
IIoT connection considerations

June 13, 2025
How to avoid cybersecurity risks when incorporating IIoT into your network

Key highlights

  • The article explains why real-time control systems can't rely on cloud connectivity, because of latency.
  • Process engineers must understand how adding IIoT devices increases a facility's cyberattack surface, especially when devices span the OT, IT and DMZ boundaries.

The Internet of Things (IoT) and the Industrial Internet of Things (IIoT) are an important part of facility operations, particularly asset management. However, incorporating IIoT technologies into your network expands your cybersecurity envelope and attack surface, especially when devices are added inside the control environment, or sit outside the operations technology (OT) domain and its demilitarized zone (DMZ) boundary while still talking to it.

For most IoT sensors and actuators (more than 80%), the default data path runs through the cloud. The opposite holds for IIoT devices, where only around 20% are cloud connected; ironically, that is the Pareto Principle ratio. However, the number of IIoT applications and use cases continues to grow. As industry learns how to make effective use of this quasi-real-time data, the number of legacy systems with limited ability to support IIoT data connections will decline, and overall adoption of the technology will continue to grow.

IIoT prioritizes security, reliability and real-time control in the OT domain. Cloud connectivity introduces unpredictable latency, which is unacceptable for real-time control loops, not just on the path from the sensor to the cloud platform, but also on the return path that brings cloud data back into the OT environment. In the typical Purdue model, every message must cross the IT domain, the DMZ and the OT control layer: a minimum of three layers, each with its own cybersecurity devices, and each adding a small lag and another opportunity for misconfiguration.

This lag story played out when wireless sensor networks (WSN) were introduced, and no one was comfortable using them in regulatory control. Some smart folks figured out how to compensate for the delay in the PID algorithms and tuning, so industry now runs control loops over WSN.

Another way to address the lag is to let edge computing devices or industrial gateways act as a secondary layer for analytics and optimization. Deployed within a secure network architecture, they pre-process the data before anything is sent to the cloud platform. These devices perform critical functions such as local decision-making, data aggregation and filtering. They also convert typical industrial protocols, such as Modbus, to lightweight, low-overhead IoT protocols such as MQTT (with TLS), AMQP or HTTPS, and run local analytics, so that only the necessary data leaves the site, and it leaves encrypted. This reduces bandwidth, enhances security (fewer raw data paths cross the OT boundary) and keeps decision-making local.


Edge devices can also act on change of state as part of their pre-processing, for example when image analysis detects a change significant enough to warrant sending the data to the cloud. The consumer-IoT equivalent is the home security system that turns on the yard light and sends an alert to you and your security company when something walks in front of the detector. In the process industries, image analysis tools detect liquid-to-liquid interfaces; in factory automation, they align objects.
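To make the gateway's pre-processing concrete, the following script decodes Modbus TCP register reads, applies a per-tag deadband so only meaningful changes of state are forwarded, and prepares the MQTT payload and the TLS settings for the broker connection. It is an added example for this column, not code from the original article or any vendor's product: the register map, tag names, deadbands, timestamps and Modbus frames are constructed, the `site/<site>/telemetry` topic is an assumed naming scheme, and the actual MQTT publish is left out so the script runs offline.

```python
"""Edge-gateway pre-processing: Modbus TCP reads -> report-by-exception -> MQTT over TLS.

Added example for this column, not code from the original article or any vendor.
The register map, tag names, deadbands, timestamps and Modbus frames are all
constructed for illustration.
"""
import json
import ssl
import struct

# Constructed register map (hypothetical tags): holding register index -> tag, scaling, deadband.
REGISTER_MAP = {
    0: {"tag": "tank1/level_pct", "scale": 0.1, "deadband": 0.5},
    1: {"tag": "tank1/temp_c", "scale": 0.1, "deadband": 1.0},
    2: {"tag": "pump1/running", "scale": 1.0, "deadband": 0.0},  # boolean: any change is reported
}


def parse_modbus_read_response(frame: bytes) -> list[int]:
    """Decode a Modbus TCP response to function 0x03 (Read Holding Registers).

    MBAP header: transaction id (2), protocol id (2), length (2), unit id (1).
    PDU: function code (1), byte count (1), then big-endian 16-bit registers.
    Anything malformed raises ValueError; the gateway drops it instead of
    forwarding garbage upstream.
    """
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header plus PDU")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    func, byte_count = frame[7], frame[8]
    if func & 0x80:
        raise ValueError(f"Modbus exception response, code {byte_count}")
    if func != 0x03:
        raise ValueError(f"unsupported function code {func:#x}")
    data = frame[9:]
    if byte_count != len(data) or byte_count % 2:
        raise ValueError("byte count does not match register payload")
    return list(struct.unpack(f">{byte_count // 2}H", data))


def safe_parse(frame: bytes):
    """Return decoded registers, or None if the frame should be dropped."""
    try:
        return parse_modbus_read_response(frame)
    except ValueError:
        return None


class DeadbandFilter:
    """Report by exception: a tag is forwarded the first time it is seen, and
    afterwards only when it moved more than its deadband since the last value sent."""

    def __init__(self, register_map):
        self.register_map = register_map
        self.last_sent = {}

    def process(self, registers, ts):
        updates = []
        for idx, spec in self.register_map.items():
            if idx >= len(registers):
                continue
            value = round(registers[idx] * spec["scale"], 3)
            prev = self.last_sent.get(spec["tag"])
            if prev is None or abs(value - prev) > spec["deadband"]:
                self.last_sent[spec["tag"]] = value
                updates.append({"tag": spec["tag"], "value": value, "ts": ts})
        return updates


def build_mqtt_message(site: str, updates: list) -> tuple[str, bytes]:
    """Topic (assumed naming scheme) and compact JSON payload for the MQTT publish."""
    return f"site/{site}/telemetry", json.dumps({"updates": updates}, separators=(",", ":")).encode()


def mqtt_tls_context(ca_file=None) -> ssl.SSLContext:
    """TLS settings the gateway should insist on for the broker connection:
    TLS 1.2 or newer, broker certificate verified, hostname checked.
    ca_file is an assumed path to the broker CA bundle; None uses system roots."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def modbus_frame(tid: int, regs: list[int]) -> bytes:
    """Build a constructed function-0x03 response for the demo (unit id 1)."""
    pdu = struct.pack(">BB", 0x03, 2 * len(regs)) + struct.pack(f">{len(regs)}H", *regs)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 1) + pdu


# Three constructed polls: level 45.2 -> 45.5 -> 47.0, temp 21.5 -> 21.6 -> 21.6, pump off -> on -> on.
POLLS = [(1000, modbus_frame(1, [452, 215, 0])),
         (1001, modbus_frame(2, [455, 216, 1])),
         (1002, modbus_frame(3, [470, 216, 1]))]


def run_demo(polls=POLLS):
    """Feed the polls through the filter; returns the list of updates produced per poll."""
    flt = DeadbandFilter(REGISTER_MAP)
    out = []
    for ts, frame in polls:
        regs = safe_parse(frame)
        out.append(flt.process(regs, ts) if regs is not None else [])
    return out


if __name__ == "__main__":
    for updates in run_demo():
        print(build_mqtt_message("plant-a", updates))
```

Of the three polls, only the first forwards every tag; the second forwards just the pump state change, and the third just the level, because the temperature never moves more than its deadband. That is the bandwidth and exposure reduction the column describes, and the strict frame validation is the reason the gateway, not the cloud platform, is the place to reject malformed or unexpected Modbus traffic.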

Network security principles were discussed in previous columns on IEC 62443 and zero trust, and in April's column on WSN cybersecurity. However, because IIoT devices, including edge computing platforms, are so widely distributed, device security must also include:

  • Device visibility: an inventory of every connected device on the network, so that unauthorized devices can be detected, which is fundamental for managing risk;
  • Vulnerability management: regularly identifying and addressing known vulnerabilities, including firmware and software updates for registered IIoT devices;
  • Changing default passwords and implementing strong credential management; and
  • Protecting IIoT devices and infrastructure from physical tampering or theft, particularly in locations where the only protection is an enclosure that can be opened with a multitool.
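The four items above reduce to one recurring check: compare what is actually on the network with what is supposed to be there, and flag the differences. The script below does that over constructed data. It is an added example for this column, not code from the original article or any product; the asset register, the minimum-firmware baseline, the discovery records and the credential-audit flag are all constructed, and the vendor models, MAC addresses and version numbers are hypothetical.

```python
"""Device inventory and baseline check for IIoT devices.

Added example for this column, not code from the original article or any product.
The asset register, the minimum-firmware baseline and the observed-device records
are constructed; models, MAC addresses and version numbers are hypothetical.
"""
from dataclasses import dataclass

# Constructed asset register: what is *supposed* to be on the network, keyed by MAC address.
ASSET_REGISTER = {
    "00:1a:2b:00:00:01": {"name": "vibration-sensor-07", "model": "VS-200", "zone": "OT"},
    "00:1a:2b:00:00:02": {"name": "edge-gw-01", "model": "EG-1", "zone": "DMZ"},
    "00:1a:2b:00:00:03": {"name": "flow-meter-03", "model": "FM-10", "zone": "OT"},
    "00:1a:2b:00:00:04": {"name": "camera-02", "model": "CAM-5", "zone": "DMZ"},
}

# Constructed minimum acceptable firmware per model (hypothetical; in practice this comes
# from the vendor's advisories and your own vulnerability management process).
MIN_FIRMWARE = {"VS-200": "2.4.0", "EG-1": "5.1.2", "FM-10": "1.9.0", "CAM-5": "3.0.0"}

# Constructed passive-discovery records (e.g. DHCP leases plus a banner and credential
# audit you are authorised to run). default_credentials_accepted comes from that audit.
OBSERVED = [
    {"mac": "00:1a:2b:00:00:01", "ip": "10.10.1.21", "zone": "OT", "firmware": "2.4.1", "default_credentials_accepted": False},
    {"mac": "00:1a:2b:00:00:02", "ip": "10.20.0.5", "zone": "DMZ", "firmware": "5.0.0", "default_credentials_accepted": True},
    {"mac": "00:1a:2b:00:00:04", "ip": "10.10.1.40", "zone": "OT", "firmware": "3.1.0", "default_credentials_accepted": False},
    {"mac": "00:de:ad:be:ef:01", "ip": "10.10.1.99", "zone": "OT", "firmware": None, "default_credentials_accepted": False},
]


@dataclass
class Finding:
    kind: str
    mac: str
    detail: str


def parse_version(v: str) -> tuple[int, ...]:
    """'5.0.0' -> (5, 0, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def check_inventory(register, observed, min_firmware):
    """Compare observed devices against the register and baseline; return the findings."""
    findings = []
    seen = set()
    for dev in observed:
        mac = dev["mac"].lower()
        seen.add(mac)
        known = register.get(mac)
        if known is None:
            # Not in the register: an unauthorised device, or an asset nobody recorded.
            findings.append(Finding("unknown_device", mac, f"{dev['ip']} in zone {dev['zone']} is not in the asset register"))
            continue
        if dev["zone"] != known["zone"]:
            # A device seen in a zone other than its registered one is crossing a boundary it should not.
            findings.append(Finding("zone_mismatch", mac, f"{known['name']} registered in {known['zone']} but seen in {dev['zone']}"))
        fw, minimum = dev.get("firmware"), min_firmware.get(known["model"])
        if fw and minimum and parse_version(fw) < parse_version(minimum):
            findings.append(Finding("outdated_firmware", mac, f"{known['name']} runs {fw}, minimum is {minimum}"))
        if dev.get("default_credentials_accepted"):
            findings.append(Finding("default_credentials", mac, f"{known['name']} still accepts factory credentials"))
    for mac, known in register.items():
        if mac not in seen:
            # Registered but not on the network: check for theft, tampering or an unplugged sensor.
            findings.append(Finding("missing_device", mac, f"{known['name']} ({known['zone']}) was not observed"))
    return findings


if __name__ == "__main__":
    for f in check_inventory(ASSET_REGISTER, OBSERVED, MIN_FIRMWARE):
        print(f"{f.kind:20} {f.mac}  {f.detail}")
```

Run against the constructed data, it reports one unknown device in the OT zone, a DMZ camera answering from the OT zone, a gateway on firmware below the baseline that still accepts factory credentials, and a registered flow meter that is no longer on the network. The last finding is the one the physical-tampering bullet is about: a device that disappears from the inventory deserves a visit to its enclosure, not just a ticket.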

Despite the challenges of connecting IIoT devices to the control domain, organizations are leveraging cloud platforms for data storage, analytics, remote monitoring, predictive maintenance and other advanced applications that aren't closed-loop or time-sensitive, to gain additional insight into improving overall system performance. They benefit from improved asset reliability and availability, reduced maintenance costs, and increased productivity and output, while also improving overall operational safety.