lost.
When we consider the challenge of establishing ownership for IIOT systems and data, we often find there is rarely just one owner in the operational ecosystem. Establishing ownership starts to look like an exhausting effort. By articulating the risks, demonstrating the impact and ways forward, and investing time across the different disparate teams and ownership quagmire, there is a way to draw all of the disparate threads together.
When we refer to ownership, we need to get the business to consider it. This is not just from the perspective of who owns (or who gave the money for) the asset, but must also include the network the device will sit in, the users, the maintenance requirements (including patching and backups), the data that it will use or generate, third party access and requirements, and incident response activities.
More than ever before in an operational environment, ownership is a consortium. Once this ecosystem of ownership is established, it provides the platform and the means to share and articulate the risks. Moreover, it also develops innovative approaches to addressing these, using a security-informed, but business and process-defined approach.
Visibility for All
From a technical standpoint, this is probably one area that has seen the greatest growth in productised offerings into the operational security communities over the last decade. Industrial Intruder Detection Systems (IDS) and networking monitoring, as well as asset inventorying systems are everywhere, and at the heart they all provide a similar function – to give you visibility into what actually is on your network, and what it is doing!
While this element of visibility is crucial, I am referring to visibility of the issues, the emerging threats, and the risks across the organisation in this case. Alongside this comes visibility of the business drivers, the benefits to teams, and the need that often sits behind the adoption of these IIOT technologies.
One of the attractions to IIOT and Internet of Things (IOT) tech, is that it can be deployed quickly, with little complex configurations. This means that implementing teams aren’t necessarily confined by the usual integration and setup restraints of older technology. This technology sneaks in everywhere and is often kept quiet to avoid the lengthy protracted debate it prompts, or because different departments don’t know they need to share this information.
It is because of the ability of IIOT technologies to be deployed in this manner that business-wide visibility of security, IIOT risks, and the correct processes are a must. Don’t let “I didn’t know” become the reason that devices sneak onto your critical network. Get in front of the issue with all teams by making it clear who they need to involve if they want to explore these technologies, the process for commissioning these, and the risks that can come about if this information isn’t shared.
Following in the footsteps of Steve Jobs’ earlier analogy of the computer as the bicycle of the mind, IIOT could be considered as the motorbike equivalent of industrial innovation and efficiency. On the one hand, it provides far greater mobility, flexibility, speed, and opportunities for adventure. However, it also comes with greater risks than we are used to, takes time to learn, get comfortable with and understand how to handle it properly, and as such, different precautions must be taken.
Much like moving from a bicycle to a motorbike, the three elements touched on in this blog all require a huge investment of time. Becoming proficient, slick, and competent doesn’t happen overnight (as much as we want it to). These three items pose the greatest challenge to organisations as they tackle the challenge of more IP-enabled, data-hungry smart devices creeping into their networks.
But, by being aware of the new side to an old challenge they bring, and tempering these with solid communication, cross departmental networking, and proactive (and positive) engagement, organisations can leverage the benefits of these new technologies.
Want to find out more…..
If you’d like to find out more about our experience in the design, development and deployment of devices, simply click on the link below.