Secure Products - Dealing with Legacy Equipment
The first key concept in IIoT deployment involves securing systems. Product lifecycle has a huge impact on security in industrial applications. Unlike IT environments, products can remain in active service in industrial control systems for as long as 30 years. It is unrealistic to assume that end users will update older components when implementing IIoT. Thus, IIoT systems will include legacy end devices that were developed prior to advent of security standards alongside new end devices with native security features.
Let’s begin by looking at the challenges posed by legacy devices. Most industrial installations contain equipment that is antiquated from IT and security perspectives. Legacy equipment is at greater risk of attack than equipment with the latest versions of security features. There are two options available to mitigate this issue, with their selection driven by the application.
1. Limit communication to data collection only. This is the safest option but may not be viable for all applications.
2. Placing restrictions on device access. Note that this will require monitoring of the integrity of communications to ensure that data is not changed as it travels between devices. This option is more practical as limiting access to data collection is not feasible for many applications.
Devices that have been recently deployed will have security features. In this case you may be able to operate without building security around devices.
Considerations when Purchasing Equipment
If customers choose to update legacy equipment, selecting equipment with firmware and software signing is critical to ensure secure patching. You should also lean toward products developed using a secure development lifecycle. Most organizations have a well-defined process to create, release, and maintain products. However, increasing concerns and business risks associated with insecure products have brought increased attention to the need to integrate security into the development process. You should ask potential vendors to supply proof that development centers have been certified to standards such as IEC 62443-4-1. Third-party certification of a development process can provide confidence that products were developed using secure practices, reducing potential implementation risk.
Connecting devices to each other and the cloud opens the door for an intelligent process, potentially leading to significant improvements in productivity and efficiency. The tools to successfully implement the IIoT are in place today, but change will be evolutionary vs. revolutionary. End users will weigh the value of new functionality against the risk of making changes to their control system which will impede rapid change. Security will be a key factor impacting success. System design, product features, secure development processes, and implementation expertise will have to be taken into consideration when implementing the IIoT.
About the Author: Fabrice Jadot first joined Schneider Electric in 1997, focusing on motor control within R&D as part of the variable speed drives activity, which became a joint venture with Toshiba in 2000 named Schneider Toshiba Inverter. In 2012, he joined the corporate side of the company as the Strategy and Innovation Platforms VP, dealing with cross-business technology platforms in the domain of digital services, supervisory control, and embedded control. Today, he is the Chief Technology Officer for Industry business driving automation system architecture, cybersecurity, and automation digital transformation (Industrial Internet of Things, Industry 4.0, etc.). In 2015, he became a board member of ODVA, an international association comprised of members from the world's leading automation companies. He enjoys traveling, especially visiting historical sites and architectures, along with wine tasting and walking.