Sven Schrecker, chief architect for Intel’s IoT Security Solutions Group, shares with us his thoughts on security threats to the IIoT, the shifting relationships of key players in the IT/OT security arena, and how all of the IIoT-security puzzle pieces are available…we must simply figure out how to fit them together. Take a look:
Smart Industry: What are the greatest challenges to securing legacy assets?
Sven: Within critical infrastructure there is this past-due IoT…the smartification of devices, if you want to call it that. The enablement of smart devices in the environment is really driving the IT/OT convergence. Take something like predictive maintenance, where in the past you never would have had an IT element with your OT network. Suddenly it not only seems like a good idea, but it’s being mandated by management.
Smart Industry: Does this differ in greenfield and brownfield environments?
Sven: Within industrial there are the pre-existing characteristics—safety, reliability in factory spaces as well as oil and gas. And now resiliency has come in, followed by security and privacy. Anything that actually touches the consumer space needs to have privacy-awareness as well. So these five things all interact with each other—safety, reliability, resiliency, security and privacy. You can’t go in and just choose your security. You have to choose your security with the other four components in mind to make sure it’s an appropriate fit.
Smart Industry: Who are the various stakeholders in cybersecurity for the IIoT?
Sven: There are spectrums where you have the vendors, manufacturers, OEMs and ODMs at one end. They sense the capabilities for devices and software, but what security capabilities do they have? For greenfield we can certainly provide changes. But for brownfield we have to get a little inventive. On the flipside of that spectrum you have the owner/operators who are burdened with the risk of the operational process. If something goes wrong, it doesn’t matter whose fault it is…it’s their problem. They don’t care how much return-on-investment in the R& D process the equipment manufacturers have in their production process or in their products. All they care about is how they can implement a secure process and what kind of controls they will have. That’s where the management of monitoring really kicks in.
Smart Industry: How connected are those players?
Sven: In between those guys is a fairly large gap. Both sides are moving toward the middle, we’ve certainly seen that. But also in the middle are the systems integrators who actually take the manufacturers’ and vendors’ equipment and software and implement it into the owner/operator environment, usually with some type of a platform so they can actually scale it across vendors and owners/operators. The systems integrators are actually in a very good spot as far as Industrial IoT because they bridge that gap. And also in there are service-providers, who bridge that gap on both sides and enable the functionality to exist. One of my key points is that there are both sides—the owner/operators and the machine-builders moving toward the middle. There’s an acknowledgement that the middle is really an attractive place to be for the IIoT.
Smart Industry: What changes do you see in the SAAS world?
Sven: We’re looking at what can be done with the IIoT for security in a reproducible, inter-operable, open-security service such that all devices are truly considered independent of the make or model or manufacturer. We’re looking toward integrating all devices such that they can be monitored and implemented, which will be critical for the IIoT because there’s not just going to be one solution to rule them all. You need to have that open, interoperable capability. That will be key.
Smart Industry: How close are we to making that solution a reality?
Sven: It’s interesting because the Industrial Internet Consortium (IIC) is publishing the security framework that is the record of architecture for all the stuff we’ve talked about here. As far as implementation, it’s not a technology problem. All of the pieces exist. It’s just a matter of putting them all together. And the IIC’s security framework provides guidelines for doing just that. I am biased, because I work for Intel and this is what I do. But there are test beds that can demonstrate this functionality where we literally plug in all of these different vendors. Intel certainly doesn’t have all the pieces, but as far as getting the technology together from all of the different technology vendors and putting them into all of the owner/operator test beds, that is something we do on a daily basis in the federal space, in the consumer space, in the industrial space. We do that across the board to demonstrate how security can be interoperable and deployed across different verticals in consistent ways. You can have solutions supported by what vendors are providing, both with greenfield and brownfield.