From data to processes: Securing the Industrial IoT
The major differences between enterprise IT and the Industrial IoT and the implications for businesses.
While the major differences between enterprise IT and the Industrial IoT are well known, I find that many clients want to explore the detailed implications for their businesses. I often use a chart (pictured below) as a starting point to illustrate the important distinctions that should inform both development and management approaches, and I thought I’d dive into some of the specifics that I usually share in client meetings.
The fundamental difference is that enterprise IT is concerned with protecting data, while the IIoT is focused on physical processes, such as manufacturing operations or energy grids. So, while the security objectives for data are privacy and confidentiality, the IIoT is concerned with maintaining the integrity of systems.
In a sentence, enterprise IT security is all about protecting assets, while IIoT security extends past that goal to also protect ongoing industrial operations.
This has significant implications for how businesses need to approach cybersecurity in three core areas:
First, availability. While 99% uptime is an acceptable threshold for enterprise IT, it’s a starting point for the IIoT, inasmuch as even the slightest hiccup in a process management system could leave ships at sea without navigational tools, or industrial robots without commands for what to do next.
An increase from 99.9% to 99.999% uptime would reduce downtime during a year from 8.76 hours to 5.25 minutes, so you can imagine the importance of such improvements.
Second, system life. The average lifetime of an IT system is between 3 and 10 years, though the expected functional lifetime of industrial equipment can be far longer, often as much as 25 years. It’s far easier (and less costly) to swap out a new multipoint control unit (MCU) in a computer than, say, replace the automated components of a functioning assembly line.
This means that IIoT cybersecurity has to be far more robust and flexible. That is easier said than done, however, as many of the standard tools for IT system maintenance, such as logging and forensics, are not an inherent component of IIoT controls.
Third, patching, which is related to system life. With enterprise IT, patching is normally conducted on a predetermined schedule, driven in large part by update releases, which means the least disruptive timing can be chosen to execute that work. Security patches to IIoT systems can be far more opportunistic, or driven by necessity, which runs the risk of interrupting operations. There can also be a long time between planned updates.
Taken together, the differences between IIoT and enterprise IT cybersecurity are profound.
ABB brings these tools (and others) to bear on IIoT cybersecurity, and partners with customers on such platforms as ABB Ability, which helps ensure our clients’ systems are protected throughout their productive lives.