Technology and Podcast Links

Technology and Podcast Links

I’ve released a couple of podcasts recently. One was based on what I learned at the HPE Discover Conference and the other based on a conversation with Dell Technologies IoT and OEM CTO Jason Shepherd. These can also be seen on my YouTube channel.

I have discovered more interest in the IT side of things on my podcasts. One I recorded a few months ago has hit more than 3.2K downloads. Interesting where the industry is going.

As I became recognized as the independent writer/analyst in the Industrial Internet of Things market, this infographic came my way. I don’t really have the right site to publish it, but here is a link–80 Internet of Things Statistics. Interesting.

The podcasts:

192 Why and OT guy goes to IT conferences — mostly based on trip to HPE Discover conference.

193 Open Source, IT and OT and Dell Tech — mostly on interview with Dell Tech’s CTO for IoT Jason Shepherd.

Technology and Podcast Links

Data Protection Best Practices White Paper

Standards are useful, sometimes even essential. Standard sizes of shipping containers enable optimum ship loading/unloading. Standard railroad gauges and cars enable standard shipping containers to move from ship to train, and eventually even to tractor/trailer rigs to get products to consumers. 

Designing and producing to standards can be challenging. Therefore the value of Best Practices.

Taking this to the realm of Industrial Internet of Things where data security, privacy and trustworthiness are essential, the Industrial Internet Consortium (IIC) has published the Data Protection Best Practices White Paper. I very much like these collaborative initiatives that help engineers solve real world problems.

Designed for stakeholders involved in cybersecurity, privacy and IIoT trustworthiness, the paper describes best practices that can be applied to protect various types of IIoT data and systems. The 33-page paper covers multiple adjacent and overlapping data protection domains, for example data security, data integrity, data privacy, and data residency.

I spoke with the lead authors and came away with a sense of the work involved. Following are some highlights.

Failure to apply appropriate data protection measures can lead to serious consequences for IIoT systems such as service disruptions that affect the bottom-line, serious industrial accidents and data leaks that can result in significant losses, heavy regulatory fines, loss of IP and negative impact on brand reputation.

“Protecting IIoT data during the lifecycle of systems is one of the critical foundations of trustworthy systems,” said Bassam Zarkout, Executive Vice President, IGnPower and one of the paper’s authors. “To be trustworthy, a system and its characteristics, namely security, safety, reliability, resiliency and privacy, must operate in conformance with business and legal requirements. Data protection is a key enabler for compliance with these requirements, especially when facing environmental disturbances, human errors, system faults and attacks.”

Categories of Data to be Protected

Data protection touches on all data and information in an organization. In a complex IIoT system, this includes operational data from things like sensors at a field site; system and configuration data like data exchanged with an IoT device; personal data that identifies individuals; and audit data that chronologically records system activities.

Different data protection mechanisms and approaches may be needed for data at rest (data stored at various times during its lifecycle), data in motion (data being shared or transmitted from one location to another), or data in use (data being processed).

Data Security

“Security is the cornerstone of data protection. Securing an IIoT infrastructure requires a rigorous in-depth security strategy that protects data in the cloud, over the internet, and on devices,” said Niheer Patel, Product Manager, Real-Time Innovations (RTI) and one of the paper’s authors. “It also requires a team approach from manufacturing, to development, to deployment and operation of both IoT devices and infrastructure. This white paper covers the best practices for various data security mechanisms, such as authenticated encryption, key management, root of trust, access control, and audit and monitoring.”

Data Integrity

“Data integrity is crucial in maintaining physical equipment protection, preventing safety incidents, and enabling operations data analysis. Data integrity can be violated intentionally by malicious actors or unintentionally due to corruption during communication or storage. Data integrity assurance is enforced via security mechanisms such as cryptographic controls for detection and prevention of integrity violations,” said Apurva Mohan, Industrial IoT Security Lead, Schlumberger and one of the paper’s authors.

Data integrity should be maintained for the entire lifecycle of the data from when it is generated, to its final destruction or archival. Actual data integrity protection mechanisms depend on the lifecycle phase of the data.

Data Privacy

As a prime example of data privacy requirements, the paper focuses on the EU General Data Protection Regulation (GDPR), which grants data subjects a wide range of rights over their personal data. The paper describes how IIoT solutions can leverage data security best practices in key management, authentication and access control can empower GDPR-centric privacy processes.

The Data Protection Best Practices White Paper complements the IoT Security Maturity Model Practitioner’s Guide and builds on the concepts of the Industrial Internet Reference Architecture and Industrial Internet Security Framework.

