IoT GUIDE

My colleague Scott Evans recently wrote a brilliant piece about Industrial IoT lessons for the consumer wearables market. It got me thinking about Industrial IoT data privacy and cybersecurity for manufacturing, production plants and associated assets.

One avenue to explore in this article are the lessons learned by Facebook in the consumer space. Facebook changed the way people communicate at no cost, in exchange for metadata about a Facebook profile and other activity. Regarding data privacy and security in the consumer space, people are willing to let go of some of their data privacy in exchange for something that improves their quality of life or simplification of a task in some way. Likewise, Industrial manufacturers will also give up on some data privacy and security to gain a competitive advantage in other areas.

I suspect that consumer IoT will continue to forge ahead with a plethora of products, while a large segment of those customers will not be overly concerned about data privacy and security. People will be ready and willing to subscribe to a micro service or APP that might improve their health or life function, even if the data is usable by a 3rd party.

The opposite is occurring today in certain Industrial IoT segments. People responsible for making decisions about control and safety of manufacturing operations are becoming overly concerned about securing the data about physical assets. Many sensors that are needed to enable IoT outcomes do not exist in the plant today while manufacturing assets have simply not been digitized (example: things that spin). The data privacy and cybersecurity requirements for sensors used in plant control and safety, unfortunately, are sometimes broadly applied to IoT sensor data that is used to "monitor" and create an IoT outcome like supply chain improvement or servitization. Servitization is the process by which a manufacturer changes its business model to provide a holistic solution to the customer, helping the customer to improve its competitiveness, rather than just engaging in a single transaction through the sale of a physical product. In other words, for process industries, your pumps, control valves, exchangers, furnaces may be owned, monitored and maintained by OEM manufacturers. These manufacturers not only receive the data from the asset they own or maintain, but also the associated time-series data that describe how it is running in the process. The cybersecurity requirements for control and safety are vastly different than the requirements for supply chain and remote monitoring efficiencies created by IoT.

Since the installation of the first electronic sensor or instrument hooked to a plant control system or controller or safety system, decision makers have considered sensor data of paramount importance for plant operations. Data availability requirements go well beyond 5-9's for most industrial processes. Industrial cyber security standards today (Nerc, ISA 62443 / ISA-99, etc.) address the data security for plant control and safety and not the requirements for IoT. But since sensors applied to Industrial IoT are not necessarily control or safety related, the appropriate level (effort and cost) of data security must be applied. Fit-for-purpose IIoT cybersecurity will include a level of security that leverages the Internet protocols to pass plant sensor data to a cloud service used by an OEM or service model and does not require the control platform DCS, PLC or their respective plant control networks to accomplish this. The Open Internconnect Consortium is an example of an emerging effort to balance cybersecurity for IoT. Michael S. Richmond, Executive Director of OIC presented at the ARC Orlando Forum last week and brilliantly described this effort.