Productivity gains in the industrial sector have shrunk to 1% over the past several years. Every ounce of benefit from lean manufacturing and Six Sigma has been realized. Industrial companies are turning increasingly to digital investments to find new levels of productivity, production, and profit. As investment in digital transformation grows, so does the risk of cyber security incidents.
GE Digital spoke with Sivakumar (Siva) Narayanaswamy, Research Manager at Frost & Sullivan, to discuss key trends in the IIoT and how companies should approach cyber security to gain the most from their digital investments.
GE Digital: What trends are you seeing in Industrial Internet of Things (IIoT) adoption — are industries largely in ‘test’ mode, or are we beginning to see broader rollout of IIoT, or somewhere else in the adoption cycle?
Sivakumar: Frost & Sullivan research highlights that the opportunity presented by the Internet of Things (IoT) in industrial manufacturing, including heavy industries, is becoming more beneficial to organizations as the technologies available to them continue to mature. The adoption of IoT in the industrial manufacturing sector, better known as the Industrial Internet of Things (IIoT), has led to improved automation in production management and greater transparency in the supply chain.
However, Frost & Sullivan research, which includes focus groups in the U.S. and Europe, indicates that while Tier 1 companies are better positioned to invest in new technologies beneficial to smart manufacturing, Tier 2 and 3 companies (small and medium enterprises) are more concerned with the ROI of their technology investments. This means they are willing to wait to adopt the technologies that drive IIoT to mature, when they can afford to invest. The future development of IIoT requires synergetic efforts from all three stakeholders (solution providers, end-users and policy makers) to boost reliability and deliver massive societal benefits. Such collaborative efforts could result in wider awareness among end users about the immense potential of IIoT and ultimately lead to higher demand for new services. IIoT requires the analytical talent of data scientists. However, most research participants agree that current educational offerings are not up to this challenge.
GED: Which industries are further along the digital transformation journey?
Siva: The use of analytics and technologies to better understand assets and customer behavior is changing businesses. The real-time data availability and the decisions drawn from them have enabled companies to leapfrog their competition. But, quite often, industry leaders consider digital transformation to be a disruption rather than an industry driver when it comes to achieving improvement in operational efficiency.
The adoption of digital technologies to automate work and derive the plethora of benefits is determined by the affordability, leadership, governance (organization structure), and business models that a company adopts. Primarily, adoption of digital technologies is also found to be different based on company size. The cost of adopting the digital technologies becomes a primary factor for small and mid-sized companies. Implementing “cutting-edge digital platforms” in many cases is cost prohibitive and the ROI is a primary question from this segment.
Frost & Sullivan research highlights that discrete industries, particularly semiconductor, IT manufacturing, and food & beverage, have tested and adopted IIoT on the shop floor. The process industry, such as energy organizations, particularly oil and gas, is also in a prime position to benefit from IIoT. Digital Oil Fields, conceptualized a couple of decades ago, are now becoming a reality, driven by the sector’s need to improve production reliability and efficiency. There are, however, security and affordability concerns that must be addressed.
GED: With the promise of benefits from the IIoT, what should companies be thinking about to protect against the threat of a cyber-incident (common mistakes industries make, or things they overlook, or areas that need greater attention)?
Siva: With an eye on the future, contemporary industrial control systems are pushed to operate in tandem with other business systems (IT systems) rather than in silos. To achieve this, companies must move beyond connecting solely to instrumentation/control networks, and leverage additional networks such as corporate networks and the Internet. Connecting to the Internet and other connected devices increases system vulnerabilities and calls attention to the need for company-wide cyber security policies.
Cyber security is often overlooked, as the overall losses involved are small when compared to the revenue made. The perceived benefits and ROI cannot be quantified, making it difficult for companies to invest in cyber security solutions.
However, in critical infrastructure industries, the awareness and investments are slowly on the rise due to the influx of regulatory compliance requirements. Critical infrastructure industries, such as power, oil and gas, and chemicals, have been at the forefront of creating awareness regarding cyber security implications. As a majority of industries move toward the implementation of smart systems and processes, cyber security will have to transition into an in-built solution rather than an add-on feature.
The impact of a security incident in the critical infrastructure industries is far more disastrous than in a traditional IT environment.
GED: A lot gets said about IT and OT security. How are they alike, different, and why does it matter?
Siva: The difference in IT and OT systems can be summarized under purpose, infrastructure / interfaces, connectivity, and the system’s role in the organization. While OT systems operate within the physical world, IT systems are concerned with data. Each operates with its own set of challenges; however, the convergence of these systems has created a whole new set of challenges from the security perspective.
There has been a general shift towards regulatory compliance rather than comprehensive security provision in regard to the converged industries. This is likely to lead to infrastructure insecurity. A prime example of this is the pipeline explosion in Turkey that was managed by hackers with the sole intention to cause destruction and economic loss.
It is estimated that approximately 30 percent of cyber security incidents are categorized as moderate or severe. Traditional IT security solutions cannot detect or protect these vulnerabilities, as the attacks are specifically designed to target the control systems (OT).
GED: In the era of portable media such as thumb/flash drives, and an increasing number of Internet-connected devices, how should companies think about OT cyber security strategy? (example: is air-gapping an effective strategy, how should IT and OT partner for maximum protection, etc.?)
Siva: Air gapping is not a foolproof methodology. Air gapping was considered a reliable tool when OT operated in isolation; however, since the convergence of OT and IT, industrial assets are exposed to persistent threats. HMIs, servers and similar industrial devices are vulnerable to the sophisticated attacks that maliciously delete and destroy critical data.
Modern control systems are dependent on external sources for information in the form of new patches and updated software versions. Installing these updates can potentially expose previously isolated systems to malicious malware. To prevent that, cyber security needs to become an in-built component within individual devices and systems, networks, and ecosystems.
Industrial cyber security also depends on the end-user and OEM provider’s abilities to close the loop between detecting a vulnerability or a threat, responding to it, and preventing it from entering the system. For optimal security, organizations need to be able to detect and respond to threats. Partnerships between solution providers in the IT and the OT ecosystems will be crucial to the development and implementation of end-to-end cyber security solutions for industrial systems.
GED: What approach should industrial organizations take to stay ahead of the threat or what approach should they take to make technological advances?
Siva: The increasing requirement for fast, flexible, and smart systems and processes will drive the implementation of factories of the future. Despite the added advantages of new technologies, such as wearables, artificial intelligence, and quantum computing, the introduction of new technologies also means that security implications become more and more complex, requiring intelligent security solutions. Cyber security relating to industrial automation and control systems is still an unfamiliar concept to most of the critical infrastructure industries, and the impact of a security incident in the critical infrastructure industries is far more disastrous than in a traditional IT environment. Restricting access through multi-factor authentication, restricted location, and restricted process area access can provide acceptable-risk remote access management, especially in harsh operating environments such as offshore rigs.
Data encryption, endpoint and network access management, security intelligence and forensics, and security gateways are becoming mandatory security solutions to protect the different ICS levels. Managed security services (MSS) and the development of a Main Cyber Security Service Contractor (MCSC) capable of assessing, implementing, monitoring, and managing the security lifecycle of the enterprise will become plausible investments.