Major differences between IoT and IIoT you must be aware of
Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Business opportunities created by the Internet of Things, IoT and the Industrial IoT, IIoT, are among the most debated topics, as these are considered important for a broad range of consumer and industrial applications. Leading market research firms already estimate that by 2020 there will be over 20 billion installed end-point devices worldwide, defined as part of IoT or IIoT systems.
Although the forecasted number is growing every year, it is not clear whether these figures correctly refer to deployments which can be and which cannot be considered as an IoT or IIoT. Therefore, it is strongly recommended that decision factors such as outlined below shall be taken into consideration. First, let’s review the correct definitions of IoT and IIoT.
The IoT and the IIoT are not sensors and not an equipment, but a communication-based eco-system in which variety devices such as; cameras, product counters, rate of sales and industrial sensors communicate with cloud-based processes and the result is displayed on a computer screen, smartphone or used for optimized operation of an industrial process, resulting in unique operating and financial benefits. Examples of IoT/IIoT ecosystems include applications such as; remote operation of home appliances, medical devices, checking on availability of a product in a store, warnings of unusual technical conditions, malfunctions and more.
The purpose of this paper is to highlight the most significant differences among the IoT and IIoT. While walking thought the listed considerations, the reader will have opportunity to learn about these ecosystems. Furthermore, this paper will elaborate on cyber risks, presenting the most critical stumbling blocks for reaching the predicted deployments.
Prior diving into details, let’s make it clear that not all connected devices are IoT nor IIoT. The segmentation according to applications shall be considered as the principal difference between the IoT and IIoT ecosystems. I will try to clarify some principal considerations:
- You purchased a home air conditioner activated by a smartphone. The packing label shows “Wi-Fi-Ready”, but it will be an IoT, since cloud-based data is not used to enhance the operation.
- You consider adding a vibration sensor to a large water pump to diagnose a malfunction. This is not an IIoT, as the vibration sensor is reporting to a special PLC and an ICS/SCADA computer.
- A CCTV camera is connected to a home computer for security surveillance. This is not an IoT, because a loop recording system does not require additional data available from cloud-based resources.
- If your air conditioning is configurated to communicate with an IoT (cloud-based) service provider, who may turn on your unit when 30% of similar appliances are operating, this is an IoT.
- Served applications
- The IoT refers to applications such as checking the availability of a product in store, estimating consumer demand based on weather condition (for example). Here the specific intelligence is provided through a cloud-based service offered by a service provider who manage that ecosystem. Therefore, the IoT ecosystem provides unique value (enhanced convenience) to users of this service.
- The IIoT refers to an industrial operation where a technology sensor is connected to a Programmable Logic Controller (PLC) and its output is sent to a service provider. That data will be processed using cloud-based (proprietary) information, and the result is an optimized operation. The IIoT ecosystem (service provider) adds extra intelligence, which a specific user can not access.
- Type of end devices
- Here we may refer to “inputs” to a consumer-type IoT ecosystem from sensing devices such as: product’s quantity counter, number of phone calls, number of SMS messages, data on road traffic, information on power grid loading, etc. The IoT ecosystem output may be delivered to the user in form of message on smartphone screen, automatic (re-stocking) purchase order to vendor, etc.
- The IIoT utilizes a range of technology sensors such as: temperature, flow, wind, light, vibration, pressure, etc. The sensor output is fed to a PLC prior being uploaded to the IIoT process. The feedback received from the IIoT ecosystem may be delivered to a pump controller, heater, pressure balancer, etc., leading to optimized operation and more accurate fault detection.
- Ecosystem architecture
- The IoT architecture always involves a public cloud accessible by the ecosystem operator. When an inquiry comes in, it is being analyzed and directed for a specific process which require proprietary information not available for the requesting entity. Upon completion of the cloud-based IoT process, the result is delivered to the user as per the specific architecture (i.e. smartphone screen, etc.).
- The IIoT ecosystem architecture is completely different. Here the process is done within the private cloud operated by the service provider, where the proprietary data is stored. The outcome of the IIoT ecosystem is aimed to assist the user to make a cost-effective decision. The IIoT feedback may be directed to the ICS control center through the IT network of the organization.
- Operation Safety
- When we deal with most IoT ecosystems, the operation safety is not an issue as these systems are typically not handling industrial processes. No serious safety incident might happen if due to any reason (cyber-attack, mistaken action, etc.) a wrong decision is made. Understanding this topic for IoT versus what is explained in the next paragraph, will also help you differentiating among IoT and IIoT.
- When you deal with an IIoT ecosystem, the story is completely different. This ecosystem may be a critical part of the control loop and an incorrect action of the control process might push the system to an unstable and unsafe condition. Therefore, selecting the sensors, the PLCs, the communication protocol, the communication process are all highly critical. One mistake and people might lose their lives!
- Operation reliability
- Operating reliability is important, as decisions of people depends on the outcome of the IoT process. IoT ecosystem may also sense and detect intentional or mistaken action by an authorized person. Depending on the specific application, the IoT ecosystem must be equipped with special measures to detect manipulation and prevent any kind of cyber-attack which may produce a faulty result.
- This parameter is more critical because IIoT ecosystems are part of ICS architecture. Remember that the “reliability” is par of the SRP triad (Safety, Reliability, Productivity). Similarly, to explained above, IIoT ecosystem may also sense intentional or mistaken action by an authorized person. You may (carefully) assume the if the IIoT architecture assures operation safety, it also assures operation reliability.
