For many years industries such as oil and gas, electricity, agriculture and utilities have relied on operational communications infrastructure outside the main corporate network to collect data and provide supervisory control. Known as Supervisory Control and Data Acquisition (SCADA) systems, these networks collect data that supports efficient allocation of resources, monitors safety conditions and improves operational decision-making. Now, with the emergence of Internet of Things (IoT) technology, industrial organizations are eager to deploy new wireless machine-to-machine (M2M) devices to collect even more data from field assets in remote, geographically dispersed locations. The number of sensors and data points in industrial networks is set to grow rapidly, and every one of them is a new access point into the network. Security will therefore be an important factor in determining the overall success of any IoT deployment.
IoT opportunity knocks
Industrial IoT devices could provide easy remote access to sensors located at the edge of SCADA networks. Such self-contained sensors may already be running an application, and may already be part of equipment that uses IP. It is easy to see how, for example, monitoring that data could be used to predict SCADA equipment failures before they happen. In some cases improving efficiency by even a tiny percentage could save billions of dollars. The purpose of IoT in industry will be to connect every asset across every facility so that data is readily available to key decision makers.
SCADA: built for a long and lonely life
Care is needed, however, when introducing IoT devices into SCADA networks. Many SCADA systems have been in use since the late twentieth century, and at the time they were designed security was not really a concern. Because they were designed as self-contained systems with no possibility of remote access, SCADA’s base communication protocols are inherently insecure: typically there is no authentication and no encryption, so any node that can reach a controller can read its data or issue commands to it. The only security measure has been to maintain an ‘Air Gap’ – not connecting them to the larger network – so that data cannot pass beyond its own sphere of operation. If such systems are suddenly expected to communicate with a wider, fully connected network they will be exposed to threats they were never designed for, with consequences that are hard to predict.
When two worlds collide
There are important differences between comparatively modest SCADA networks and fully joined up IP networks that IoT devices communicate with. In IP networks every device is a potential threat to the entire corporate IT network unless it is properly secured. In comparison to a traditional SCADA system, this is a communication network on a much larger scale with thousands of potential end points. Operators in industrial IoT environments need to be concerned with everything that could be introduced to the network at every single connection point.
Traditionally, companies have separated their operational technology (OT) from their information technology (IT) systems with a corporate firewall. With an IoT network, however, additional protection is needed for the sensors and applications on the operational side; securing the communication link alone is not enough. If an individual device on the OT side is compromised and the attacker can reach that communication link, nothing stops them from pushing malicious data, causing a denial of service (DoS), or introducing malware to the wider network.
VPN security provides the missing link
Standards such as IPsec and TLS, using ciphers such as AES-128, make it possible to establish secure connections even in an Industrial IoT environment (SSL and early TLS versions are deprecated and should not be enabled). When the data is carried inside a properly configured VPN tunnel, an unauthorized party who can capture the traffic cannot read it, and any packet altered in transit fails its integrity check and is discarded. This matters most on wireless links, where the radio medium itself is easy to join or eavesdrop on: it is the encrypted tunnel, not access to the radio network, that keeps snoopers out. The tunnel only protects data in transit, however; a device that is itself compromised still holds valid keys and can send malicious but correctly encrypted traffic through it, which is why device-level protection on the OT side is still needed.
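The two points above, that an encrypted and authenticated tunnel hides and integrity-protects field data from anyone who can see the packets, yet cannot distinguish good data from bad once an endpoint holding a valid key is compromised, can be shown in a few lines. The following Go program is an added example, not code from the original page or from any VPN product; it uses AES-128-GCM with a static, illustrative key in place of the keys a real IPsec or TLS handshake would negotiate, and the telemetry frames are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Tunnel stands in for the keyed link a VPN gives a field gateway: one
// 128-bit key shared with the corporate gateway, AES-128-GCM for both
// confidentiality and integrity. Real IPsec or TLS derives such keys from
// a handshake (IKEv2, TLS 1.2/1.3) and uses separate keys per direction;
// the static key here is an illustrative simplification.
type Tunnel struct {
	aead cipher.AEAD
}

// NewTunnel builds a tunnel from a 16-byte AES-128 key.
func NewTunnel(key []byte) (*Tunnel, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

// Seal encrypts and authenticates one frame. The packet layout is
// nonce || ciphertext || 16-byte GCM tag; the nonce must never repeat
// under the same key, so it is drawn fresh from the OS CSPRNG each time.
func (t *Tunnel) Seal(frame []byte) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return t.aead.Seal(nonce, nonce, frame, nil), nil
}

// Open checks the tag and decrypts. Any bit changed in transit, whether in
// the nonce, the ciphertext or the tag, makes this return an error.
func (t *Tunnel) Open(pkt []byte) ([]byte, error) {
	n := t.aead.NonceSize()
	if len(pkt) < n+t.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	return t.aead.Open(nil, pkt[:n], pkt[n:], nil)
}

// Leaks reports whether a snooper holding the packet can see the frame
// verbatim inside it.
func Leaks(pkt, frame []byte) bool {
	return bytes.Contains(pkt, frame)
}

func main() {
	key := []byte("0123456789abcdef") // illustrative only; never hard-code a real key
	tun, err := NewTunnel(key)
	if err != nil {
		panic(err)
	}

	// Constructed sample telemetry frame from a field RTU (not real data).
	frame := []byte("RTU-07 pressure=42.1bar valve=OPEN")
	pkt, _ := tun.Seal(frame)
	fmt.Println("plaintext visible to snooper:", Leaks(pkt, frame))

	// A packet modified on the wire is rejected before the SCADA
	// application ever sees it.
	tampered := append([]byte(nil), pkt...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = tun.Open(tampered)
	fmt.Println("tampered packet rejected:", err != nil)

	// The caveat: a compromised RTU still holds a valid key, so a bogus
	// reading it sends is encrypted, authenticated and accepted by the
	// tunnel. The VPN cannot tell good data from bad; that check belongs
	// in the OT application layer, not in the link.
	bogus, _ := tun.Seal([]byte("RTU-07 pressure=-999bar valve=OPEN"))
	got, err := tun.Open(bogus)
	fmt.Printf("bogus frame accepted by tunnel: %v (%q)\n", err == nil, got)
}
```

Running it prints false, true and true for the three checks: the snooper sees nothing, the tampered packet is dropped, and the forged reading from the compromised endpoint passes straight through. The last line is the reason the tunnel is an additional layer rather than a complete answer.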
In summary, the opportunity to save millions of dollars through improved efficiency and preventative maintenance is driving the implementation of IoT in industry. In the process the traditionally separated zones of operational and information technology are on a collision course. Combining traditional SCADA systems with new IoT systems is not without risk, and great care needs to be taken to avoid compromising security. VPN is one technology that can provide an additional layer of security for both IT and OT networks, provided it is deployed alongside, not instead of, protection for the devices themselves.