Peanut butter and jelly. Baseball and hot dogs. Lennon and McCartney. Sometimes, two things come together so perfectly, it’s like they were made to be together. Sometimes though, despite everyone believing it’s a match made in heaven, it takes a little more work. That’s where we are today with the worlds of IT cyber security and the Industrial Internet of Things (IIoT).
You don’t have to be an expert to understand why cyber security and industrial systems have to come together. As industrial equipment gets more inter-connected and as companies continue to rely upon big data analytics from industrial control systems (ICS), cyber threats are becoming an ever-larger concern.
While the rationale for industrial cyber security is straightforward, however, the actual implementation can get complicated quickly.
In theory, you shouldn’t have to start from a blank slate to extend IT cyber security principles to IIoT. There are, after all, decades of advances in IT security to build on. But as anyone involved in this segment knows, industrial networks and infrastructure are a very different animal than enterprise IT. And they present some thorny issues to navigate—both for the companies crafting IIoT security defenses and for investors betting on their growth.
Scoping the Challenge
It’s easy to understand why cyber security continues to be such a hotbed of activity. No company wants to make headlines as the latest victim of a major data breach. In the industrial space, the need is just as dire, but the barriers — and in some cases, the stakes — are much higher. This is a function of the stark differences between the industrial world and conventional enterprise networks. Differences like:
- The lack of good metrics: What, exactly, constitutes an “attack?” The question sounds almost silly for enterprise IT. Dip into industrial systems, where there is no standard definition, and things get murkier. Add to that inconsistencies in how data is collected and measured in different systems, and the notorious lack of visibility into ICS systems to begin with. The result is a huge challenge in capturing meaningful statistics about the security of industrial networks. Experts will make a case for security, only to find that they must rely on hyped and inflated metrics, or reference only old use cases repeatedly. The actual extent of the threats may be under-reported.
- The nature of potential attacks: In enterprise IT, the purpose of a breach is to access a company’s data; the assets holding or transmitting that data are just a means to that end. In the industrial world, the asset itself is often the goal. A successful attack that disrupts the integrity of production processes or knocks a critical component offline can translate to huge financial losses — or even worse, in some critical systems, risk physical harm to human beings.
- Lack of a lingua franca: IT security products make certain assumptions: that everything attached to the network has an IP address, that it speaks TCP/IP, that it’s connected via some flavor of Ethernet. These are perfectly good assumptions for enterprise systems, but they don’t apply to an oil refinery or factory floor. There are, of course, industrial assets with IP addresses, but there are all sorts of nodes out beyond the IP edge, many of which speak different protocols that aren’t standard. How do you secure something you can’t see, that doesn’t talk to you, and that, in some cases, you don’t even know is there?
- A question of scale: IT networks can be vast organisms encompassing thousands of nodes that change constantly as devices and users connect, disconnect, and reconnect again someplace else. An entire framework of automated IT tools has evolved to grapple with dynamism at that scale. ICS networks, by contrast, are much smaller and tend to be static for years. Security tools designed for sprawling enterprise topologies often piggyback on basic IT models (the structure of enterprise network segments, the way that networks are functionally partitioned with many different levels of trust) that don’t apply to industrial networks.
- Struggles with software: Testing new software and managing patches are common (sometimes daily) occurrences in enterprise IT systems. In the industrial world, both are fraught with risk. Where IT systems are generally open and designed to constantly change, ICSs are closed, and often highly dependent on specific hardware and software configurations. Even small changes can, therefore, lead to disastrous results. And, any patch that requires a component to reboot can be hugely disruptive to running production system. New software or security updates, therefore, require extensive, exhaustive testing. In some cases, OS security patches can be delayed indefinitely — increasing the demand to find ways to keep older software secure.
- Overlap between IT and OT worlds: Despite the many differences, enterprise IT and ICS do share commonalities, such as different user account levels for accessing operating systems and applications, and physical components like workstations and servers. The devil, however, is in the details. While industrial workstations and servers may look like their IT counterparts (and may even run familiar Windows operating systems) they typically run custom-built, hardened, proprietary software, configured to standards that are very different from enterprise systems. ICSs are also, functionally, complete distributed systems, where user roles are tightly coupled to the actual industrial process being controlled. As a result, decisions about granting or denying access require a level of technical expertise far more granular than with enterprise systems — and usually require a custom user management application tailored to that network.
- Lack of standard architectures: IT networks support companies in every industry, for every purpose under the sun, but the fundamental network architecture is basically the same. This is not the case in industrial operations technology (OT), where almost every network is a custom design. This makes it harder for startups to apply cyber security solutions outside of specific networks. For investors, this also introduces additional risk, as even the best IIoT cyber security technology may not scale beyond a niche customer base.
These are just a few of the differences.
But the bottom line is that IIoT security systems need to be designed differently because they live in a different world and play by different rules.
The IIoT segment may have the same basic cyber security goals as enterprise IT — keeping the bad guys out, monitoring for anomalies, authenticating that the thing you’re talking to really is what it purports to be. But most of the IT tools and methodologies used to solve those problems don’t translate to industrial systems.
Segmenting the Cyber Security Opportunity
Of course, where there’s a problem, there’s an opportunity. A number of startups are exploring novel ways to approach these challenges and create growing businesses around them. Because industrial systems are so varied, we’re unlikely to find a single security solution for “industrial systems.” Rather, startups are attacking specific sets of problems for specific types of customers. We can, however, break down IIoT cyber security into a few broad categories of problems to be addressed:
- OT visibility: Not only do most industrial assets not speak IP, they typically communicate over specialized protocols, few of which are standardized. So unless you’re walking around with a clipboard, it’s extremely difficult to tell what’s actually connected to the network. Some emerging solutions start with the human-machine interface, the last computer in the environment, and tell you what’s connected to it. Some go deeper, listening to the protocols or SCADA commands that different devices use, and extrapolate what they are. Others focus on authentication, verifying that the connected asset really is what it claims to be and, ultimately, that it’s performing as it should.
- Enabling real-time response: Among the most urgent “asks” of IIoT customers is products that can detect anomalous behavior in real time, so that operators can take action quickly. A number of companies are developing novel strategies to establish baselines for normal operations and alert operators to anomalous behavior. These entail new approaches to edge computation, cloud connectivity, and on-premises agents to enable real-time decisions.
- Bridging hybrid IT/OT environments: The collision of IT and OT environments presents its own set of challenges. Most in the industry recognize the value of convergence, but there is no single vision for what that should look like. Companies attacking this problem are looking to enable two-way communications between IT and OT systems, and creating multiple checkpoints between networks to support more protocols and simplify deployments.
These problems aren’t news to industrial companies operating in this space, and certainly not to the startups looking to solve them. Most companies building IIoT cyber security solutions are actively working to cover all of these bases. Now comes the interesting part: parsing the differences in the various approaches to address these issues.
For investors taking a broader view of this segment, the challenges aren’t merely technical. How companies navigate the unique risks of the IIoT space — highly conservative customers, extremely long sales cycles, roadblocks to broad scalability — can be just as important as the technology itself.