- Operation benefits
- The whole idea behind the IoT ecosystem is to generate unique benefits through deployment of cloud-based processes, otherwise not accessible to users. Important to repeat here, that if cloud-based proprietary data is not part of the process, these are networked end-point devices and not part of IoT ecosystem. Actually, the use of proprietary data is vital for generating these benefits.
- The operating benefit for IIoT is created by the fact that decisions related to failure analysis and maintenance timing can be made based on big data analysis conducted by a relevant IIoT ecosystem provider. If they have in their database actual and correct information on failures of 1000 pumps similar to your pump (installed worldwide), you may trust the feedback they provide.
- Financial benefits
- The financial benefits are clear as the entire operation is supported by the IoT ecosystem owner. For example, no single customer/user can easily learn (without surfing the internet for hours) in which of the nearby stores is the product available and also sold at the best price.
- For example; A water utility need an expert’s support for optimizing their maintenance process through the IIoT ecosystem. If based on the response you received, you may wait X weeks prior shutting down the water pump, this allows careful planning and selecting the most cost-effective procedure.
- Communication media
- The communication media and the protocol must match the IoT ecosystem architecture. Since we are dealing with consumer-oriented operations, probably the system will involve Wi-Fi, Bluetooth and cellular networks, and obviously use standard IT protocols. The complete IoT ecosystem may use a combination of these media, and each must be separately cyber-secured.
- The IIoT ecosystem which is part of the ICS architecture provides wired and wireless link between the sensor and the PLC and the ICS server. From that computer, the data is communicated to the IIoT ecosystem provider, and you may see inclusion of ICS oriented protocols. In IIoT ecosystems where you expect to receive feedback in a short time, you must verify the network latency.
- Cyber risks
Every ethernet based device, whether wired or connected through a wireless link might serve as an entry-node or as a backdoor to the computerized operation. Once the attacker penetrated to your system, anything might happen. Therefore, it is important to analyze each and every IoT or IIoT end-device you consider adding and check if that connection generates any new security vulnerability. For example, you visit a family in the hospital and follow the processes the nurse is doing. You may see on the screen that medical data, images, records of your family is transferred (without security) trough to the internet. The conclusion can be, that in some cases, the overall benefit does not worth the risk.
- Cyber risk for IoT ecosystems is a reason for concern. Due to fact that in most IoT end-point devices cyber security is not included, these might serve as the “attack gate” into your system. When you realize that the feedback from IoT ecosystem is wrong, or the iRobot pictured your apartment all the night or your air-condition worked around the clock … these incidents might turn to a problem.
- Similarly, the end devices serving the IIoT ecosystem extend the cyber-attack surface. They might serve as the “attack gate” into your system and increase the risk of an attack on your critical infrastructure. Here we not speak about buying an ice-cream in a more expensive place, but severe risks which might cause operation outage, mechanical damage and risk lives of people.
- Cyber defense
If you reach reading this bullet it means that you found this post interesting, educating and you are ready for the most difficult and critical challenge. You already know that there is “no silver bullet, which may protect your computerized system against all possible attacks. Therefore, a combination of defense measure is needed, adapted to the deployed IoT / IIoT architectures.
- Cyber defense for IoT ecosystems represents a major problem mainly because we deal with consumer-oriented end-devices installed in homes, stores, bus stations, office buildings, gardens, etc. Due to the fact that until now these devices were viewed as “Improved convenience for the public”, the cost limitation prevented inclusion of cyber defense measures. What can we do about it…?
- Deploy enhanced cyber defense for the network used for communicating with these devices
- Update authentication measures where applicable (devices’ user name and password)
- Perform ongoing scanning of the networks to detect “foreign” / not authorized devices
- ….. more
- When dealing with IIoT, things are different. On one hand the cyber risk is higher, but on the other hand you may easily obtain investment resources for upgrades and retrofits. In addition to best practices already listed above for IoT ecosystems, for IIoT you shall consider additional measures:
- Performing retrofits, vulnerability analysis, improved physical protection,
- Performing anomaly condition detection using Intrusion Detection System (IDS)
- Adding special authentication measures suitable for IIoT ecosystems
- …… more
As the world is gearing up toward deployment of tens of billions of end point devices integrated with IoT and IIoT ecosystems, the computer security turns to a problem for the world population and for commercial and industrial operations. To mitigate these risks, (we were not aware of just few years ago), important to identify the root causes and not just deal with patching and isolating the problems. Furthermore, you have to build teams of internal champions and supporters having the right expertise, each in his specific field.
We all hope for huge IoT/IIoT deployments in the future, as this is good for users, vendors and also for innovation. But…., anyone considering to develop a new IoT/IIoT ecosystem, shall focus on real needs and values it delivers and properly design a cloud-data based architecture.
Cyber protection for any IT and ICS architecture consists of three essential and achievable elements a) the use of cyber secured technologies, b) strict adherence to policies, and c) careful user behavior achieved through awareness training. Innovative technologies, components and architectures that will include cyber protection as part of the IoT/IIoT ecosystem at no extra cost, will drive the success.
Daniel Ehrenreich, BSc. is a Consultant and Lecturer acting at Secure Communications and Control Experts, teaching at cyber security colleges and presenting at ICS cyber defense conferences; Daniel has over 25 years’ engineering experience with electricity, water, gas and power plants systems as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. Selected as Chairman for the ICS Cybersec 2018, taking place on 11-10-2018 in Israel. Linkedin