EDITOR’S QUESTION
Does Industrial IoT have
cyber security concerns?
Earl Perkins at Gartner details the realities and myths of
cybersecurity concerns within the Industrial Internet of Things.
A
on the other hand, devotes significant effort
and budget to protecting information.
s the Internet of
Things and digital
transformation
progresses, what is your
reality check about the
risks and vulnerabilities
in this adoption phase?
Myth #3: IT, OT and IIoT
cybersecurity should be in a single
team reporting to one executive.
Reality: For most organisations, this is
neither possible, nor even desirable. While
it is desirable to govern and plan major
digital security decisions as a single, often-
central group, a single blanket answer to
this is not reasonable or cost-effective.
I
n March 2016, reports emerged that
hackers had infiltrated a water utility’s
control system. Many critical IT and
operational technology functions ran on
the same system, which was connected
to the Internet, exposing the system to
attacks. In this case, the hackers were able
to change the levels of chemicals being
used to treat tap water, threatening the
health and safety of citizens.
Myth: IT and OT cultures are
too incompatible for a common
cybersecurity strategy.
Incidents like these have raised industry
concerns. In Gartner’s 2016 IoT Backbone
Survey, 35% of IT leaders cited security as a
top barrier to Internet of Things success. It is
time to have a strategic discussion regarding
the future of industrial cybersecurity.
Cybersecurity is evolving, becoming
a single organism. Gartner uses the term
digital security to describe a common
framework for security requirements
across IT, OT, the industrial IoT and
physical security environments.
Gartner predicts that by the end of
2022, half of asset-centric organisations
will have digital security risk strategies in
place to address IoT security impacts on
IT and OT, up from 10% in 2017. Myths
regarding what OT and IIoT security
should or should not look like must not
Myth #4: OT and IIoT systems are
too specialised and unique to use
off-the-shelf security solutions.
Earl Perkins, Research Vice President, Gartner.
prevent security and risk managers from
doing their job.
Myth #1: OT and IT systems face
the same risks, so OT and IIoT
can use IT methodologies to
assess risk and threats.
Reality: IT and OT have overlapping,
but distinctive, risks. IT security has been
devoted for decades to the protection of
information: its confidentiality, integrity
and availability. OT is founded on the
reliability and safety of people and
environments. There are some similarities,
but each requires targeted processes and
systems to address digital security needs
within each environment.
Myth #2: IT and OT cultures are
too incompatible for a common
cybersecurity strategy.
Reality: IT and OT cultures are not
incompatible, but they require executive
guidance to realise initial alignment.
While OT culture does consider security
requirements, it is unlikely to have a
structured or devoted security practice. IT,
Reality: Each year, the rate of IT
protocols, formats and services increases
in OT, which means that OT systems are
exposed to many of the same IT security
threats. You can use existing IT processes
as a starting point, but there will be
modifications needed, depending on
service-level agreements. For example, an
IT system that uses port, vulnerability or
virus scanning can cause havoc on some
latency-sensitive OT networks.
Myth #5: Cloud-based
cybersecurity solutions and
automation are not realistic for
OT and IIoT systems.
Reality: A common discussion in asset-
centric organisations is whether OT systems
can use automated cybersecurity responses
that can shut off or prevent access, initiate
safety shutdowns, notify maintenance
personnel and perform other duties.
Most OT organisations have also been
reluctant to use cloud-based cybersecurity
solutions because of perceptions that they
are not secure enough. Gartner believes
this will change in time because many
decisions once considered as unthinkable
in IT security years ago are relatively
common today.
49