(HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/)
News. Trends. Insights.
(HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/CONTRIBUTORS/DAVID-BISSON/)
http://www.tripwire.com/stateofsecurity/featured/5keychallengesfortheindustrialinternetofthingsiiot/ 1/10
5/1/2016 5 Key Challenges for the Industrial Internet of Things (IIoT)
The Internet of Things (http://www.tripwire.com/stateofsecurity/securitydataprotection/securityhardening/theinternetofthingswhysecurityneedstobethefutureofiot/) (IoT) is one of the most significant trends in technology today. A melding of innovations in the fields of computing and communication, IoT and its smart devices are poised to revolutionize not only user-machine interaction but also the way in which machines engage with one another.
Already we are beginning to see the permeation of the Internet of Things into various market sectors. One vertical where we see this diffusion the most is in industry. Indeed, energy, healthcare, automotive, and other industries are beginning to grapple with the Industrial Internet of Things (IIoT), where devices such as sensors, robots, mixing tanks, and insulin pumps are becoming increasingly more connected. As noted in a blog post (http://www.tripwire.com/stateofsecurity/securitydataprotection/securityhardening/theinternetofthingswhysecurityneedstobethefutureofiot/) by Lane Thames, a security research and software development engineer at Tripwire, this subset of IoT holds much promise for the future.
The Industrial Internet of Things will drastically change the future, not just for industrial systems, but also for the many people involved, Thames explains. If we can achieve the full potential of the Industrial IoT vision, many people will have an opportunity to better their careers and standards of living as a result of countless value creation opportunities.
Thames goes on to identify how IIoT could create a number of new smart paradigms, such as smart power grids and smart healthcare, as well as lead to the development of new manufacturing ecosystems that are driven by self-aware, autonomic machines.
Clearly, the Industrial Internet of Things can have a bright future. But as Thames rightly warns, the devil is in the details. Devices that can connect to one another and over the web potentially threaten our Industrial Control Systems (ICSs), security consultant Larry Vandenaweele (https://twitter.com/lvandenaweele) has observed (http://www.tripwire.com/stateofsecurity/offtopic/beyondthebasicsoficssecuritygettingitrightfromthestart/). Those systems are vital to the operation of the utilities, energy, and nuclear sectors. More specifically, as business requirements necessitate that industries move beyond smart devices merely as a means of control, they might run into obstacles as they seek to incorporate IIoT into their office environments.
There are numerous challenges that industries could face when implementing IIoT. Here are five that stand out in particular.
Jeffrey Caldwell, chief architect of security who oversees the research and development for ICS and infrastructure security solutions and product offerings at Belden Inc. (https://twitter.com/beldeninc), feels that one of the most fundamental challenges involved with IIoT today is the different set of device capabilities available to manufacturers and process control operators.
Many solutions and opportunities for machine-to-machine (M2M) interconnectivity and communication are available, and more are being brought to market on a regular basis, observes Caldwell. When deploying IIoT technologies, we must therefore think over a few questions. What information should be collected? How should information be stored? How can the information best be analyzed? And what decisions should be made based on the analysis?
While an analysis of economic value and ROI can assist industries in deciding where to incorporate IIoT technologies, the challenge of settling on capabilities extends all the way up to device manufacturers. Joel Langill (https://twitter.com/SCADAhacker?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor), an operational security professional and industrial control system cybersecurity consultant with nearly 35 years of experience in industrial automation and control developing, as well as the founder of the information sharing website SCADAhacker.com (https://scadahacker.com/), explains that some manufacturers are still trying to catch up to the complex demands of IIoT things.
The real risk to what I call manufacturing integrity is when products and services that may be well suited for a typical office setting are presented as solving the same problems in a manufacturing environment without completely understanding the associated requirements (environmental, hazardous areas, reliability and availability of services, etc.), explains Langill. At the end of the day, the final control components (controllers, sensors, actuators, etc.) that bridge the cyber-physical space are still based on technologies that are not common within most IT architectures. Though Ethernet (Notice I did not say TCP or UDP.) is becoming more prevalent than in prior decades, Windows platforms are almost non-existent because they lack the most basic of operational requirements.
When it comes to navigating the Industrial Internet of Things, not only must individual industrial enterprises carefully consider where they would like to implement IIoT, but also manufacturers must clearly define operational requirements and understand the capabilities of the technologies they wish to create. This necessitates a deep comprehension of the real-time production equipment to which the devices would ultimately be applied.
Functionality is not the only focus that manufacturers will need to address in the coming years. Cost and industrial reliability will also play a part as early adopters vie to make the transition to IIoT. As embedded systems increasingly make their way into enterprises, the onus will be on manufacturers to maintain the integrity of their supply chains.
