5/1/2016 5KeyChallengesfortheIndustrialInternetofThings(IIoT)

THE STATE OF SECURITY

(HTTP://WWW.TRIPWIRE.COM/STATE-OF-

SECURITY/)
News. Trends. Insights.

HOME (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY) FEATURED ARTICLES (HTTP://WWW.TRIPWIRE.COM/STATE-

OF-SECURITY/TOPICS/FEATURED/) 5 Key Challenges for the Industrial Internet of

5 Key Challenges for the Industrial Internet of Things (IIoT)

DAVID BISSON (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/CONTRIBUTORS/DAVID-BISSON/)

DEC 2, 2015 | ICS SECURITY (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/ICS-SECURITY/)

(HTTP://WWW.TRIPWIRE.COM/STATE-

OF-

SECURITY/CONTRIBUTORS/DAVID-

BISSON/)

43 361 56

http://www.tripwire.com/stateofsecurity/featured/5keychallengesfortheindustrialinternetofthingsiiot/ 1/10
5/1/2016 5KeyChallengesfortheIndustrialInternetofThings(IIoT)

TheInternetofThings(http://www.tripwire.com/stateofsecurity/securitydataprotection/securityhardening/the
internetofthingswhysecurityneedstobethefutureofiot/)(IoT)isoneofthemostsignificanttrendsin
technologytoday.Ameldingofinnovationsinthefieldsofcomputingandcommunication,IoTanditssmart
devicesarepoisedtorevolutionizenotonlyusermachineinteractionbutalsothewayinwhichmachines
engagewithoneanother.
AlreadywearebeginningtoseethepermeationoftheInternetofThingsintovariousmarketsectors.One
verticalwhereweseethisdiffusionthemostisinindustry.Indeed,energy,healthcare,automotive,andother
industriesarebeginningtograpplewiththeIndustrialofInternetofThings(IIoT),wheredevicessuchas
sensors,robots,mixingtanks,andinsulinpumpsarebecomingincreasinglymoreconnected.Asnotedina
blogpost(http://www.tripwire.com/stateofsecurity/securitydataprotection/securityhardening/theinternetof
thingswhysecurityneedstobethefutureofiot/)byLaneThames,asecurityresearchandsoftware
developmentengineeratTripwire,thissubsetofIoTholdsmuchpromiseforthefuture.
TheIndustrialInternetofThingswilldrasticallychangethefuture,notjustforindustrialsystems,butalsofor
themanypeopleinvolved,Thamesexplains.IfwecanachievethefullpotentialoftheIndustrialIoTvision,
manypeoplewillhaveanopportunitytobettertheircareersandstandardsoflivingasaresultofcountless
valuecreationopportunities.
ThamesgoesontoidentifyhowIIoTcouldcreateanumberofnewsmartparadigms,suchassmartpower
gridsandsmarthealthcare,aswellasleadtothedevelopmentofnewmanufacturingecosystemsthatare
drivenbyselfaware,autonomicmachines.
Clearly,theIndustrialInternetofThingscanhaveabrightfuture.ButasThamesrightlywarns,thedevilisin
thedetails.DevicesthatcanconnecttooneanotherandoverthewebpotentiallythreatenourIndustrial
ControlSystems(ICSs),securityconsultantLarryVandenaweele(https://twitter.com/lvandenaweele)has
observed(http://www.tripwire.com/stateofsecurity/offtopic/beyondthebasicsoficssecuritygettingitright
fromthestart/).Thosesystemsarevitaltotheoperationoftheutilities,energy,andnuclearsectors.More
specifically,asbusinessrequirementsnecessitatethatindustriesmovebeyondsmartdevicesmerelyasa
meansofcontrol,theymightrunintoobstaclesastheyseektoincorporateIIoTintotheirofficeenvironments.
TherearenumerouschallengesthatindustriescouldfacewhenimplementingIIoT.Herearefivethatstandout
inparticular.