The Data Protection Best Practices White Paper and a list of IIC members who contributed to it can be found on the IIC website 

Cybersecurity Zero Day Threats and Executive Survey

Cybersecurity Zero Day Threats and Executive Survey

Cybersecurity is in the news more often than violence or politics, its seems. Last week I received two important pieces of news—both reported below. The first details vulnerabilities found in VxWorks—the most widely used Real-Time Operating System forming the foundation for process control. The other news concerns a survey of executives that shows continued cyber attacks on industrial systems.

Zero Day Vulnerabilities

Enterprise IoT security company, Armis, announced the discovery of 11 zero-day vulnerabilities, 6 critical, that affect Wind River® VxWorks versions since version 6.5, that include the IPnet stack, collectively known as “URGENT/11.” Updated releases have been provided. URGENT/11 does not impact versions of the product designed for certification, such as VxWorks 653 and VxWorks Cert Edition.

VxWorks, the leading real-time operating system (RTOS), is used in more than two billion devices across industrial, medical and enterprise environments such as mission-critical systems including SCADA, elevator and industrial controllers, patient monitors and MRI machines, as well as firewalls, routers, satellite modems, VOIP phones and printers. If exploited, URGENT/11 could allow a complete takeover of the device and cause disruption on a scale similar to what resulted from the EternalBlue vulnerability.

“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, vice president of research at Armis. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations—from healthcare to manufacturing and even security businesses. This is why URGENT/11 is so important. The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern.”

URGENT/11 includes six Remote Code Execution (RCE) vulnerabilities that could give an attacker full control over a targeted device, via unauthenticated network packets. Any connected device leveraging VxWorks that includes the IPnet stack is affected by at least one of the discovered vulnerabilities. They include some devices that are located at the perimeter of organizational networks that are internet-facing such as modems, routers and firewalls. Any vulnerability in such a device may enable an attacker to breach networks directly from the internet. Devices protected by perimeter security measures also can be vulnerable once the devices create TCP connections to the internet. These connections can be hijacked and used to trigger the discovered TCP vulnerabilities, allowing attackers to take over the device and access the internal network.

“URGENT/11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security. Every business with these devices needs to ensure they are protected,” said Yevgeny Dibrov, CEO and co-founder of Armis. “The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk.”

VxWorks is pervasive and trusted due to its rigorous and high-achieving safety certifications and its high degree of reliability and real-time accuracy. In its 32-year history, only 13 Common Vulnerabilities and Exposures (CVEs) have been listed by MITRE as affecting VxWorks. Armis discovered unusually low-level vulnerabilities within the IPnet stack affecting these specific VxWorks versions released in the last 13 years, from versions 6.5 and above. These are the most severe vulnerabilities found in VxWorks to date.

The IPnet networking stack was acquired by Wind River through its acquisition of Interpeak in 2006. Prior to the acquisition, the stack was broadly licensed to and deployed by a number of real-time operating system vendors.

Wind River has been working in collaboration with Armis on this matter, and customers were notified and issued patches to address the vulnerabilities last month. To the best of both companies knowledge, there is no indication the URGENT/11 vulnerabilities have been exploited.

Organizations deploying devices with VxWorks should patch impacted devices immediately. More information can be found in the Wind River Security Alert posted on the company’s Security Center.

Operational Downtime is the Most Common Impact of IoT-Focused Cyberattacks

As connectivity in the Industrial Internet of Things (IIoT) promises to transform the manufacturing and production industry, new research by Irdeto underlines the importance of cybersecurity, revealing that 79% of manufacturing and production organizations surveyed have experienced an IoT-focused cyberattack in the past year. This finding demonstrates the importance of cybersecurity as IoT devices proliferate across the critical infrastructure of these organizations, to ensure that the potential business benefits of IoT can be realized safely.

The Irdeto Global Connected Industries Cybersecurity Survey of 220 security decision makers in organizations in this sector (700 respondents in total) found that of the organizations that were hit by an attack, operational downtime (47%), compromised customer data (35%) and compromised end-user safety (33%) were the most common impacts. These findings clearly point to a direct bearing on revenue as well as health safety challenges presented by unsecured IoT devices.

The research also suggests that these organizations are aware of where the key cybersecurity vulnerabilities exist with their infrastructure, but do not necessarily have everything they need to address them. The most prominent vulnerabilities within manufacturing and production organizations were in mobile devices and apps (46%). This was followed by the IT network (41%) and the software used by the organization (40%) – which if referring to the OT equipment software which runs of the factory floor, could be hugely problematic.