This challenge is not lost on Patrick Miller (https://twitter.com/patrickcmiller), a Managing Partner at Archer Energy Solutions (http://www.archerenergysolutions.com/) and a trusted independent advisor dedicated to the protection and defense of critical infrastructures around the globe.
Particularly where IIoT elements are used within critical infrastructure, I anticipate that supply chain concerns will arise in respect to politics, public opinion, and other perspectives, predicts Miller. To get ahead of this potential source of resistance, organizations must consider how they can best maximize transparency and standardization in the manufacturing process. They will need to build devices according to an agreed-upon open standard that can be evaluated independently in an effort to confirm that only the expected hardware, software, or firmware is included.
Integrally tied to the components of IIoT devices are the steps that researchers have taken to secure them. As noted by Ron Carr, President and Managing Member of Access Control Technologies LLC (ACT), as well as a Business Development Partner for Tripwire with over 40 years of experience in pipeline SCADA communications, this problem affects not only manufacturers and process control operators but also pipeline control operators.
Any thing or device that is controlled by network communication that faces the Internet is vulnerable to being hacked, he observes.
IIoT devices are in no way exempt from this. For example, according to Carr, the brief period of time it takes to plug in a laptop (that has an internet connection) to a flow computer in order to download a software upgrade is all it takes to upload malicious malware such as BlackEnergy (http://www.techtimes.com/articles/19698/20141108/russiantrojanhorseincomputersofuscriticalinfrastructuressince2011.htm) or Stuxnet (http://www.tripwire.com/stateofsecurity/featured/stuxnetusbattackvectorvulnerabilitystillprevalentwithcve20150096ms15018/).
To protect against these and other threats, industrial enterprises should consider how they could integrate an advanced cyber threat protection solution into their network.
Security is a significant concern when it comes to implementing IIoT. However, as with any new technology, technical problems are ultimately no match for issues that divide people and prevent us from working and adapting together.
Perhaps the hardest challenge to overcome is that of breaking silos between different disciplines and departments, notes Gary Mintchell (https://twitter.com/garymintchell?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor), an industry-leading writer on automation, control, software, manufacturing, marketing, and leadership. The famous IT/OT Convergence (http://www.tripwire.com/stateofsecurity/riskbasedsecurityforexecutives/connectingsecuritytothebusiness/theiotconvergencehowitandotcanworktogethertosecuretheinternetofthings/) that has been discussed for many years must happen. Control engineers must upgrade their skills so that they in the very least understand networking and security. And IT engineers and architects must understand the difference between business processes and manufacturing processes.
That is not to say that any of those steps are easy. However, forging new channels of collaboration will benefit the overall enterprise in terms of productivity, profitability, customer service, and sustainability. As Mintchell rightly states, leaders must step up their game to show the way.
The fifth and final key challenge enterprises face when implementing IIoT is safety. This concern relates to how the deep integration of connected devices and physical controls is introducing new methods of attack.
Tim Erlin (https://twitter.com/terlin), a Director, Security, and IT Risk Strategist responsible for Solutions and Strategy at Tripwire, elaborates: There have been safety regulations for many, many years, of course, but they rarely consider how a logical attack might affect a physical result. We've seen the start of these kinetic cyberattacks with Stuxnet and the German steel mill (http://www.tripwire.com/stateofsecurity/securitydataprotection/securitycontrols/cyberterroristsattackoncriticalinfrastructurecouldbeimminent/), but the IIoT drives a growing attack surface. The equation simply isn't the same as it has been for IT security, and we'll need to adapt.
Fortunately, industrial enterprises can leverage the new collaboration channels between IT and OT to their advantage in response to that obstacle.
We must appeal to the history and experience of the OT space and operators, recommends Erlin. IT security should start incorporating safety into their threat modeling and begin consulting with the OT security teams on how to do so. This isn't a case where one group has all the answers. It's truly an opportunity for convergence.
CONCLUSION
The key challenges of implementing IIoT might seem daunting. However, the problems associated with device capabilities, supply chain concerns, security, divides between people, and safety all ultimately demonstrate the extent to which departments, entire enterprises, and manufacturers must work together to navigate this new trend in technology going forward. In every case, there is a course of action available to industries; it's simply up to them how they would like to proceed.
If you work for an industrial enterprise and you would like to learn more about how you can protect your enterprise industrial network, please click here (http://www.belden.com/blog/industrialsecurity/IndustrialNetworking5StepstoBenefittingfromtheIIoT.cfm) to read Belden Inc.'s blog post on five steps enterprises can take to benefit from IIoT.
Alternatively, you can learn more about the state of ICS Security here:
David Bisson (http://www.tripwire.com/stateofsecurity/contributors/davidbisson/) has contributed 559 posts to The State of Security.