KEY CHALLENGE #1: SETTLING ON DEVICE CAPABILITIES

JeffreyCaldwell,chiefarchitectofsecuritywhooverseestheresearchanddevelopmentforICSand
infrastructuresecuritysolutionsandproductofferingsatBeldenInc.(https://twitter.com/beldeninc),feelsthat
oneofthemostfundamentalchallengesinvolvedwithIIoTtodayisthedifferentsetofdevicecapabilities
availabletomanufacturersandprocesscontroloperators.
Manysolutionsandopportunitiesformachinetomachine(M2M)interconnectivityandcommunicationare
available,andmorearebeingbroughttomarketonaregularbasis,observesCaldwell.WhendeployingIIoT
technologies,wemustthereforethinkovertheafewquestions.Whatinformationshouldbecollected?How
shouldinformationbestored?Howcantheinformationbestbeanalyzed?Andwhatdecisionsshouldbemade
basedontheanalysis?
WhileananalysisofeconomicvalueandROIcanassistindustriesindecidingwheretoincorporateIIoT
technologies,thechallengeofsettlingoncapabilitiesextendsallthewayuptodevicemanufacturers.Joel
Langill(https://twitter.com/SCADAhacker?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor),
anoperationalsecurityprofessionalandindustrialcontrolsystemcybersecurityconsultantwithnearly35years
experienceinindustrialautomationandcontroldeveloping,aswellasthefounderoftheinformationsharing
websiteSCADAhacker.com(https://scadahacker.com/),explainsthatsomemanufacturersarestilltryingto
catchuptothecomplexdemandsofIIoTthings.

http://www.tripwire.com/stateofsecurity/featured/5keychallengesfortheindustrialinternetofthingsiiot/ 2/10
5/1/2016 5KeyChallengesfortheIndustrialInternetofThings(IIoT)

TherealrisktowhatIcallmanufacturingintegrityiswhenproductsandservicesthatmaybewellsuitedfora
typicalofficesettingarepresentedassolvingthesameproblemsinamanufacturingenvironmentwithout
completelyunderstandingtheassociatedrequirements(environmental,hazardousareas,reliabilityand
availabilityofservices,etc.),explainsLangill.Attheendoftheday,thefinalcontrolcomponents(controllers,
sensors,actuators,etc.)thatbridgethecyberphysicalspacearestillbasedontechnologiesthatarenot
commonwithinmostITarchitectures.ThoughEthernet(NoticeIdidnotsayTCPorUDP.)isbecomingmore
prevalentthaninpriordecades,Windowsplatformsarealmostnonexistentbecausetheylackthemostbasic
ofoperationalrequirements.
WhenitcomestonavigatingtheIndustrialInternetofThings,notonlymustindividualindustrialenterprises
carefullyconsiderwheretheywouldliketoimplementIIoT,butalsomanufacturersmustclearlydefine
operationalrequirementsandunderstandthecapabilitiesofthetechnologiestheywishtocreate.This
necessitatesadeepcomprehensionoftherealtimeproductionequipmenttowhichthedeviceswould
ultimatelybeapplied.

KEY CHALLENGE #2: SUPPLY CHAIN CONCERNS

Functionalityisnottheonlyfocusthatmanufacturerswillneedtoaddressinthecomingyears.Costand
industrialreliabilitywillalsoplayapartasearlyadoptersvietomakethetransitiontoIIoT.Asembedded
systemsincreasinglymaketheirwayintoenterprises,theonuswillbeonmanufacturerstomaintainthe
integrityoftheirsupplychains.
ThischallengeisnotlostonPatrickMiller(https://twitter.com/patrickcmiller),aManagingPartneratArcher
EnergySolutions(http://www.archerenergysolutions.com/)andatrustedindependentadvisordedicatedtothe
protectionanddefenseofcriticalinfrastructuresaroundtheglobe.
ParticularlywhereIIoTelementsareusedwithincriticalinfrastructure,Ianticipatethatsupplychainconcerns
willariseinrespecttopolitics,publicopinion,andotherperspectives,predictsMiller.Togetaheadofthis
potentialsourceofresistance,organizationsmustconsiderhowtheycanbestmaximizetransparencyand
standardizationinthemanufacturingprocess.Theywillneedtobuilddevicesaccordingtoanagreedupon
openstandardthatcanbeevaluatedindependentlyinanefforttoconfirmthatonlytheexpectedhardware,
software,orfirmwareisincluded.