However, despite this awareness, 92% of respondents feel their organization does not have everything it needs to address cybersecurity challenges. 44% state that their organization needs to implement a more robust security strategy. This is followed by a need for additional expertise/skills within the organization to address all aspects of cybersecurity (42%) and a need for more effective cybersecurity tools (37%).

This is compounded by the finding that, in the manufacturing sector, a total of 91% of manufacturers and 96% of users of IoT devices state that the cybersecurity of the IoT devices that they manufacture or use could be improved either to a great extent or to some extent. Failure to address these challenges could prove costly with the average financial impact as a result of an IoT-focused cyberattack in the manufacturing space identified as more than $280,000 USD, according to the survey.

“While the benefits of IoT may be in abundance in manufacturing and industrial environments, this connectivity also increases the attack surface and these findings demonstrate that there is an awareness of the cybersecurity challenges and impacts within the industry, but potentially a need to rethink strategies to mitigate the impact of potential cyberattacks,” said Mark Hearn, Director of IoT Security and Business Development, Irdeto. “Whatever the nature of the threat, industrial and manufacturing organizations must understand the scope of their current risk, ask hard cybersecurity-centric questions to vendors, and work with trusted advisors to safely embrace connectivity in their manufacturing process.”

As organizations fight to keep pace with the cybersecurity challenges in the manufacturing sector, they do have several security measures in place, but have often not implemented enough layers into their security strategy. 21% of organizations surveyed do not currently have software protection technologies implemented, while 39% do not have mobile app protection implemented, despite identifying mobile devices and apps as the greatest source of vulnerabilities. In addition, only 50% make security part of the product design lifecycle process.

However, the majority of organizations that don’t already have these measures in place, state that they plan to implement them in the next year. In addition, 99% of the manufacturing organizations surveyed agree that a security solution should be an enabler of new business models, not just a cost. These findings suggest that attitudes towards IoT security are changing for the better.

“As the manufacturing industry embraces IoT technology it’s clear that there are many cybersecurity challenges that must be addressed, but the industry attitude towards cybersecurity is on the right track,” added Steeve Huin, Vice President of Strategic Partnerships, Business Development and Marketing, Irdeto. “As the scope of connected manufacturing grows, the opportunities and the risks are magnified and it is imperative that organizations upskill and implement robust cybersecurity strategies to ensure they mitigate the threat and safely take advantage of the benefits that IoT can bring.”

Industrial Internet of Things Maturity Assessment Explorer

Industrial Internet of Things Maturity Assessment Explorer

I’ve been off for most of the past week celebrating Independence Day and family birthdays. For those of you in the US, I hope you had a restful time off and enjoyed some fireworks displays. And now, back to what’s happening in the industrial world.

The Industrial Internet of Things (IIoT) comprises far more than just the simple connecting of devices back to a database in a server. It’s integral to digitalization. Applying abundance thinking to the system, clearly IIoT plays a key role for successful business transformation.

The Industrial Internet Consortium (IIC) has produced the IIoT Maturity Assessment, a web-based tool included in the IIC Resource Hub that enables users to better understand their enterprise IIoT maturity. The IIoT Maturity Assessment helps organizations become best-practice adopters of IIoT by guiding business managers through a range of questions about the adoption, usage and governance of IIoT within their organizations.

“The IIoT market has grown quickly and many businesses planned strategy while in the midst of execution and need to step back and assess their true IIoT maturity,” said Jim Morrish, Co-Chair of the IIC’s Business Strategy and Solution Lifecycle Working Group and co-author of the IIoT Maturity Assessment tool. “The IIoT Maturity Assessment will help companies get a baseline for their maturity right now and assess it in regular intervals to track their progress.”

This framework of four main dimensions and their corresponding strands will spur your thinking into broader areas beyond predictive maintenance or cost reduction programs.

The framework:

Business Strategy

  • Market context
  • Strategic context
  • Business model innovation and refinement
  • IoT Foundations

Business Solution Lifecycle

  • Interface to business strategy
  • Solution design
  • Project team structuring
  • Project management
  • In service monitoring and feedback

Technology

  • Technology strategy
  • Reference architecture and standards
  • Platforms stack
  • Data location transparency

Security

  • Governance
  • Enablement
  • Hardening

“There’s a real difference between using IIoT to streamline processes and using it to create new revenue streams or make better business decisions,” said Ian Hughes, Senior Analyst, Internet of Things, 451 Research. “A tool like this can be a real eye opener for an organization wanting to transform their business to remain competitive and increase profits.”

