What are the key differences between securing industrial internet of things (IIoT) devices and other IoT?

Anonymous Author
When I joined Bayshore Networks, I was one of the founders on the tech side. At the time, the entire industrial internet of things (IIoT) space was in its infancy, but the underlying technologies had already been around for 30 years. That's a critical consideration because there was a lot of learning to be done there, especially from a communications protocol perspective. We had to decipher these protocols that were designed for serial communications, not Ethernet-based network communications. We were able to create this protocol-agnostic product that performs native protection for those devices at the protocol level. That was critical, because most products operated at the most generic level possible in order to sell to a larger population. But we wanted to solve a real problem. It meant a lot to us because something like a traffic light system is so important to protect. There's human life depending on that system. The engineering team believed that what we were doing was important to society.
The industrial control system (ICS) devices that we dealt with are radically different from some of the consumer IoT devices that have come out, particularly in terms of their hardware resources, the communication protocols, and their actual protectability. With old PLCs, you can't even add security code to them because they don't have enough power to run it. When we were doing regular security scanning on a network of industrial devices from 20 years ago, we would end up knocking them off the network. That's how fragile those things are, and they run our critical infrastructure, which is disturbing.
When we started getting involved in the commercial IoT space, we were dealing with familiar enterprise protocols, like CTP, FTP and STP. When you look at an old PoC and a new IoT device, they almost look like resources from the outside that are constrained on the same level. But they're not, because hardware's come so far in terms of what's put into these devices.
With older devices, it’s the same form factor, but what can you do with only 64K of memory? So protecting IIoT versus IoT requires different angles. Protecting PLCs for which you can't inject anything requires a network-centric approach. You want to catch bad actions at the protocol level. But for some of these new IoT devices, you want to do security at the host level because they have the ability to run that type of code. That doesn’t mean you wouldn't do network protection for them as well, but you have different options.
0 upvotes
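An added illustration of the network-centric, protocol-level check described in the answer above; it is not part of that answer and not Bayshore's code. It assumes Modbus/TCP as the industrial protocol and a hypothetical site policy in which a single engineering workstation may send write requests; all addresses and frames are constructed.

```python
import struct

# Function codes from the public Modbus specification.
READ_CODES = {0x01, 0x02, 0x03, 0x04}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}

# Hypothetical site policy: only this engineering workstation may write.
WRITE_SOURCES = {"10.0.5.20"}


def inspect(src_ip, frame):
    """Return (verdict, reason) for one Modbus/TCP request seen on the wire."""
    if len(frame) < 8:  # 7-byte MBAP header plus the function code
        return ("drop", "truncated frame")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return ("drop", "protocol id is not Modbus")
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6:
        return ("drop", "length field does not match frame size")
    if length - 1 > 253:
        return ("drop", "PDU larger than the 253-byte limit")
    func = frame[7]
    if func in READ_CODES:
        return ("allow", "read request")
    if func in WRITE_CODES:
        if src_ip in WRITE_SOURCES:
            return ("allow", "write from authorised source")
        return ("drop", "write from unauthorised source")
    return ("drop", "function code 0x%02X not on allow-list" % func)


# Constructed sample traffic (not captured from a real network).
SAMPLES = [
    ("10.0.9.77", bytes.fromhex("000100000006010300000002")),  # read registers
    ("10.0.9.77", bytes.fromhex("0002000000060106000100ff")),  # write register
    ("10.0.5.20", bytes.fromhex("0002000000060106000100ff")),  # same write, HMI
    ("10.0.9.77", bytes.fromhex("000300000006010300")),        # short frame
    ("10.0.5.20", bytes.fromhex("000400000006010800000000")),  # diagnostics
]

if __name__ == "__main__":
    for src, frame in SAMPLES:
        print(src, frame.hex(), *inspect(src, frame))
```

The check runs on a device in the network path, so nothing has to be installed on the PLC itself, and malformed frames are dropped before they reach a fragile controller.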
Anonymous Author
I thought about this for a while and convinced myself that there should not be a difference. Both are endpoints and both are entry points to some network where you don’t want bad actors. There are some challenges with the differences in technology for management software to track, secure, patch and report, but there really shouldn’t be a separate approach to managing two separate environments where there are so many similarities in device composition.
0 upvotes
Anonymous Author
I don’t think there is a difference - or at least there shouldn’t be. Security in an industrial setting should be no different than in a home user/retail device. I think manufacturers and service providers sacrifice security in non-industrial applications to save on cost, but this could be devastating to the product in the event of a large security failure.
0 upvotes
Anonymous Author
I would like to think that there should be very little difference between industrial IoT devices and consumer-grade IoT devices, but realistically, industrial devices NEED to be more secure, and can be made more secure, just from the fact that industrial devices are set up by IT professionals (you'd hope) and consumer-grade devices are not. At the industrial level, there is also a whole underlying infrastructure and security environment that is in place that is managed and monitored by people whose job it is to keep an eye on these things. At the industrial level, there are also far more serious consequences for breaches and hacks than there are for consumer devices.
0 upvotes