Advancing to IIoT means back to security basics

Manufacturers may see advantages to the Industrial Internet of Things (IIoT) and Industrie 4.0, but the backbone of their plant, the control system, wasn't built with cybersecurity in mind, and many companies aren't addressing this potentially serious issue.


With the industry headed into digital transformation via smart manufacturing and Industrie 4.0 and the Industrial Internet of Things (IIoT), company leaders look at these initiatives as opportunities they need to jump on—and fast.

They can gain a competitive advantage through new service-enabled business models, disruptive new products, a more agile supply chain, and efficient operations. However, the systems that end up being the backbone of the manufacturing enterprise, the control systems, are not built with security in mind. On top of that, a survey released by Honeywell shows adoption of cybersecurity is low.

The survey, "Putting Industrial Cyber Security at the Top of the CEO Agenda," was conducted for Honeywell by LNS Research. It polled 130 strategic decision makers from industrial companies about their approach to the Industrial Internet of Things (IIoT), and their use of industrial cybersecurity technologies and practices.

Slow or low adoption could mean either manufacturers will move forward with the digital transformation and remain insecure, or they will be delayed in their movement forward and lose valuable time and potential revenues until they adopt a security program.

Either way, it appears companies at the vanguard of employing security already, have a leg up on any potential competitors. It can also mean more companies are still at the beginning of creating a security program.

"I think everyone knows they have a problem now, but they are not quite sure where to start," said Seth Carpenter, software engineer and cyber security technologist at Honeywell. "There is a long way to go. Awareness is a good first step. We can't do anything unless there is an agreement that something needs to be done. The next step is putting funding behind these programs. Sometimes it is not throwing money at it, it can really be building up the culture in the organization where you are thinking of security and putting responsible officers in there making sure they are reporting out on cybersecurity and it is going all the way up to the C-level and the board."

The survey's findings included: 

  • More than half of respondents reported working in an industrial facility that already has had a cybersecurity breach
  • 45% of the responding companies still do not have an accountable enterprise leader for cybersecurity
  • 37% are monitoring for suspicious behavior
  • Although companies are conducting regular risk assessments, 20% are not doing them at all

"One of the things I found interesting was when they were asked if they had a breach at their plant, most people normally don't want to talk about it, but here quite a few people admitted they had a breach," Carpenter said.

The survey found there has been low adoption of cybersecurity measures, however, awareness is through the roof, the question remains on when will manufacturers establish a timetable for adopting a security program.

"It is a combination of things," Carpenter said. "We know we should brush out teeth and take our vitamins, but sometimes you just say, I will go to sleep right now. It is hard without that driving factor or a really good business case behind it. We are at a point where there is a lot of awareness of what is happening. We see attacks in every industry like healthcare, banking, financial institutions, the awareness is there. I think that is the first part where people recognize something needs to be done. They might not know where to start. So, they say we need to do something about it, but that can be daunting. It is like eating the elephant, you have got to figure out the little bite I can take on this."

First step

Image courtesy: Ilya Pavlov/UnsplashA good first step for a manufacturer is conducting an assessment.

"There are really good cybersecurity maturity models users can map their processes to so they can get started," Carpenter said. "Sometimes the hardest part is taking the first step and think here is what we are going to get and here is where we want to be and putting together that plan."

Traditionally, security has been seen as a cost center, but in reality, it can end up viewed as a business enabler that keeps systems up and running by eliminating unplanned downtime.

"That is one of the trickiest parts of security," Carpenter said. "When I invest in a manufacturing line, I see I am producing 20% more product. That is tangible and I can put a dollar value on that. If I spend the same amount of money on a cybersecurity program how do I measure success? How do I show my boss and my bosses boss, 'Hey, we did a really good job here.' I think there needs to be a mindset shift to see this isn't a problem where we are dumping our money into because we have to, instead this is helping us maintain our machines and giving us the uptime numbers we need."

The report issued three recommendations:

1. Use an operational excellence model of people, process, and technology capabilities to enable digital transformation and build industrial cyber security capabilities into the model.

2. Focus on best practices adoption. Start with the basics like firewalls and access controls; over time move to more advanced topics like network architecture, risk management, and activity monitoring. Build a roadmap based on increasing people and process maturity that considers risk and equates safety with security. If people capabilities are limited to start, consider augmenting with external professional services that have information technology (IT) and operations technology (OT) experience.

3. Focus on empowering leaders and building an organizational structure that breaks down the silos between IT and OT. A common approach across these disciplines is critical for success in industrial cyber security and it can only be done by investing time and energy in the soft skills of change management.

"We know this is complicated, we are talking systems that have been up and running for years and years, let's face it if it is not broken, don't fix it," Carpenter said. "So, getting visibility into the assets can be difficult. You have to know what normal looks like."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (, a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media,

ONLINE extra

See related stories from ISSSource linked below.

Click here to register to download the report.

The Top Plant program honors outstanding manufacturing facilities in North America. View the 2017 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
Welding ergonomics, 2017 Salary Survey, and surge protection
2017 Top Plant winner, Best practices, Plant Engineering at 70, Top 10 stories of 2017
Pipe fabrication and IIoT; 2017 Product of the Year finalists
Product of the Year winners, Pattern recognition, Engineering analytics, Revitalize older pump installations
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
The cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Setting internal automation standards
Knowing how and when to use parallel generators
PID controllers, Solar-powered SCADA, Using 80 GHz radar sensors

Annual Salary Survey

Before the calendar turned, 2016 already had the makings of a pivotal year for manufacturing, and for the world.

There were the big events for the year, including the United States as Partner Country at Hannover Messe in April and the 2016 International Manufacturing Technology Show in Chicago in September. There's also the matter of the U.S. presidential elections in November, which promise to shape policy in manufacturing for years to come.

But the year started with global economic turmoil, as a slowdown in Chinese manufacturing triggered a worldwide stock hiccup that sent values plummeting. The continued plunge in world oil prices has resulted in a slowdown in exploration and, by extension, the manufacture of exploration equipment.

Read more: 2015 Salary Survey

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.
The maintenance journey has been a long, slow trek for most manufacturers and has gone from preventive maintenance to predictive maintenance.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.
Maintenance Manager; California Oils Corp.
Associate, Electrical Engineering; Wood Harbinger
Control Systems Engineer; Robert Bosch Corp.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me