Efficient Plant Nov./Dec 2019 - 11

feature | cybersecurity

THE PROMISE OF edge devices and the ability to move
computing to them, while having connectivity to cloud
assets, has never been brighter. The resultant benefits of
being predictive, extending the work force, and delivering
efficiency to operations makes it a must-do consideration.
It is how we, as organizations, need to be effective and deliver to our stakeholders.
Like all promises of change, we can expect some common
challenges and weaknesses. We put our operations at risk
while moving or upgrading from one operational construct
to another. From the corporate board to the worker in the
plant, from the organization changing their operations to
the suppliers and vendors providing the necessary tools,
we all need to address these risks with diligent security
implementation.
Worker awareness, at all levels, is needed to understand
that it only takes one person to place the entire system
at risk. Everyone needs to be aware of the importance of
spotting and addressing insecure configurations and devices
or systems as we work on these daily. This is not a one-anddone approach.

EDGE IMPORTANCE
The edge is a boon for many industrial operations in today's
economy. It has allowed plant expansion and reduced repetitive tasks, leading to improved safety and reduced costs.
Edge is the traditional domain of the operations technology (OT) department. Over time, we extended the
workforce by adding communications paths from the edge
device to management interfaces and then over the internet
using TCP/IP. As our understanding of operations expands,
we're learning to implement ever-increasing capabilities to
manage, interpret, and analyze the generated data.

MIXING OT AND IT
Let's address an area of confusion that is creeping into the
lexicon. IoT generates many concerns in today's threat
landscape as it is synonymous with a wide range of attacks
and lack of protections. With expectation that, by 2020,
there will be more than 5.8-billion enterprise IoT devices
deployed, one can see a cause for some security concern.
However, IoT is quite different from the Industrial Internet
of Things (IIoT) and being able to distinguish between these
definitions is probably the most difficult aspect to understand.

NOV/DEC 2019

So why not describe IoT as simply services for consumers
and consumer electronics? Think of personal wearables, or
set-top digital-video recorders, or today's mobile phones.
They are fully TCP/IP dependent for their communication
mechanism through hard-wire or Wi-Fi systems. These IoT
devices are dependent on the consumer to configure and
maintain them.
Because they are so easy to use, IoT devices are becoming
a portion of "shadow IT devices" deployed in the workplace and are being attached to corporate networks. Many
of these IoT devices have a very short market lifespan,
compared with an industrial device, and they have little in
the way of support from the supplier/vendor. Besides initial
setup, there is little action taken by the user for support.

IIOT DEVICES
IIoT is primarily focused on commercial devices/applications with long use or dwell times, in operation for 10 to
50 years or more. IIoT is normally a part of a system or set
of systems working an industrial process with sustained
support, a secure development lifecycle (SDLC), and a
robust incident-response team from the vendor. With
system lifecycles measured in decades versus years, there
is a completely different support, security, and operational
construct at work. Initially IIoT was established for use on a
communication network separate from serial communication to modem, radio (high-frequency), cellular, and later,
of IT networks using TCP/IP.
Even within IIoT, there is a spectrum of what is doable
when it comes to security and configuration changes.
Looking at a device that has been in use for decades, you
will most likely see that it was originally part of OT serial
communications. Later it became attached to the IT network over TCP/IP. That was a boon in being able to manage
devices over broad areas. What legacy devices are missing is
the ability to be updated over the air, and to have a changeable user identity (UID) and password. In essence, legacy
OT does not have the ability to make system-wide changes
or quick changes, if at all.
Devices manufactured in the past ten years or so have
likely been capable of being attached to the network, simplifying operations and networking. They normally allow
UID and passwords to be changed, however, in day-to-day
operations. This is not done consistently. This one option
of being able to change access to the device and network
EFFICIENTPLANTMAG.COM |

http://www.EFFICIENTPLANTMAG.COM

Efficient Plant Nov./Dec 2019

Table of Contents for the Digital Edition of Efficient Plant Nov./Dec 2019