Can IoT Win the War on Security?
While the Consumer IoT industry calls for stronger security, the IIoT is meeting the challenge.
Too many IoT devices lack intrinsic security. In a connected world, all it takes is one vulnerable device to bring down an entire network of machines. As you can imagine, this weakness in the IoT heightens fear within supply chain systems, especially in the manufacturing world. Asset-intensive organizations facing the threat of cargo loss, theft, damage and piracy can’t afford to complicate operations by opening the door to sophisticated cybercrime.
However, there’s no reason to believe information and operational blindness is a cost of doing business in 2018. The IoT boogeyman doesn’t exist. IoT adoption is growing in both public and private sectors, impacting all areas of business where asset-rich enterprises operate. According to the IDC, “The IoT use cases that are expected to attract the largest investments in 2017 include manufacturing operations ($105 billion), freight monitoring ($50 billion), and production asset management ($45 billion).”1
Maersk Line, the world’s largest container shipping company, uses real-time IoT data to optimize route planning and asset utilization, track intermodal freight, predict equipment failure, and minimize performance variations. By leveraging the power of the IoT, Maersk reports that the company has saved millions of dollars in operational costs.2
Lost production is easier to recover than your reputation. If you’re ready to embark on the IoT journey, you’ll discover that the IoT can provide you with an ability to cost-effectively balance real-time visibility, security and convenience.
Act I: Ready?
You may say, “Recent online articles describe the IoT as a security crisis. Is there no effective way to secure our vehicles, assets and cargo?” We say yes. Risk exposure haunts the entire IoT industry. However, much of what gets published on IoT security breaches deals with the Consumer IoT (CIoT), not the Industrial IoT (IIoT). That’s not always clear to the reader, and this is where the waters get muddy. To better understand the content covering IoT security vulnerabilities, you need to be familiar with the devices and attacks being written about.
Take IoT botnets, for example. The notorious IoT botnets making headlines are attacks on consumer-grade devices. These attacks target, infect, and hijack IoT-enabled devices, such as smart cameras and routers, which are shipped and sold with default usernames and passwords.3 These login credentials are publicly published and searchable online. If the default username and password aren’t changed by the customer, cyber criminals can recruit that IoT device for their botnet army of machines.
Act II: Aim…
Fortunately, unlike the CIoT, the IIoT hasn’t been plagued by successful exploits. But it hasn’t been ironclad either. According to Verizon’s 2017 Data Breach Investigations Report, the manufacturing and transportation industries faced a fair share of malware attacks, DDoS (Distributed Denial of Service), and cyber-espionage in 2016.4 This shouldn’t deter asset-intensive organizations from digital transformation, though. Trusted IIoT managed service providers emphasize and offer rigorous security architecture for companies that lack the in-house experience or expertise needed to protect IIoT data.
Besides, the technology available to you is also available to your competitors. Companies that avoid or delay IIoT adoption risk losing talented employees, partners, market share, customer loyalty, revenue and competitive advantages. To compete in today’s global economy, companies in the logistics space need better ways to innovate service delivery, maintain equipment, and monitor assets moving through supply chains.
The IIoT can help you reach these new levels. To maximize value from the IIoT, your IoT technology partner must provide real-time data, analytics, advanced reporting, and intuitive applications. However, these functionalities must be secured across four different layers: Device, Network, Cloud, and Application.
The device layer refers to the hardware component of your IIoT solution. IIoT hardware includes devices that monitor asset location, vehicle movement and health, cargo temperature, and machine diagnostics. Devices should be robust and meet military specifications for durability, FIPS 140 requirements for tamper-resistance against physical attacks, and cryptographic module specifications. IIoT devices should also allow over-the-air firmware and configuration updates to maintain the hardware’s software life-cycle.
The network layer refers to network connectivity, which enables data transport between your IIoT device and cloud, server, or hybrid storage. The most popular communication protocol for IIoT deployments is 3G/4G cellular connectivity. Other common communication protocols include Wi-Fi, Zigbee, satellite, and LoRaWAN. The major wireless carriers provide end-to-end encryption security for every IIoT device that connects to their wireless networks. Connectivity for the other communication protocols can also be secured through data service centers like Amazon Web Services (AWS), or with other solutions such as a virtual private network (VPN).
The cloud layer refers to a managed service of virtual servers that allow you to gather, store, aggregate, and analyze IIoT data. Cloud services should be scalable, secure and compartmentalized. Scalable architecture allows you to dynamically access data storage when needed. Also, for maximum security, the cloud layer of your IIoT solution should give you the ability to compartmentalize and control who has access to your data and what they can see.
The application layer refers to software applications that contextualize and visualize IIoT data on desktop and mobile devices. Bringing IIoT data over the Internet and into the hands of users requires multiple layers of security. First, your application must provide strong credential management to prevent the exploitation of weak usernames and passwords. Second, security protocols must tightly govern user roles and permissions. Applications should control each user’s ability to view, create, edit and delete data, as well as provide a hierarchy that sets permissions from object- to field-level.
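The object-to-field permission hierarchy described for the application layer can be sketched as follows. This is an added example, not code from the original article or from any vendor's product; the role names, object type, field names and sample record are hypothetical.

```python
ACTIONS = {"view", "create", "edit", "delete"}

# Hypothetical roles, object types and fields for an asset-tracking application.
POLICY = {
    "dispatcher": {
        "vehicle": {
            "actions": {"view", "edit"},            # object-level grant
            "fields": {"vin": {"view"},              # field-level: read-only
                       "driver_pin": set()},         # field-level: no access
        },
    },
    "auditor": {
        "vehicle": {"actions": {"view"}, "fields": {"driver_pin": set()}},
    },
}

# Constructed sample record, not real telemetry.
SAMPLE = {"id": "TRK-014", "vin": "SAMPLE-VIN-0001",
          "odometer_km": 120455, "driver_pin": "0000"}


def is_allowed(role, obj_type, action, field_name=None):
    """Deny by default; a field rule can only narrow the object-level grant."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    obj = POLICY.get(role, {}).get(obj_type)
    if obj is None or action not in obj["actions"]:
        return False
    rule = obj.get("fields", {}).get(field_name)
    return True if rule is None else action in rule


def redact(role, obj_type, record):
    """Return only the fields this role may view (empty if none)."""
    return {k: v for k, v in record.items()
            if is_allowed(role, obj_type, "view", k)}


def apply_edit(role, obj_type, record, changes):
    """Apply changes only if every touched field is editable by the role."""
    denied = sorted(k for k in changes
                    if not is_allowed(role, obj_type, "edit", k))
    if denied:
        raise PermissionError(f"{role} may not edit: {', '.join(denied)}")
    return {**record, **changes}
```

Unknown roles and object types fall through to a denial, and a field rule is checked only after the object-level grant has passed, so it can restrict access but never widen it.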
Act III: Fire!
The IIoT has ushered in a new era in secure data management. With the IIoT, asset-intensive companies are positioned to use actionable data for reducing costs and increasing profitability.
Manufacturers are deploying the IIoT for many different use cases. Facilities managers, for example, can use IIoT devices to monitor equipment vibrations to quickly detect and predict problems so that preventative maintenance can be performed before breakdowns occur. Building owners are also finding creative use cases for IIoT solutions in the areas of building automation, energy reduction, environmental sustainability, and facilities/machinery monitoring and maintenance.
Similarly, motor carriers and construction companies are empowering fleet and maintenance managers with IIoT devices to improve logistics operations. GPS trackers can simultaneously monitor movement and engine diagnostics. The data gathered from these devices can help reduce heavy equipment theft, miles driven, wasteful idling, poor driving behaviors, late deliveries, and costly vehicle breakdowns.5
In Flagstaff, Arizona, the Northern Arizona Intergovernmental Public Transit Authority (NAIPTA) relies on an IoT-enabled transit asset management solution to help transport millions of riders per year.6 Because of the IIoT, NAIPTA is now capturing approximately 85% of the work the facilities team is performing at each stop. This data can now be used to make smarter decisions and run a more efficient organization. Also, when the city planning department wants to develop new bus stops along a new route, this data can be used to plan for costs and resources with more accuracy.
Security is the IoT’s Achilles’ heel. Again and again, hackers have revealed fatal flaws in IoT architecture. But history is replete with patterns that can teach us a lot about security. From castle walls to moats to cannons, innovations in protection are largely responses to the advancements by attackers. The IoT isn’t perfect, but you’re more secure with it than without it. Is the IoT worth the risk? Yes, because the biggest risk is not taking a risk.
(first published in IAM USA Newsletter Issue 6 – Q2 2018)
1 IDC. June 14, 2017. Worldwide Spending on the Internet of Things Forecast to Reach Nearly $1.4 Trillion in 2021, According to New IDC Spending Guide.
2 Maersk. February 10, 2016. Smart containers listen and talk.
3 Krebs on Security. January 17, 2017. Who is Anna-Senpai, the Mirai Worm Author?
4 Verizon. 2017. Verizon’s 2017 Data Breach Investigations Report.
5 ThingTech. December 6, 2017. Aubrey Silvey Enterprises Prevents Heavy Equipment Theft with Real-Time Asset Tracking [Case Study].
6 ThingTech. February 1, 2018. NAIPTA Relies on ThingTech to Transport Millions of Riders Per Year [Case Study].