KEY CHALLENGE #3: SECURITY

IntegrallytiedtothecomponentsofIIoTdevicesarethestepsthatresearchershavetakentosecurethem.As
notedbyRonCarr,PresidentandManagingMemberofAccessControl
TechnologiesLLC(ACT),aswellasaBusinessDevelopmentPartnerforTripwirewithover40yearsof
experienceinpipelineSCADAcommunications,thisproblemaffectsnotonlymanufacturersandprocess
controloperatorsbutalsopipelinecontroloperators.
AnythingordevicethatiscontrolledbynetworkcommunicationthatfacestheInternetisvulnerabletobeing
hacked,heobserves.
IIoTdevicesareinnowayexemptfromthis.Forexample,accordingtoCarr,thebriefperiodoftimeittakesto
pluginalaptop(thathasaninternetconnection)toaflowcomputerinordertodownloadasoftwareupgradeis
allittakestouploadmaliciousmalwaresuchasBlackEnergy
(http://www.techtimes.com/articles/19698/20141108/russiantrojanhorseincomputersofuscritical
infrastructuressince2011.htm)orStuxnet(http://www.tripwire.com/stateofsecurity/featured/stuxnetusb
attackvectorvulnerabilitystillprevalentwithcve20150096ms15018/).
Toprotectagainsttheseandotherthreats,industrialenterprisesshouldconsiderhowtheycouldintegratean
advancedcyberthreatprotectionsolutionintotheirnetwork.

KEY CHALLENGE #4: BRIDGING THE GAPS THAT DIVIDE US

http://www.tripwire.com/stateofsecurity/featured/5keychallengesfortheindustrialinternetofthingsiiot/ 3/10
5/1/2016 5KeyChallengesfortheIndustrialInternetofThings(IIoT)

SecurityisasignificantconcernwhenitcomestoimplementingIIoT.However,aswithanynewtechnology,
technicalproblemsareultimatelynomatchforissuesthatdividepeopleandpreventusfromworkingand
adaptingtogether.
Perhapsthehardestchallengetoovercomeisthatofbreakingsilosbetweendifferentdisciplinesand
departments,notesGaryMintchell(https://twitter.com/garymintchell?
ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor),anindustryleadingwriteronautomation,
control,software,manufacturing,marketing,andleadership.ThefamousIT/OTConvergence
(http://www.tripwire.com/stateofsecurity/riskbasedsecurityforexecutives/connectingsecuritytothe
business/theiotconvergencehowitandotcanworktogethertosecuretheinternetofthings/)thathasbeen
discussedformanyyearsmusthappen.Controlengineersmustupgradetheirskillssothattheyinthevery
leastunderstandnetworkingandsecurity.AndITengineersandarchitectsmustunderstandthedifference
betweenbusinessprocessesandmanufacturingprocesses.
Thatisnottosaythatanyofthosestepsareeasy.However,forgingnewchannelsofcollaborationwillbenefit
theoverallenterpriseintermsofproductivity,profitability,customerservice,andsustainability.AsMintchell
rightlystates,leadersmuststepuptheirgametoshowtheway.

KEY CHALLENGE #5: SAFETY

ThefifthandfinalkeychallengeenterprisesfacewhenimplementingIIoTissafety.Thisconcernrelatestohow
thedeepintegrationofconnecteddevicesandphysicalcontrolsareintroducingnewmethodsofattack.
TimErlin(https://twitter.com/terlin),aDirector,Security,andITRiskStrategistresponsibleforSolutionsand
StrategyatTripwire,elaborates:Therehavebeensafetyregulationsformany,manyyears,ofcourse,butthey
rarelyconsiderhowalogicalattackmightaffectaphysicalresult.Weveseenthestartofthesekinetic
cyberattackswithStuxnetandtheGermansteelmill(http://www.tripwire.com/stateofsecurity/securitydata
protection/securitycontrols/cyberterroristsattackoncriticalinfrastructurecouldbeimminent/),buttheIIoT
drivesagrowingattacksurface.TheequationsimplyisntthesameasithasbeenforITsecurity,andwell
needtoadapt.
Fortunately,industrialenterprisescanleveragethenewcollaborationchannelsbetweenITandOTtotheir
advantageinresponsetothatobstacle.
WemustappealtothehistoryandexperienceoftheOTspaceandoperators,recommendsErlin.ITsecurity
shouldstartincorporatingsafetyintotheirthreatmodelingandbeginconsultingwiththeOTsecurityteamson
howtodoso.Thisisntacasewhereonegrouphasalltheanswers.Itstrulyanopportunityforconvergence.

