Industrial automation technology and business computer systems have historically operated on separate and distinct networks, using different protocols, different hardware, and different security frameworks.
For example, it was a full decade between the birth of Microsoft Windows and the release of a version of Windows that was adopted with a reasonable degree of comfort about security and stability in the automation and controls industry (Windows NT). Even today, Programmable Logic Controllers (PLCs) are a widely accepted standard for industrial systems, alongside embedded controllers, PID controllers, and other formats.
However, over the last decade, a new model has evolved with the stated goal of engaging industrial systems on a wider communications framework using standard protocols such as TCP/IP. Starting with Supervisory Control and Data Acquisition (SCADA) systems and now moving directly into full Industrial Control Systems (ICSs) and Distributed Control Systems (DCSs), the Industrial Internet of Things (IIoT) model seeks to converge information technology (IT) and operational technology (OT). The end goal of this is to gain the benefits of enabling sensors and machine-to-machine communications that inform upstream platforms and enable real-time decision support, supported by AI and machine learning.
A consumer-facing example of this is automotive guidance and communication systems. Typically, such guidance and communication systems have run on completely localized, non-networked custom hardware and software whose only connection to the ‘outside world’ has been the occasional onboard diagnostics assessment by a repair shop. With the advent of OnStar in the late 1990s, this began to change as early wireless technology — originally limited to voice communication augmented with GPS — began to receive more and more sensor inputs from the vehicle itself.
We also know that such connections make hacking dangerously possible, as has been proven by repeated penetration tests in which ethical hackers have gained direct control over steering, acceleration and other safety-critical functions simply by tapping into these wireless connections.
If such connections can threaten to crash a single car, we can all imagine what such connections could do — if not properly protected and monitored — to an entire process plant, chemical factory, power generation station, or other high-risk environments.
Some industrial control professionals have fallen back on a very understandable answer and insisted that the only practical solution is to maintain a true ‘air gap’ between the industrial network and other systems — literally, the physical isolation of space between the platforms, so that they physically do not interlink.
However, air gapping is not a guaranteed-safe strategy, and some experts have referred to it as a foolhardy one to boot. The first reason is simply that it can generate a false sense of security. This concern is further exacerbated by the fact that most industrial networks have thousands of endpoints, and it is often unlikely or impractical that all of them are truly isolated from other systems.
In addition, air gaps don’t necessarily account for the second most common hacking model for isolated systems, which is simply to plug in an infected USB drive, CD-ROM, or other piece of portable hardware and breach the ‘air gap’ in a matter of seconds.
If we conclude with all reason that air gapping is more of a wishful hope than a practical strategy, the question then becomes: what do we do, and is IIoT a means of exacerbating security risks or actually reducing them?
The answer is yes…and yes.
What IIoT really shows is that industrial networks must be treated with the same level of security focus and sophistication as all other kinds of networks. Industrial automation professionals can no longer assume that the ‘real risks’ are borne only by front-office systems, since the reality is that all technology platforms and networks now exist on the same plane, with the same overall risk profile.
Industrial network professionals would do well to learn from their colleagues in banking and financial services, who have relied on more traditional front-office platforms for years and yet have successfully faced the risk of extremely serious consequences from hacking or system failure.
The key to IIoT safety over the long term will be in the understanding and rigorous application of core security standards across the systems, software, hardware, and components that make up these networks. This is not a foreign concept to the world of industrial automation. After all, the modern intrinsic safety standards for control systems located in hazardous areas were first developed in the 1960s and later adopted successfully worldwide, across thousands of products and solutions.
Ultimately, the solution to industrial network security in the IIoT age is to embrace tools and protocols that can help ensure a secure end-to-end environment for mission-critical and safety-critical operations. These include end-point monitoring, industrially hardened firewalls, physical VPNs, and an overall network security strategy that considers all components fully — from controllers to sensors and beyond.