December 2022, the US Government Accountability Office (GAO) issued Critical Infrastructure Actions Needed to Better Secure Internet-Connected Devices (GAO-23-105327). According to the GAO report, Internet of Things (IOT) generally refers to the technologies and devices that allow for the network connection and interaction of a wide array of “things” throughout such places as buildings, transportation infrastructures or homes. According to the report, every critical infrastructure sector has its own types of IOT devices. However, control system devices such as process sensors and actuators are not unique and are common to industrial and manufacturing applications.
According to NIST, IOT technology acts as a bridge between OT, which includes sensors and actuators, with IT, which includes data processing and networking. Industrial Internet of Things (IIOT), a subset of the broader IOT, encompasses the connected sensors and other devices to machinery and vehicles. IIOT leverages many of the same technologies as IOT and applies them to industrial and manufacturing environments within critical and other infrastructures.
There is confusion as to the differences between IOT, IIOT and process sensors. I consider IOT devices to be those used in “Fitbits and refrigerators.” IIOT devices generally are wireless devices used for supplemental information for big data analytics, not for real-time control. Process sensors are used in “power plants and pipelines” for real-time monitoring and control of physical processes. Process sensors have direct and indirect connectivity to the Internet but without cyber security capabilities - https://www.controlglobal.com/blogs/unfettered/a-vulnerability-worse-than-log4j-and-it-can-blow-up-facilities-and-shut-down-the-grid/.
The GAO report references many NIST reports but does not address the distinctive cyber security issues with legacy process sensors. Specifically, the GAO report references NIST Special Publication (SP) 1800-10 Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector. The NIST report states “In this project, the focus was on the engineering workstations and not on the manufacturing components. It is acknowledged that many of the device cybersecurity capabilities may not be available in modern sensors and actuators.” The GAO report also does not address the International Society of Automation (ISA) Industrial Automation and Control Systems ISA/IEC-62443 series of standards that includes process sensor and IIOT devices.
According to GAO, the scope of the report was governed by a legislative mandate in The Internet of Things Cybersecurity Improvement Act of 2020, which (along with conversations with GAO’s Congressional clients), dictated the terms of GAO’s review. In a December 5, 2022, e-mail to me from GAO, GAO acknowledged the report did not address the control system cyber incidents in my blog https://www.controlglobal.com/blogs/unfettered/blog/21438102/more-than-17-million-control-system-cyber-incidents-are-hidden-in-plain-sight.
Next steps
The GAO e-mail stated that given the importance of actual control system cyber incidents, GAO anticipates conducting future reviews. This is critical for GAO’s congressional sponsors and other government organizations to understand that process sensors are not being addressed by the term “IOT.”
GAO also needs to clarify that cyber security issues specific to IOT such as consumer labeling are not applicable to process sensors.
There is a need for industry and standards organizations to clearly define the difference between IOT, IIOT and process sensors.
There is a need for industry and standards organizations to address the lack of cyber security and authentication in legacy process sensors and IIOT devices.
Joe Weiss