CONCLUSION

ThekeychallengesofimplementingIIoTmightseemdaunting.However,theproblemsassociatedwithdevice
capabilities,supplychainconcerns,security,dividesbetweenpeople,andsafetyallultimatelydemonstratethe
extenttowhichdepartments,entireenterprises,andmanufacturersmustworktogethertonavigatethisnew
trendintechnologygoingforward.Ineverycase,thereisacourseofactionavailabletoindustriesitssimply
uptothemhowtheywouldliketoproceed.
Ifyouworkforanindustrialenterpriseandyouwouldliketolearnmoreabouthowyoucanprotectyour
enterpriseindustrialnetwork,pleaseclickhere(http://www.belden.com/blog/industrialsecurity/Industrial
Networking5StepstoBenefittingfromtheIIoT.cfm)toreadBeldenInc.sblogpostonfivestepsenterprises
cantaketobenefitfromIIoT.
Alternatively,youcanlearnmoreaboutthestateofICSSecurityhere:

http://www.tripwire.com/stateofsecurity/featured/5keychallengesfortheindustrialinternetofthingsiiot/ 4/10
5/1/2016 5KeyChallengesfortheIndustrialInternetofThings(IIoT)

What You Need to Know About Industrial Control System...

43 361 56

CATEGORIES FEATURED ARTICLES (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/FEATURED/), ICS SECURITY

(HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/ICS-SECURITY/) , IT SECURITY AND DATA PROTECTION

(HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/SECURITY-DATA-PROTECTION/), INTERNET OF THINGS

(HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/SECURITY-DATA-PROTECTION/IOT/)

TAGS ICS SECURITY (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TAG/ICS-SECURITY/) , IIOT

(HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TAG/IIOT/), KEY CHALLENGES (HTTP://WWW.TRIPWIRE.COM/STATE-

OF-SECURITY/TAG/KEY-CHALLENGES/), SCADA (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TAG/SCADA/),

SECURITY (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TAG/SECURITY/)

(http://www.tripwire.com/register/edrfordummies/?
utm_source=sos&utm_medium=blog_bottom&utm_content=pdf&utm_campaign=edrfordummies)

http://www.tripwire.com/stateofsecurity/featured/5keychallengesfortheindustrialinternetofthingsiiot/ 5/10
5/1/2016 5KeyChallengesfortheIndustrialInternetofThings(IIoT)

0Comments TheStateofSecurity
1 Login

Recommend Share SortbyBest

Startthediscussion

Bethefirsttocomment.

ALSOONTHESTATEOFSECURITY

AnApatheticAfterthought:TheSecurityChallenge TypoHelpedPreventHackersFromStealing$1Bin
oftheHealthcareIndustry BankHeist
2comments2monthsago 1comment2monthsago
jctaylor405Chris,welcometohealthcare!Ireally FaradayDefconTodayIlearnedspellingsomething
enjoyedyourarticleandyourperspectivesonthe COMPLETELYWRONGisa"typo"
healthcareindustry's

CounteringCyberAdversaryTradecraft CryptoransomwareSpreadsviaPoisonedAdson
1commentamonthago MajorWebsites
AvatarKipBoyleIagreewithyou,Matt,that"...technologyis 1comment2monthsago
nottheproblem.Peoplearetheproblem,butpeopleare AvatarjwmortNotnewnews,malwarehasbeenspreadby
alsothe banneradsforyears,it'snowsteppedupwith
ransomwaretaking

Subscribe d AddDisqustoyoursiteAddDisqusAdd Privacy

About David Bisson

DavidBisson(http://www.tripwire.com/stateofsecurity/contributors/davidbisson/)has
contributed559poststoTheStateofSecurity.

View all posts by David Bisson

Follow@DMBisson

(http://www.tripwire.com/state
of
security/contributors/david
bisson/)

TheStateofSecurityNewsletter
Receivethelatestsecuritystories,trendsand
insightsdirectlyinyourinbox.

http://www.tripwire.com/stateofsecurity/featured/5keychallengesfortheindustrialinternetofthingsiiot/ 6/10
5/1/2016 5KeyChallengesfortheIndustrialInternetofThings(IIoT)

Enteryouremailaddresshere...

SignUp

FREE EBOOK

(http://www.tripwire.com/scm/?utm_source=sos&utm_medium=sb

bnr&utm_content=pdf&utm_campaign=scmfordummies)
SecurityConfigurationManagement
ForDummies(http://www.tripwire.com/scm/?utm_source=sos&utm_medium=sb
bnr&utm_content=pdf&utm_campaign=scmfordummies)

Download Now (http://www.tripwire.com/scm/?utm_source=sos&utm_medium=sb-bnr&utm_content=pdf&utm_campaign=scm-for-dummies)

Latest Security News (/state-of-security/topics/latest-security-news/)

