The key to properly securing the industrial Internet of Things (IoT) is a combined approach of IT and OT, according to Tom Le of GE Digital Wurldtech. Le spoke at the 2016 Structure Security conference in San Francisco, where he explained the different challenges facing industrial IoT.

The biggest difference between standard IoT and industrial IoT is that attacks on industrial IoT would have a physical impact if carried out. While traditional IoT attacks can put data and privacy at risk, Le said, industrial IoT attacks pose a risk to human safety, along with environmental damage and massive system disruption.

Le said that he considers endpoints in three tiers, relative to how much the devices are used. Standard endpoints like smartphones and laptops have pretty good security, Le said, but the middle tier of smart appliances and similar devices, and the low end of connected cameras and other devices, have poor security today.

One of the big ideas around industrial IoT security is the air gap: the idea that an industrial IoT system is secure because it is isolated from an unsecured network. Le said that this is a myth for industrial systems, because they are exposed by “indirect connectivity.”

Additionally, he said, we are rushing to bring even more unsecured assets online, due to the promise of additional usefulness they may bring.

Another difference between standard and industrial IoT is the assets involved. Assets on the IT side, such as phones, routers, and laptops, tend to be replaced every couple of years, or can be easily updated.

On the OT side, however, the life cycle can sometimes last as long as 40 years, and some systems have maintenance cycles that last years as well. Many of these systems also cannot be updated anymore. Le said that he’s aware of thousands of Windows XP hosts that are still managing industrial systems, and updates for those systems are difficult and come at an additional cost.

This leads to an interesting truth, Le said: “the threat of change is often greater than the threat of cyber,” when it comes to industrial systems.

Many things that are taken for granted on the IT side can cause a major disruption within OT. One example cited by Le was a company that deployed a new printer; when the printer began to scan the network, it disrupted many of the key OT systems there. Many of these legacy industrial systems, Le said, weren’t designed for modern networks, and companies need to be aware of that when they begin securing them.

In addition to both edge and cloud security, Le said that industrial companies need to look to the proper standards that address industrial systems for their industrial IoT products. What GE is doing, he said, is including cybersecurity out of band for its industrial products. So a connected turbine or engine will come with an additional piece of technology that will protect it from malicious activity or misconfiguration.

The risks posed by industrial IoT are great, and Le said that what keeps him up at night is the threat of the next big security event that has a physical effect. He gave the example of a German mill that had its blast furnace taken over and controlled by hackers. Hopefully, modern security standards, together with addressing both IT and OT, can help prevent future attacks like that.

The 3 big takeaways for TechRepublic readers

  1. GE’s Tom Le said that companies must address IT and OT to properly secure industrial IoT.
  2. Industrial IoT’s risks are different from those of standard IoT, and they include environmental damage and risk to human safety.
  3. OT products often have longer life cycles and maintenance cycles than IT devices, and that needs to be recognized for proper security.