At the 2016 Structure Security conference, GE's Tom Le explained how a combination of IT and OT are core to securing industrial IoT.
The key to properly securing the industrial Internet of Things (IoT) is a combined approach of IT and OT, according to Tom Le of GE Digital Wurldtech. Le spoke at the 2016 Structure Security conference in San Francisco, where he explained the different challenges facing industrial IoT.
The biggest difference in standard IoT and industrial IoT is that attacks on industrial IoT have a physical impact if they were to be followed through with. While traditional IoT attacks can put data and privacy at risk, Le said, industrial IoT attacks pose a risk of human safety, environmental damage, and massive system disruption.
Le said that he considered endpoints in three tiers, relative to how much the devices are used. Standard endpoints like smartphones and laptops have pretty good security, Le said, but the middle tier of smart appliances and similar, and the low end of connected cameras and other devices have poor security today.
One of the big ideas around industrial IoT security is the concept of an air gap, which is the idea that the industrial IoT system is secure because it is isolated from an unsecured network. Le said that this is a myth for industrial systems, because they are exposed by "indirect connectivity."
Additionally, he said, we are rushing to bring even more unsecured assets online, due to the promise of additional usefulness they may bring.
Another difference between standard and industrial IoT are the assets involved. Assets on the IT side, such as phones, routers, and laptops tend to be replaced every couple years, or can be easily updated.
On the OT side, however, the life cycle can last sometimes as long as 40 years. And, some have maintenance cycles that last years as well. Many of these systems also cannot be updated anymore. Le said that he's aware of thousands of Windows XP hosts that are still managing industrial systems, and updates are difficult for those systems and require an additional cost.
This leads to an interesting truth, Le said, and that is that "the threat of change is often greater than the threat of cyber," when it comes to industrial systems.
Many things that are taken for granted on the IT side of things can cause a major disruption within OT. One example cited by Le was a company that deployed a new printer, and when it began to scan the network, it disrupted many of the key OT systems there. Many of these legacy industrial systems, Le said, weren't designed for modern networks, and companies need to be aware of that when they begin securing them.
In addition to both edge and cloud security, Le said that industrial companies need to look to the proper standards that address industrial systems for their industrial IoT products. What GE is doing, he said, is including cybersecurity out of band for their industrial products. So, a connected turbine or engine will come with an additional piece of technology that will protect it from malicious activity or misconfiguration.
The risks posed by industrial IoT are great, and Le said that what keeps him up at night is the threat of the next big security event that has a physical effect. He gave the example of a German mill that had its blast furnace taken over and controlled by hackers. Hopefully, modern security standards, and addressing both IT and OT, can help prevent future attacks like that.
The 3 big takeaways for TechRepublic readers
- GE's Tom Le said that companies must address IT and OT to properly secure industrial IoT.
- Industrial IoT's risks are different than standard IoT, and they include environmental damage and risk to human safety.
- OT products often have longer life cycles and maintenance cycles than IT devices, and that needs to be realized for proper security.
- How GE is using 3D printing to unleash the biggest revolution in large-scale manufacturing in over a century (TechRepublic)
- IDF 2016: Intel lays out its 5G, IoT strategy (ZDNet)
- Businesses beware: the 'industrial internet of things' is a prime target for cyberattacks (TechRepublic)
- Industrial IoT: From cranes to prototypes, how hackers are digging out new openings (ZDNet)
- How industrial IoT maker APX Labs is teaming with GE and Boeing to put wearables to work (TechRepublic)