The IIoT Maturity Assessment considers 63 individual capabilities, each with five levels of maturity within the above framework. For example, under strategic context, a maturity level can range from a limited number of key individuals having stepped up to IIoT ownership to full ownership of IIoT within an organization. The IIoT Maturity Assessment provides feedback about the level of maturity and highlights areas that may require development.

The final outputs provided to users also provide links to the IIC Body of Knowledge for reference and to help improve their maturity. This includes collaborative resources developed by industry leaders from the IIC membership, including IIC foundational documents (Industrial Internet Reference Architecture, Industrial Internet Security Framework, Industrial Internet Connectivity Framework, Business Strategy and Innovation Framework, Industrial Internet of Things Analytics Framework, and Vocabulary Technical Report) and other IIC documents and tools.

The IIoT Maturity Assessment is available in three levels of analysis: Quick, Standard (both open to everyone) and Detailed (IIC members only).

Survey Sees 4th Industrial Revolution Moving From Buzz to Reality

Survey Sees 4th Industrial Revolution Moving From Buzz to Reality

The popular saying holds that the future is here just unevenly distributed. According to a survey released by PWC and The Manufacturing Institute, that thought is certainly true about the Fourth Industrial Revolution (which PwC labels 4IR but many others label Industry 4.0). This research confirms my observations that many manufacturers have projects at a variety of stages, while many others have adopted a wait-and-see attitude.

The report notes that fourth industrial revolution has been met with both enthusiasm and fence-sitting. While sentiments and experiences have been mixed, most business leaders are now approaching 4IR with a sense of measured optimism. Indeed, larger systemic changes are underway, including building pervasive digital operations that connect assets, developing connected products and managing new, real-time digital ties to customers via those products.

While manufacturers recognize the potential value of advanced technologies and digital innovation—particularly robotics, the Industrial Internet of Things (IIoT), cloud computing, advanced analytics, 3D printing, and virtual and augmented reality—they are still deliberating how and where to invest and balancing the hype with their own level of preparedness. Meanwhile, they’re also well aware of the significant changes 4IR will bring to a new manufacturing workforce—that is, one that is increasingly symbiotic and increasingly beneficial for many workers and manufacturers alike.

This narrative is reflected in a new survey of US-based manufacturers carried out by PwC and The Manufacturing Institute, the workforce and thought leadership arm of the National Association of Manufacturers. We see a definitive—and, indeed, inevitable—shift to 4IR as companies seek to integrate new technologies into their operations, supply chain, and product portfolio. At the same time, they acknowledge that scaling, justifying 4IR investments, and dealing with uncertainty surrounding use cases and applications usher in a new set of challenges.

Some key survey findings include:
• While the sector as a whole is making assertive forays into 4IR, many manufacturers still inhabit the awareness and pilot phases. Nearly half of manufacturers surveyed reported that they are in the early stages of a smart factory transition (awareness, experimental, and early adoption phases).
• Manufacturers do expect the transition to accelerate in the coming years—73% are planning to increase their investment in smart factory technology over the next year.
• While we see a number of fence-sitters, the bulk of manufacturers are indeed prioritizing 4IR, the digital ecosystem, and emerging technologies. 31% report that adopting an IoT strategy in their operations is “extremely critical” while 40% report that it’s “moderately critical.”
• About 70% of manufacturers say the biggest impacts of robotics on the workforce in the next five years will be an increased need for talent to manage in a more automated, flexible production environment and the opening of new jobs to engineer robotics and their operating systems.

…While adopters have identified clear signs of success. Though most manufacturers are still climbing the 4IR adoption curve—albeit at different speeds—those that have made progress are reporting a modicum of performance boosts measured by productivity gains, reduced labor costs, new revenue streams from IoT-connected products and services, as well as improved workforce retention and worker safety. Those that have effectively defined their use cases with a focus on outcomes rather than technology are seeing early wins, and are looking for ways to generate even more value.

The Takeaway
Manufacturers are seeking to balance 4IR hype and reality. And most acknowledge that sitting back and waiting for the inevitable may not be an option.

The road may be longer than the hype would have companies believe, but preparing for and embracing change is a muscle many of today’s manufacturers are ready to flex. Those that can build on their ad hoc pilots and prioritize investments and strategies with their long-term desired business outcomes will be better positioned to create lasting value for their organization.

Follow this blog

Get a weekly email of all new posts.