ToyMakerUnwittinglyInfectingWebsiteVisitorswithRansomware APR 29, 2016

HackingCompetitionChallengedUKCyberSecurityStudents APR 28, 2016

DecryptionToolReleasedforCryptXXXRansomware APR 27, 2016

ShopwarePatchesCriticalRemoteCodeExecutionBug APR 26, 2016

SWIFTSoftwareHackedinBangladeshBankHeist,FindResearchers APR 25, 2016

POPULAR FEATURED RECENT

SlackSecurityPracticesCouldLeadtoHackersEavesdroppingonCorporateInternal
ChatSystems(http://www.tripwire.com/stateofsecurity/latestsecuritynews/slack
securitypracticesleadhackers/)
http://www.tripwire.com/stateofsecurity/featured/5keychallengesfortheindustrialinternetofthingsiiot/ 7/10
5/1/2016 5KeyChallengesfortheIndustrialInternetofThings(IIoT)

APRIL 29, 2016

(http://www.tripwire.com/state
ofsecurity/latestsecurity
news/slacksecuritypractices
leadhackers/)

DecryptionToolReleasedforCryptXXXRansomware(http://www.tripwire.com/stateof
security/latestsecuritynews/decryptiontoolreleasedforcryptxxxransomware/)
APRIL 27, 2016

(http://www.tripwire.com/state
ofsecurity/latestsecurity
news/decryptiontool
releasedforcryptxxx
ransomware/)

SWIFTSoftwareHackedinBangladeshBankHeist,FindResearchers
(http://www.tripwire.com/stateofsecurity/latestsecuritynews/swiftsoftwarehackedin
bangladeshbankheistfindresearchers/)
APRIL 25, 2016

(http://www.tripwire.com/state
ofsecurity/latestsecurity
news/swiftsoftwarehacked
inbangladeshbankheist
findresearchers/)

4KeyStepstoSecuringYourEndpoints(http://www.tripwire.com/stateofsecurity/latest
securitynews/4waystosecureyourendpoints/)
APRIL 25, 2016

(http://www.tripwire.com/state
ofsecurity/latestsecurity
news/4waystosecureyour
endpoints/)

MazarBOTAndroidMalwareDistributedviaSMSSpoofingCampaign
(http://www.tripwire.com/stateofsecurity/latestsecuritynews/mazarbotandroid
malwaredistributedviasmsspoofingcampaign/)
APRIL 24, 2016

(http://www.tripwire.com/state
ofsecurity/latestsecurity
news/mazarbotandroid
malwaredistributedviasms
spoofingcampaign/)

http://www.tripwire.com/stateofsecurity/featured/5keychallengesfortheindustrialinternetofthingsiiot/ 8/10
5/1/2016 5KeyChallengesfortheIndustrialInternetofThings(IIoT)

(http://bit.ly/1Kb6rne)

Tweetsby@TripwireInc
Tripwire,Inc.@TripwireInc
Takeawaysfromthe2016VerizonDataBreachInvestigationsReport
bit.ly/1qXDidkvia@DMBisson#data#breach

Takeawaysfromthe2016VerizonDataBreachInvestigationsReport
Herearesomeimportanttakeawaysfromthe2016VerizonDataBreachIn...

Embed ViewonTwitter

Tripwire
6,431likes

LikePage SignUp

Bethefirstofyourfriendstolikethis

Topics (/state-of-security/topics/)

Government

ICS Security

Incident Detection

http://www.tripwire.com/stateofsecurity/featured/5keychallengesfortheindustrialinternetofthingsiiot/ 9/10
5/1/2016 5KeyChallengesfortheIndustrialInternetofThings(IIoT)

IT Security and Data Protection

Latest Security News

Off Topic

Regulatory Compliance

Risk-Based Security for Executives

Security Awareness

Security Slice

Tripwire News

Vulnerability Management

2016 TRIPWIRE, INC. (HTTP://WWW.TRIPWIRE.COM/) ALL RIGHTS RESERVED.

FEATURED ARTICLES (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/FEATURED/)

TOPICS (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/)

ABOUT (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/ABOUT/)

CONTRIBUTORS (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/CONTRIBUTORS/)

PRIVACY POLICY (HTTP://WWW.TRIPWIRE.COM/LEGAL/PRIVACY/)

TRIPWIRE.COM (HTTP://WWW.TRIPWIRE.COM/)

TheStateofSecurityNewsletter
FOLLOW US
Receivethelatestsecuritystories,
trendsandinsightsdirectlyinyour
inboxeachweek.

Enteryouremailaddresshere...

SignUp

http://www.tripwire.com/stateofsecurity/featured/5keychallengesfortheindustrialinternetofthingsiiot/ 10/10