Soderbery said some $1.95 trillion of that $14.4 trillion he noted will come in the manufacturing sector.
Security at the Fore
There clearly are many challenges to all this, from converging and merging disparate networks, to harvesting distributed intelligence by pushing analytics out to the data sources, to ease of use, but the one that trumps them all, Soderbery said, is security.
Unless you address those concerns, you can't get started.
So why is IoT security different? One of the reasons is the ‘attack surface.' "Those are places where an attack can be initiated," Soderbery explained. "The attack surface of a factory is large and complex. Remediation also is different. What do you do if you're under attack in the process industry? Shutting down is not a practical or easy response."
Soderbery presented a few simple building block ideas for IoT security. "Access control is more than a firewall," he stated. "You have to be aware of the content on the network through tools like deep-packet-inspection engines. A second thing is the context. What's the device, what data does it produce, is it where it says it is? You can draw some conclusions through the combination of content and context."
All this contributes to improved threat awareness and an understanding of the threat landscape, Soderbery said. Who are the bad guys, what are they trying to do, what actions have they taken or are they taking now?
Mike Assante is advisor and director for the National Board of Information Security Examiners. He currently is the SANS Institute project lead for industrial control system (ICS) and supervisory control and data acquisition (SCADA) security.
He mentioned that the desire for analytics isn't just restricted to the manufacturer and its supply chain. "Companies such as the equipment and machine builders themselves want access to the equipment they sold you and want to better understand the operating envelopes of those machines to help optimize those machines and perform more safely," he said.
Expanding on Soderbery's security remarks, Assante pointed out that the threats in industry are becoming more targeted and structured. "We aren't the only ones investing," Assante reminded the audience. "The cyber underground has been doing it for years, some say to the tune of several billion dollars."
Assante reported that up to 94% of those targeted attacks aren't discovered by the victim until they learn about it through a third-party or learn that some of their information was found on someone else's server. And the mean time before that discovery was a whopping 416 days of what Assante calls ‘free time' for intruders to travel around through that business system.
"In all these reported cases, the companies were up-to-date with their anti-virus solutions in place and used industry security practices, but still were compromised," Assante reported. "It tells us that our conventional security approach isn't working for that type of threat."
So it's time to adapt, Assante proposed. "We're at an inflection point in the effectiveness of traditional defenses."
He said we have to secure our people first. "Automation engineers have to work with cybersecurity personnel and vice-versa to cross-educate their strengths and needs. We don't want to turn automation engineers into security professionals. But this can lead to new approaches to better security. We're setting up guidelines to help do that."
Designing for Security
Frank Kulaszewicz, senior vice president for Architecture & Software, Rockwell Automation, followed by reporting that less than 14% of U.S. manufacturers have tied their machines' intelligence to the enterprise network. As a result, there will be plenty of opportunities for increasing value. But, as we connect, potentials for threats will rise as well.
Kulaszewicz explained the strategic partnership that Rockwell Automation shares with Cisco, which leverages the expertise of both companies to help enhance security going forward, particularly at the device level.
"We're changing the way we do development and we've created a Design for Security process," he said. "Before any Rockwell Automation product leaves our doors it has to be compliant with these Design for Security standards." These include clearly defined specifications and an audit process to identify gaps in performance. They allow us to enhance and improve our products that will help customers evolve their systems to a safer, more secure environment."