Trust and the Industrial IoT

They say that in business, it all comes down to trust. American author H. L. Mencken once wrote, “It is mutual trust, even more than mutual interest, that holds human associations together.” To succeed in life, we need to trust people. The same holds true for technology. To succeed in today’s world, we need to trust technology―from products like smart phones and cars to the tools and industrial processes that created them. To whatever extent that we trust technology, we apply it to improve our lives.

But just as there are some people we cannot trust, we should not blindly trust any technology that comes along. Some technologies are more trustworthy than others. So how can you know which ones are best? Take the Industrial IoT for example. Although it offers many benefits, engineers are justifiably cautious in adopting the various IoT technologies available, citing concerns for reliability and security.

Addressing this question, the Industrial Internet Consortium recently published a document titled Managing and Assessing Trustworthiness for IIoT in Practice. It defines trustworthiness as “the degree to which the system performs as expected” and to that end states, “Confidence comes from the assurance that several aspects of the system are under control: security of its data and of its equipment, safety for people and the community, protection of assets, privacy protection of data, reliability of operations and subsystems, and resilience of the system.”

Five Aspects of Trust

The document expands on this idea, locating within both OT (operational technology) and IT five basic aspects of trustworthiness: security, safety, privacy, reliability, and resilience. It shows how each of these may be more or less relevant to the requirements of OT or IT taken separately, and how they are all essential to any Industrial IoT solution. As we see it, this underscores the importance of a truly industrial approach to data communications:

  • Secure-by-design communications should not compromise in any way the security measures that are already in place in a production system. Indeed, the IoT system should measure up to those standards.
  • The safety of plant personnel should not be put into jeopardy as a result of connecting to the IoT.
  • Privacy of data has to be maintained, so that each connecting party gains access only to the information meant for them.
  • Reliability of data transfer must be ensured to the extent possible, given the fact that Internet connections are not 100% stable. Data protocols must be able to indicate the quality (trustworthiness) of the data at every moment so that clients can act accordingly.
  • Resilience of the connection, including the ability to optimize high-speed or low-speed connections over wide or narrow bandwidths, and to recover quickly and gracefully from an outage, keeps the data flowing in the best way possible.

“The network must be built with the expectation of heavy damage,” wrote Paul Baran, one of the developers of ARPANET, precursor to the Internet, back in 1964. So, too, should be the implementation of industrial data communications over the Internet of Things. As with personal relationships, it may be difficult to achieve 100% trustworthiness for this technology. But the value of any Industrial IoT system should be considered in light of how close it comes to that goal.

Security Framework for Industrial IoT Built on Trust

Ultimately, it comes down to trust.  When someone hears about the Industrial IoT, and asks, “What about security?” what they probably mean is, “Should I trust it?”  Without trust, things get complicated, bog down, and sometimes stop moving altogether.  Without trust it’s difficult to build anything—a team, a business, or a family.  And among other things, trust depends on security.

Recently the Industrial Internet Consortium (IIC) published a paper titled Industrial Internet of Things Volume G4: Security Framework, that outlines a comprehensive security framework for the Industrial IoT (IIoT).  In the introduction, the paper outlines five key system characteristics that build trust: security, safety, reliability, resilience and privacy.  The IIC paper then describes how these characteristics must be infused into the IIoT for industrial users to trust it.

It says, “A typical Industrial Internet of Things (IIoT) system is a complex assembly of system elements. The trustworthiness of the system depends on trust in all of these elements, how they are integrated and how they interact with each other. Permeation of trust is the hierarchical flow of trust within a system from its overall usage to all its components.”

Trust is fundamental to the Security Framework

The idea is that for trust to permeate through the IIoT system—for the users to trust it—the system must be trustworthy from the ground up.  First, the components or building blocks of the system must be trusted.  Next, the system builders need to both trust these components, as well as put them together in a trustworthy way.  When all is checked, tested, and functioning well at these two levels, and the system meets the specifications of the system users, then the users will begin to trust the system.  Trust will permeate down from the users to the system builders, and ultimately to the components and those who supply them.

Skkynet’s secure-by-design approach to the IIoT follows this model.  At the level of components, our software and services have been installed in hundreds of mission-critical systems.  The system integrators who work with these components trust them, because they have seen how they perform.  Using DataHub® and SkkyHub™, they have been able to deliver highly-trusted, well performing systems.  Plant managers and owners are satisfied with these systems, and have extended their trust to the system integrators, as well as to the software and services.

How the IIC’s Security Framework applies specifically to Skkynet’s SkkyHub, DataHub, and ETK is well beyond the scope of one blog—more needs to be said, and is coming soon.  The Security Framework concepts are familiar to us, as we have been incorporating them for years in the secure-by-design approach we take in developing our software and services.  We are pleased that the IIC has published this paper, and consider it a valuable resource for gaining a better understanding about security and the Industrial IoT.