Blog post

Addressing security within Industrial IoT

Admir Abdurahmanovic

There is an increasing buzz about Industrial Internet of Things (IIoT). More and more are talking about it, the field is growing and PrimeKey was recently invited to speak to Swedish industries about IIoT and about the security implications it entails. There is definitely something interesting going on in the market here.

It seems inevitable that computerized components will be added to almost everything from tools and machines, all the way to even raw materials. For some companies, this may be a decision between closing operations or transforming a 40 years old factory into a 21st century on-demand, always-connected modern facility. The clear majority of industrial companies sees movement towards IIoT as critical for their future, although the relative majority prefers to observe how the market and technologies evolve rather than immediately react to new trends. Just about a third of industry belong to the extremes in the sense that they either already have detailed IoT roadmap with a solid regional or enterprise-wide plans; or no plans yet. The rest has limited to modest ambitions – starting from pilots, projects and learning focus, moving to clearer business goals with small footprint. The industries are slowly but steadily getting connected and it is said that the factories will become “smart”. But - Becoming smart should not mean being naïve when it comes to security! A successful attack on IIoT may stop a factory, blow up a facility and in some circumstances, be used as an act of warfare. If anything, the security people agree on things will get worse, without even adding “before getting better”. Intellectual property thefts are “old news”. The current buzzword is ransomware. To come to terms with security solutions for IIot, PrimeKey suggest you have a think about the following:

Open and well-tested standards

Open standards give ability to integrate with different systems and “repeal and replace” an inadequate solution with something better, faster, larger and hopefully more secure. Today there are myriads of “closed” standard and initiatives that wish to make their mark on industry in general, or address a vertical. In the security field, we understand that we should only bring in “new” stuff when it is well-tested and it makes sense to replace the old stuff. It can be argued that the “new” is not the right word here, in many senses. Currently, we see two important trends within our area of security – blockchains and post-quantum cryptography. At PrimeKey we are addressing both, but we think that none are ready for prime-time yet, due to lack of standardization and need for further rigorous research before making general availability.

Ownership of data and data-flows

The emergence of service providers that “encapsulate” the old-style companies and connect them to the rest of the world, delivering new market opportunities. However, this means that these service providers may have access to data and data-flows that are not “theirs”; which may enable the providers with information and control to “turn off” the very company they were supposed to serve. Obviously, the un-authorized collection or alternation of data much be avoided, but this is not a news. At PrimeKey, we build our products so that we can not interfere or alter data that belongs to our customers. For us this is natural approach, based on our values and on scientific approach in cryptography. Even more so, we have (hardware) products that help put other software into secured execution environments, providing both physical and logical protection of mission critical data and software.

Plan for robustness and resilience

As much as open standards are good if one needs to replace something; it is imperative that things work 100% of time. While for serving consumers, it may be OK to have what is coined as “ephemeral services”, for an industrial control system it may be out of question. A cloud is not 100% up. There are some cloud providers that focus more on industry and deliver better on as-an-Infrastructure aspects. However, there is always question how a factory is to be connected to the cloud itself and is this connection always there? At PrimeKey, we design our products so that redundancy in deployments and recovery from an internal or external malfunction are part of feature set.

Plan for adoptability and change

While robustness is important, it can not be so rigid to become its own paradox - fragile. “Doing IIoT” should be planned and done so that one can switch between service and technology providers or even use more than one provider. Delivered technologies should be upgradeable as to accommodate to new requirements that will emerge in future. At PrimeKey, our products are consistently maintained and we release updates quite frequently, bringing new features and improvements. It goes without saying, the updates are delivered so that there is an upgrade path from a previous product release.

Observe regulations; local and global

In Europe, a hot marketing buzzword is General Data Protection Regulation, GDPR. It is important to be compliant here, since this regulation also brings punitive measures that are very high. In some countries, it is mandated that service providers are local geographically or legally, or both. In such cases, there is nothing to do then to obey. As a Swedish/German company, we deliver globally and being exporters we are very keen to observe all relevant regulations. Furthermore, we work with our local partners to assure compliance that may be based on mandated use of own citizens that control certain sensitive infrastructure.


Siemens HeadquartersRead more

EJBCA Enterprise PKI enables Siemens to rapidly roll out new security technologies to its high security products, in an efficient industrial process. Siemens - Ingenuity for life and safe communications

Admir Abdurahmanovic

Author

Admir Abdurahmanovic

Admir is VP Strategy & Partners and one of the founders of PrimeKey. With a strong background in IT Security and cryptology, he is one of the most experienced PKI experts in the world. Contact Admir: admir.abdurahmanovic@primekey.com +46 708 37 02 37