When we look at the IIoT, there are three main requirements:
1. Access to device data: Our connected devices generate information that we want to use. It can be as simple as a door sensor in a home security system or as complex as an oil drilling platform’s SCADA system. The common theme is that remote access to the information has value. There are different scenarios within the industrial sector for this kind of access.
- Plant to field device
- Device to device (M2M)
- Central office to process systems (IT to OT)
- Central location to remote locations (data gathering, possible supervisory control)
- Vendors / OEMs to in-plant or field devices (monitoring)
2. Remote control of the device: Sometimes it is necessary to control the system we are accessing remotely. If a door sensor says the door is unlocked then we might like to lock it. If our SCADA system says that a machine is malfunctioning we would like to turn it off. Remote control should of course be optional. The determination of whether control is allowed should be made at the device, so attempts to control the system remotely will fail if the device is not configured to allow it.
3. Security: We have all heard of security breaches in connected systems. Hackers turn home appliances into bots on spam networks. SCADA systems are remotely hacked to shut down or otherwise damage industrial systems. A couple of years ago a power plant in Ukraine was hacked. Attackers “used stolen VPN credentials to reach the industrial control systems network, and remote access tools to control the HMIs and pull the breakers,” according to an article published on the DarkReading website, and other reports.
Commenting on the recent WannaCry attack and its implications for the Industrial IoT, Brad Hegrat wrote in an IOActive blog post, “It may be time to rethink critical infrastructure cybersecurity engineering because if MS17-010 exploiting malware variants are successful, we are clearly doing something wrong.”
The security for IIoT data communication systems must be improved to prevent these kinds of attacks. And, as we will explain later, securing an industrial system for the IoT is fundamentally different from traditional industrial network security. A new approach is needed. IIoT must be secure by design.
– Andrew Thomas, Skkynet
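Requirement 2 above says the device itself decides whether remote control is allowed. The following is an added sketch of that rule, not code from the article or from Skkynet: the message fields, point names and `DevicePolicy` settings are hypothetical, and authenticating the sender is assumed to happen elsewhere.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class DevicePolicy:
    # Held in the device's local configuration, never taken from a request.
    remote_control_enabled: bool = False        # default: monitoring only
    writable_points: frozenset = frozenset()    # points that may be commanded

@dataclass
class Device:
    policy: DevicePolicy
    points: dict                                # point name -> current value
    audit: list = field(default_factory=list)   # denied attempts, for review

    def handle(self, msg: dict) -> dict:
        op, point = msg.get("op"), msg.get("point")
        if not isinstance(point, str) or point not in self.points:
            return self._deny(msg, "unknown point")
        if op == "read":                        # reads need no control permission
            return {"ok": True, "value": self.points[point]}
        if op != "write":
            return self._deny(msg, "unsupported operation")
        if not self.policy.remote_control_enabled:
            return self._deny(msg, "remote control disabled on device")
        if point not in self.policy.writable_points:
            return self._deny(msg, "point is read-only")
        value = msg.get("value")
        if type(value) is not type(self.points[point]):
            return self._deny(msg, "value has wrong type")
        self.points[point] = value
        return {"ok": True, "value": value}

    def _deny(self, msg: dict, reason: str) -> dict:
        # Record who tried what, so refused control attempts can be reviewed.
        self.audit.append((msg.get("sender"), msg.get("op"), msg.get("point"), reason))
        return {"ok": False, "error": reason}

def demo():
    # Constructed sample: the same lock command sent to two door sensors.
    lock_cmd = {"sender": "central-office", "op": "write",
                "point": "door_locked", "value": True}
    monitor_only = Device(DevicePolicy(), {"door_locked": False})
    controllable = Device(DevicePolicy(True, frozenset({"door_locked"})),
                          {"door_locked": False})
    return monitor_only, monitor_only.handle(lock_cmd), controllable, controllable.handle(lock_cmd)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The monitor-only device still answers reads, but the write fails at the device and leaves an audit entry, regardless of what the remote side believes it is permitted to do.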