IOT World conference observations – Cyber security of process sensors still not on the radar screen

I attended IOT World in Santa Clara, CA May 14-16, 2019 which also included the SiliconValley AgTech Conference May 13th. The demonstrations and presentations of IOT and big data analytics were incredible. Between AI and machine learning, it appears possible to provide real time machine health and remaining equipment life which has been a long-time dream. These prognostications also extend to sensors by monitoring Ethernet IP sensor packets. However, there was effectively no discussions of sensor data before they became Ethernet packets. As there is no cyber security or authentication in legacy process sensors, IOT data analytics are based on untrusted data and this was not questioned. It also implies the industrial clouds are based on untrusted data.

 A related issue were the discussions by CISOs on cyber security. The "I" in CISO is for "Information". Therefore, CISOs will be aware of network considerations, but may not be cognizant about control system issues at the field device level and may not be interacting with Operations and Maintenance management. There is a need to train people that report to the CISO about control system-specific issues in addition to OT network issues. Without this training, the CISO is at risk from missing key information (malicious scenarios that aren't OT network-related) and systems interaction issues (unintentional consequences caused by network security tools and policies) that could be critical to any industrial/manufacturing organization. 

Joe Weiss