Recent IoT Attack on Dyn Calls for Secure By Design

The recent denial of service attack on Dyn, a DNS service company for a huge chunk of the Internet, sure woke up a lot of people.  Somehow when it happens to you, you tend to feel it more.  Twitter, Netflix, Reddit, eBay, and PayPal users certainly felt it when they couldn’t access those sites.  Now that most of us are awake, what can we do about it?

In the short term, not a lot, apparently.  In a recent article about the attack titled Vulnerability Is the Internet’s Original Sin, Fred Kaplan, Internet security expert and author of Dark Territory: The Secret History of Cyber War, points out that from the beginning, designing security into the Internet from the ground up was considered too challenging and costly.

Kaplan tells how, back in 1967, Willis Ware, the head of the Rand Corporation’s computer science department and an NSA scientific advisory board member, wrote a paper warning the ARPANET team and others that “once you put information on a network—once you make it accessible online from multiple, unsecure locations—you create inherent vulnerabilities … You won’t be able to keep secrets anymore.”

The Dyn attack was simple in concept and easy to execute.  The devices used were accessible household appliances and electronics, configured out of the box with simple default user names and passwords like “username”, “password”, and “12345”.  The virus cycled through these default credentials to recruit thousands of devices into a giant collective, which was then coordinated to flood Dyn with traffic.

To prevent this kind of hack, device manufacturers may start updating their devices to ensure more secure usernames and passwords.  But that ignores the elephant in the room.  The fundamental problem is that these IoT devices are available (they are always on, ready to communicate over the internet), they are accessible (they can be seen on the internet), and they are numerous (with numbers growing exponentially).  This combination of availability and accessibility, multiplied by the huge numbers, makes IoT devices perfect for coordinated attacks.  We can be sure that the bad actors are already working hard on defeating username/password protection on IoT devices.

Considering the first of these three critical factors, IoT functionality requires that IoT devices are available for communication.  There is not a lot we can do about availability.  Secondly, the business opportunities and economic promise make device proliferation unstoppable.  We have to expect continued rapid growth.  But we can do something about the remaining critical factor: accessibility.

No IoT device should be sitting on the Internet with one or more open ports, waiting for something to connect to it.  The device can and should be invisible to incoming probes and requests to connect.  A hacker or bot should not even see the device, let alone be given the chance to try a username or password.  That technology exists, is easy and inexpensive to implement, and has been proven in thousands of industrial installations for over a decade.  Governments and manufacturers need to be employing it across the full range of IoT applications.
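A device-side check for the property described above, as an added example that is not part of the original post: it parses Linux `/proc/net/tcp` text and reports TCP sockets in LISTEN state that are bound to non-loopback addresses. The sample table is constructed, and a little-endian, IPv4-only Linux device is assumed.

```python
import ipaddress
import socket
import struct

TCP_LISTEN = "0A"  # state code the kernel prints for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A01A8C0:C350 0A00000A:22B3 01 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1
"""


def decode_endpoint(field):
    """Decode 'HEXIP:HEXPORT' as written by a little-endian kernel (assumption)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def exposed_listeners(proc_net_tcp):
    """Return sorted (ip, port) pairs that accept inbound connections off-box."""
    found = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue  # established/outbound sockets are not listeners
        ip, port = decode_endpoint(cols[1])
        if not ipaddress.ip_address(ip).is_loopback:
            found.add((ip, port))
    return sorted(found)


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live table on a Linux device
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample
    listeners = exposed_listeners(table)
    for ip, port in listeners:
        print(f"listening on {ip}:{port}")
    # A device that only dials out should report nothing here.
    print("no inbound listeners" if not listeners else f"{len(listeners)} found")
```

IPv6 listeners appear in `/proc/net/tcp6` and are not covered by this check.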

IBM Realizes the Value of the Industrial IoT

A recent report in Fortune magazine claims that one of the key areas for growth at IBM this year has been its Industrial IoT (“IIoT”) business.  In the past 9 months alone, the number of their IIoT customers shot up 50%, to 6,000.  The area of IIoT is one of IBM’s “strategic imperatives”, which contributed an overall increase in growth of 7% for the company.  In contrast, the more traditional hardware and services areas experienced a 14% decline year-on-year.

The report quotes a survey released last month from IDC (International Data Corporation) that found the trend towards IIoT implementation is increasing industry-wide. Over 30% of the companies participating in the survey have already launched IoT initiatives, and another 43% expect to do so in the coming year.  “This year we see confirmation that vendors who lead with an integrated cloud and analytics solution are the ones who will be considered as critical partners in an organization’s IoT investment,” said Carrie MacGillivray, Vice President, Mobility and Internet of Things at IDC.

Results of the IDC survey of 4,500 managers and executives from a wide range of industries in over 25 countries suggest that many companies have completed proof-of-concept projects, and are now moving towards pilot implementations and scalable IoT deployments.  This trend is acknowledged by Bret Greenstein, IBM’s vice president for IoT platforms, who commented in the Forbes interview, “There was so much tire-kicking a year ago. Now you are seeing adopters in every single industry actually building solutions.”

What is driving this demand for IoT among IBM’s customers?  The Forbes article didn’t say, but the IDC survey found that much of the value of the IoT is seen to be internal to the company itself, to become or stay more competitive.  Respondents cited boosting productivity, streamlining procedures, and cutting costs as reasons for implementing the IoT, rather than any direct services or other benefits for customers.

Although the IDC survey was for the IoT in a broad range of industries, including manufacturing, retail, utilities, government, health, and finance, its results correlate with the experience of IBM in the Industrial IoT.  The company plans to bring on 25,000 new people for IIoT-related projects and services worldwide, with 1,000 of them in their Munich global IoT headquarters alone. As we see it, both the survey results and the experience of IBM point to a common reality: the Industrial IoT is quickly moving into the mainstream.

Security Framework for Industrial IoT Built on Trust

Ultimately, it comes down to trust.  When someone hears about the Industrial IoT, and asks, “What about security?” what they probably mean is, “Should I trust it?”  Without trust, things get complicated, bog down, and sometimes stop moving altogether.  Without trust it’s difficult to build anything—a team, a business, or a family.  And among other things, trust depends on security.

Recently the Industrial Internet Consortium (IIC) published a paper titled Industrial Internet of Things Volume G4: Security Framework, that outlines a comprehensive security framework for the Industrial IoT (IIoT).  In the introduction, the paper outlines five key system characteristics that build trust: security, safety, reliability, resilience and privacy.  The IIC paper then describes how these characteristics must be infused into the IIoT for industrial users to trust it.

It says, “A typical Industrial Internet of Things (IIoT) system is a complex assembly of system elements. The trustworthiness of the system depends on trust in all of these elements, how they are integrated and how they interact with each other. Permeation of trust is the hierarchical flow of trust within a system from its overall usage to all its components.”

Trust is fundamental to the Security Framework

The idea is that for trust to permeate through the IIoT system—for the users to trust it—the system must be trustworthy from the ground up.  First, the components or building blocks of the system must be trusted.  Next, the system builders need both to trust these components and to put them together in a trustworthy way.  When all is checked, tested, and functioning well at these two levels, and the system meets the specifications of the system users, then the users will begin to trust the system.  Trust will permeate down from the users to the system builders, and ultimately to the components and those who supply them.

Skkynet’s secure-by-design approach to the IIoT follows this model.  At the level of components, our software and services have been installed in hundreds of mission-critical systems.  The system integrators who work with these components trust them, because they have seen how they perform.  Using DataHub® and SkkyHub™, they have been able to deliver highly-trusted, well performing systems.  Plant managers and owners are satisfied with these systems, and have extended their trust to the system integrators, as well as to the software and services.

How the IIC’s Security Framework applies specifically to Skkynet’s SkkyHub, DataHub, and ETK is well beyond the scope of one blog—more needs to be said, and is coming soon.  The Security Framework concepts are familiar to us, as we have been incorporating them for years in the secure-by-design approach we take in developing our software and services.  We are pleased that the IIC has published this paper, and consider it a valuable resource for gaining a better understanding about security and the Industrial IoT.

Manufacturers and Machine Builders Weigh In on IIoT

With all the conversation swirling around about Industry 4.0 and the Industrial IoT, you sometimes have to wonder what’s actually trickling down to those people who are expected to buy in, like manufacturers and machine builders.  The bottom line is that someone is going to have to invest in the IIoT, and they expect to get a return on that investment. IIoT proponents are counting on manufacturing companies and OEMs to put some skin in the game.  But who is talking to them?

At least one person is.  Larry Asher, Director of Operations at Bachelor Controls Inc., a certified member of the Control System Integrators Association (CSIA), has been meeting with long-term customers in a number of industrial fields, and asking them for their thoughts on the IIoT. Their responses indicate an overall positive view of the potential.

Asher first reiterates a growing understanding that the IIoT is not just a new term for industrial networking, or SCADA as usual.  He says, “Though it is true that networking has existed as part of industrial control solutions for many years, traditional isolated control networks will not support the level of integration required for large-scale data and analytics, nor will they support the number of connected devices that will be a part of IIoT-based solutions. IIoT-based solutions demand connectivity, accessibility and security, making the network infrastructure critical.”

He then shares the insights garnered from his conversations, organized into four areas that the IIoT is expected to impact: data analysis, mobile/remote access, supply chain integration, and preventative maintenance.

Summary of Insights

Here is a summary of how the manufacturers and machine builders he met with view the impact of the IIoT:

Data and Analytics: Everyone agrees that investing in IIoT to enhance data collection and develop more sophisticated and powerful analytics is a good thing.  Applying this higher level of analysis is already impacting procedures and control implementation on the plant floor. Some manufacturers are even revising company organizational structures to bring in people who can maximize performance and profit using IIoT data.

Mobile/Remote Access: Access to data via mobile devices and/or from remote locations has seen less interest, but that is expected to change.  Right now the implementation is fairly low, despite the significant number of products and options available, perhaps due to a perception of high cost.  But, as Asher reports, “mobility remains as a central theme and poised for rapid growth with a change in the value proposition.”

Supply Chain Integration: As to supply chain integration, there was a wide range of experience.  Some saw little or no difference between current practices and what the IIoT has to offer, while others reported that the integration is so complete that suppliers now effectively have direct access to user inventory levels.

Preventative Maintenance: Manufacturers and OEMs alike appreciate the value of IIoT-based preventative maintenance.  With machines and equipment connected directly to the vendor, manufacturers can automatically generate maintenance work orders or request spare parts.  Vendors gain a competitive advantage when they are able to monitor and remotely service their equipment 24/7, which also provides them with a source of recurring revenue.

Overall, the views of those at manufacturing plants responsible for ensuring ROI validate the practicality and cost-effectiveness of the Industrial IoT.  As word gets out, and more decision-makers understand the benefits, we expect to see increased levels of adoption.

System Integrators Defend Their IIoT Readiness

A clear sign of a growing opportunity is when people start staking their claims.  Here’s a case in point.  A recent blog in AutomationWorld has caught the attention of system integrators, and from their comments it seems to have rubbed some of them the wrong way.  The blog, The IIoT Integrators Are Coming, by Senior Editor Stephanie Neil, claims that automation system integrators may lose out on IIoT opportunities if they don’t keep up with the technology, leaving the space open for non-industrial IoT companies from the IT world.

Several control system integrators, members of the Control System Integrators Association (CSIA), have responded saying that Neil and the people she quotes are mistaken.  They explain the differences between consumer or business IoT and Industrial IoT, and point out that it is easier for a company that knows industrial automation to add IoT to their portfolio than for an IoT company to learn industrial process control. For example, in the counter-blog We Are Ready for IIoT, Jeff Miller of Avid Solutions makes the case that his company, at least, is ready.

If nothing else, this conversation provides a useful window into what these potentially key players in the Industrial IoT space are thinking.  On the one hand, some realize that IIoT can be a valuable service to offer their customers, and are gearing up for it.  Others are holding back, questioning the value, reluctant to test the waters, and wondering whether this is mainly hype that will evaporate in a year or two.  But, according to Neil, if they wait too long, someone else will swoop in and steal their lunch.  And that person or company may be completely outside the traditional world of industrial system integration.

Who is right?

Our take on this is simple.  Both are right.  First, anyone from the IT realm working in IoT needs to know that there is a real difference between regular IoT and Industrial IoT.  An industrial user of the IoT will have special requirements, different and in many cases far beyond what someone might need for a general business or consumer application. At the same time, system integrators must understand that the knowledge required for building an IoT application is highly specialized. It takes a deep understanding of TCP and working with unstructured data, in addition to the critical issue of Internet security.  Above all, we encourage system integrators to keep an open mind, and treat the IIoT as a new opportunity to better serve their customers.

As to the best approach to take, we see at least two: do it yourself, or partner with someone who provides good tools. We won’t stand in the way of the DIY’ers in the crowd, but for those who value tools, we have an easy and cost-effective way to implement the Industrial IoT that works. It does not require integrators to learn new protocols or build security models. It simply connects to in-plant systems and provides the remote data access that automation engineers expect: secure, bi-directional, and real-time, with no open firewalls, no VPNs, and no programming. And it has a revenue-share model for system integration companies that want to enjoy the financial benefits of the IIoT.

Realizing Profits from the IoT

“Most of us understand that innovation is enormously important. It’s the only insurance against irrelevance. It’s the only guarantee of long-term customer loyalty. It’s the only strategy for out-performing a dismal economy.”

– Gary Hamel, management expert

A recent study from MPI Group, “How Manufacturers are Profiting from the IoT” validates the importance of innovation in IoT technologies.  It shows that there is a strong correspondence between understanding the IoT, implementing the IoT, and benefiting from the IoT.  “A good understanding of the IoT is a strong indicator of better operational performance,” the study said.  “Two-thirds of innovators have fully achieved or made significant progress toward world-class manufacturing status,” the study found.

These “innovators” are defined in the study as those companies most willing to use smart devices and embedded intelligence in their processes, their manufactured products, or both. Contrast that with those in the planning stages, labelled “incipients”, and those with no interest at all, called “indifferents.”  The indifferents, according to the study, “are also indifferent to manufacturing success; a whopping 73% have made—at best—only some progress toward world-class status.”

The take-away here is that those companies that understand the IoT and how to apply it to their businesses have for the most part benefitted, and are realizing profits from the IoT, while those that lag behind risk falling further behind.

Two Areas for Realizing Profits

The study looks at two main areas of implementation of the IoT among manufacturers—in process and in products.  The process areas offering the most profit-making opportunities, according to survey respondents, were shipping and logistics, warehousing, document management, and manufacturing.  The most profit potential from products included adding IoT capabilities to the firm’s own products, as well as selling these capabilities in technologies, devices, software and/or materials to other companies.

There are challenges, of course.  One drawback is that most companies feel that their network infrastructures are not capable of handling machine-to-machine or machine-to-enterprise communications well.  Other top-of-mind challenges to survey respondents were in finding the budget needed for implementation, and in identifying IIoT opportunities.

By the same token, though, when these companies learn how SkkyHub provides IIoT connectivity on existing networks and can be implemented with no capital expenditure, they may find that the Industrial IoT is within their grasp.  Using an end-to-end, secure-by-design IIoT solution that doesn’t cost an arm and a leg, they may find that realizing profits from the IoT is not as difficult as they thought it might be.