In our September Athens Group Services newsletter, we discussed steps to take to identify threats to your drilling assets. Number 7 on the list of top cybersecurity threats was “IoT devices like smart locks or smart assistants being hacked”. As we discussed where our industry was going with automation technology, we generated a frequency word cloud of the most expressed automation technology terms:

Remember, we were identifying our cybersecurity threats, and only this one, IoT, is being considered by some of our industry technologists. Previously we labeled IoT as a “red herring” because when searching Shodan, our ICS browser, we found:
- 3,551,412 internet connections to ICS components,
- 10% of the visible ICS systems are Energy & Utilities,
- Remove the Smart Utilities monitoring systems on our homes and businesses,
- Remaining is a 2% exposure, or fewer than 4,100 devices in Oil & Gas E&P.
That said, the world is still beating the drum for a massive Industrial Internet of Things cybersecurity Armageddon. Gartner forecasts that 14.2 billion connected things will be in use in 2019, and that the total will reach 25 billion by 2021, producing an immense volume of data. Gartner is the gold standard for technology trend predictions. The 2018 Hype Cycle for Emerging Technologies places IoT at the point of starting the slide off of the “Peak of Inflated Expectations”.

IoT/ICS Consideration No. 1: Machine Learning
Big Data powers the IoT and your ability to derive some kind of meaning from it. Machine Learning will be applied to a wide range of IoT information, including video, still images, speech, network traffic activity and sensor data. Machine Learning is just another phrase for Artificial Intelligence (AI). For Industrial Control Systems, the phrase Machine Learning is more appropriate. As you can see from the Hype Cycle chart, AI sits further below IoT and is much less mature when applied to IoT Big Data. Sensing a pattern here? The only technology we are discussing here that is no longer on the Hype Cycle is Big Data. Why? Because Gartner dropped it from the Hype Cycle in 2015.
IoT/ICS Consideration No. 2: Social, Legal and Ethical IoT
As IoT becomes more widely deployed on your drilling assets, a range of social, legal and ethical issues will grow in importance. These include ownership of data; algorithmic bias; privacy; and compliance with the General Data Protection Regulation (GDPR). The GDPR applies to organizations located within the EU and organizations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. So, think about your Dutch Elec Tech on your North Sea asset.
IoT/ICS Consideration No. 3: Infonomics and Data Brokering
Are you planning to sell data collected by your products and services? The theory of Infonomics takes this monetization of data further by seeing it as a strategic business asset to be recorded in the company accounts. By 2023, the buying and selling of IoT data will become an essential part of many IoT systems. Have you quantified the risks and opportunities related to data broking in order to set the IT policies required in this area and to advise other parts of the organization?
IoT/ICS Consideration No. 4: The Shift from Intelligent Edge to Intelligent Mesh
The shift from centralized and cloud to edge architectures is well under way in IoT/ICS. The set of layers associated with edge architecture is evolving into a more unstructured architecture comprising a wide range of “things” and services connected in a dynamic mesh. These mesh architectures will enable more flexible, intelligent and responsive IoT systems, although often at the cost of additional complexities. This will be a nightmare for your CyberSecurity efforts. If you plan to take advantage of this IoT mesh, it is best to have it fit within an already defined security architecture. Once the mesh is activated you will never be able to stuff it back into a secure hardware/software architecture.
IoT/ICS Consideration No. 5: IoT/ICS Governance
The need for a governance framework that ensures appropriate behavior in the creation, storage, use and deletion of information related to IoT projects becomes increasingly important. The range of governance runs from simple technical tasks such as device audits and firmware updates to more complex issues such as the control of devices and the usage of the information they generate. How have you defined this on your assets? Management of Change?
IoT/ICS Consideration No. 6: Sensor Evolution
The sensor market continuously evolves. New sensors enable a wider range of situations and events to be detected, current sensors will fall in price to become more affordable or will be packaged in new ways to support new applications, and new algorithms will emerge to deduce more information from current sensor technologies. How do you manage today’s sensor suites onboard your assets? How do you know they are really working to spec?
IoT/ICS Consideration No. 7: Trusted Hardware and Operating System
CyberSecurity is the most significant area of technical concern for organizations deploying IoT/ICS systems. Many times, your assets don’t have control over the source and nature of the software and hardware being utilized. By 2023 Gartner expects the deployment of hardware and software combinations that hopefully create more trustworthy and secure IoT systems. This has yet to be demonstrated in practice.
IoT/ICS Consideration No. 8: Novel IoT/ICS User Experiences
The IoT user experience (UX) covers a wide range of technologies and design techniques. The drivers are: new sensors, new algorithms, new experience architectures and context, and socially aware experiences. With an increasing number of interactions occurring with things that don’t have screens and keyboards, your assets and supplier UX designers will be required to use new technologies and adopt new perspectives. How do these fit within your CyberSecurity regime and security architectures?
IoT/ICS Consideration No. 9: Silicon Chip Innovation
Currently, most IoT endpoint devices use conventional processor chips, with low-power ARM architectures being particularly popular. However, traditional instruction sets and memory architectures aren’t well-suited to all the tasks that endpoints need to perform. New special-purpose chips reduce the power consumption required, enabling new edge architectures and embedded functions in low-power IoT/ICS endpoints. This will support new capabilities such as data analytics integrated with sensors, and speech recognition included in low-cost battery-powered devices. Go back to consideration no. 4 and make sure your edge and mesh are well defined.
IoT/ICS Consideration No. 10: New Wireless Networking Technologies for IoT/ICS
IoT networking balances a set of competing requirements, such as endpoint cost, power consumption, bandwidth, latency, connection density, operating cost, quality of service, and range. No single networking technology optimizes all of these, and new IoT networking technologies will provide additional choice and flexibility. With choice and flexibility comes the need for cybersecurity planning and secure architectures. Using these easy, new technologies introduces multiple new gateways through which your assets can be hacked and rendered inoperable at best, unsafe at worst!
If you would like further information on any of the concepts covered in this newsletter, please reach out to us. We will be more than happy to begin a technology dialogue.
Also, please take a look at our blog for the next three issues covering:
- Blog_Post 13: IoT and ICS – What’s on Your Asset?
- Blog_Post 14: IoT and ICS – Who’s in Charge?
- Blog_Post 15: IoT and ICS – What happens next?