Public Utilities Benefit from the Industrial Internet of Things But Must Secure It

The National Institute of Standards and Technology defines the IIoT as “the sensors, instruments, machines and other devices that are networked together and use Internet connectivity to enhance industrial and manufacturing business processes and applications.”

Government-owned utilities, such as water utilities, benefit from implementing and securing the IIoT.

How Does the IIoT Help Governments?

A water utility connected to the IIoT may rely on sensors to detect when to operate appropriate devices. A sensor may detect when temperature runs too low in a water system, and the sensor may trigger an actuator that lights a burner to increase temperature. A sensor may detect that water isn’t flowing in the proper route, and it may open a valve that redirects water flow.

“All of these assets are orchestrated into systems that help create all of these societal advantages and benefits to organizations,” says Grant Geyer, chief strategy officer at cyber-physical systems security company Claroty.

On its website, Cisco notes a number of benefits of IIoT devices, including:

• Improved worker safety
• Increased production uptime
• Consistent product quality
• Regulatory compliance
• Improved operational efficiencies
• Real-time data collection and processing

“There are over 150,000 public drinking water systems within the United States, most of which are very small entities at the state and local level,” Geyer says. “The Industrial Internet of Things connects their operations to places that have a critical dependence on water, such as hospitals. This interconnected system has provided so many advantages to the citizens of the United States, but with that digital transformation comes digital risk.”

RELATED: Edge computing is necessary for smart cities, but hard to secure.

How Does the Industrial Internet of Things Open the Door to Risks?

As illustrated by the rural Texas water utility attacks earlier this year, adversaries see attacks on public utilities as a means of disrupting American government operations.

Public utilities have adopted IIoT solutions to save money and to make operations more efficient for American citizens, Geyer says.

“For example, Russia was attacking rural water treatment plants, and at one plant caused an overflow of the water system. It’s important to frame that in context: Every cyberattack happening out there is either driven by criminal intent to steal money or driven for the potential of creating sabotage or projecting power from a foreign adversary into the United States,” Geyer says.

Hale Center protected its IIoT systems by disconnecting them from the internet. That’s one way to secure systems, particularly in an emergency: air-gap them.

LEARN MORE: Multi-tier backup and recovery is crucial to cyber resilience.

Meanwhile, utilities must ensure the IT assets connected to OT devices have the appropriate level of security built into them. The U.S. Cybersecurity and Infrastructure Security Agency warns, “As a nation, we have allowed a system where the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations and away from the producers of the technology and those developing the products that increasingly run our digital lives.”

CISA supports a concept called Secure by Design that tasks manufacturers to invest in building cybersecurity protections into systems rather than leaving them as an afterthought. The agency launched a Secure by Design pledge, and hundreds of organizations have vowed to protect against basic vulnerabilities.

Recently, CISA announced the Secure by Demand initiative to recommend manufacturer security standards that meet a particular set of requirements. Secure by Demand asks software vendors to implement authentication, eliminate vulnerabilities, record intrusions, protect the supply chain and take other actions.

How Can Governments Protect Against IIoT Security Threats?

To protect IIoT networks, government utilities must adopt strong asset management. Conducting an asset survey can be tricky for utilities, Geyer says, as industrial assets communicate via different long-lived protocols.

“Unless you know how to analyze these communication methods, you can’t determine what assets are out there,” he says.

Claroty conducts asset discovery to paint a picture of assets and how they are communicating with each other, Geyer says. “Programmable logic controllers for water treatment may be talking to interfaces that provide visibility into the levels of different chemicals within the water. Engineering workstations may make changes in those programmable logic controllers. There is a whole interconnected network of assets that control the process and control water treatment in this case.”

DIVE DEEPER: Operational technology assessments are key to IIoT security.

Utilities must master four processes to secure assets once they have identified them, Geyer says:

• Exposure management
• Network segmentation
• Secure access
• Threat detection

Exposure management may traditionally be thought of as vulnerability and risk management, Geyer says. But given an overwhelming number of vulnerabilities, utilities can manage the scale of risk by determining how attackers might gain access to an asset through exposure. Meanwhile, network segmentation can contain exposure by interrupting connections between systems.

Secure access ensures that everyone is who they claim to be and that they have authorization to conduct business. And utilities must rely on threat detection to identify attackers.

Does AI Play a Role in the Future of the IIoT?

Artificial intelligence has many applications and uses within the future of the IIoT, Geyer says. First, AI can help operators see who has access to IIoT systems and automate communication between IIoT devices.

“When we think about the expected growth of IoT devices over the next five or 10 years, those are things that will need to be completely automated, and that’s where AI can have an important use: to really provide an intelligent view of what should be talking to what, helping orchestrate those communications, helping spot deviations in that massive amount of traffic. Humans simply won't be able to master those tasks,” Geyer says.

As with every technology challenge, utilities must examine their cultures and determine what changes are required to commit to IIoT growth and AI adoption, he adds.

PREPARE: Demystify artificial intelligence adoption for your organization.

OT teams have traditionally resisted change. “IT and OT teams have different perspectives on whether change is good or bad, and those need to be harmonized. From an education perspective, when you think about the myriad small water utilities, ports and other critical infrastructure around the United States, we need to ensure that OT operators think about security but also think about themselves as the first line of defense.”

To begin that journey, utilities should conduct assessments of their IIoT environments and determine what they must learn to improve.

“A lot of organizations need to take the first step of acquiring basic awareness by conducting some initial assessments of the environment. The key is to go from being unaware to being open-eyed about the risk. And then organizations must get on the path of consciously learning and consciously taking ownership and governance of their cyber risk.”