How to Approach the Risks of IoT Technology

May 6, 2024
NIST offers manufacturers an array of cybersecurity information related to Internet of Things technologies—from device selection and implementation guidance to outlines on what capabilities IoT devices should feature.

For the past two decades the manufacturing world has been hearing about Internet of Things (IoT) devices. These devices are designed to not just collect operations data as their predecessors did, but also connect and communicate with a broader array of networked devices to help provide a holistic—or at least near holistic—view of plant operations.

Beyond this high-level explanation of an IoT device, to truly understand these devices and the potential cybersecurity risks they present, it’s important to understand their core make-up. As described by Jeff Marron, an IT specialist at the National Institute of Standards and Technology (NIST), an IoT device has at least one transducer for interacting with the physical world (e.g., a sensor or actuator) and at least one network interface (e.g., Ethernet, Wi-Fi or Bluetooth).

In his presentation at the Industry of Things World USA 2024 event, Marron cited five guiding principles from NIST related to IoT device cybersecurity in manufacturing environments:

  • Adopt a risk-based understanding. Users of IoT devices should focus on how IoT characteristics affect system and organizational cybersecurity risk.
  • Understand that IoT is really an ecosystem of “things.” Users should realize that no device exists in a vacuum. Therefore, it’s critical to look at your entire ecosystem, not just the IoT endpoints. 
  • No one-size-fits-all technology exists. Manufacturers (both end users and producers of IoT devices) should allow for a diversity of approaches and technologies across verticals and use cases. 
  • Have an outcome-based approach. Having specific, desired outcomes in mind prior to purchase and deployment of IoT devices enables users to better select from among the best options for their environment.
  • Ensure stakeholder engagement. No matter the size of the project, be sure to collaborate with diverse stakeholders across the organization regarding tools, guidance, standards and resources. 

 

IoT device help

Even with these guiding principles in mind, Marron noted that manufacturers will still need help to ensure secure IoT deployments. To address this, NIST offers multiple sources of information and guidance for manufacturers using—or looking to use—IoT devices.

Among these works is “The Unique Challenges of IoT Cybersecurity (IR8228)”. Marron said this walks readers through the process of considering IoT cybersecurity and privacy risks by:

  • Defining specific capabilities IoT devices can provide.
  • Describing considerations that may affect cybersecurity management and privacy risks of IoT devices. 
  • Providing manufacturers with recommendations on how to address specific risk issues with their IoT devices.

Another publication from NIST is the “Foundational Activities for Manufacturers Producing IoT Technologies (IR8259)”. This is designed to inform manufacturers of IoT devices about what they should provide and the processes they should perform. It can also serve as a helpful guide for manufacturing end users to better understand what capabilities their IoT devices should feature.

According to NIST, the main capabilities an industrial IoT device should feature are:

  • Device identification—the IoT device can be uniquely identified logically and physically.
  • Device configuration—the configuration of the IoT device’s software can be changed and such changes can be performed by authorized entities only. 
  • Data protection—the IoT device can protect the data it stores and transmits from unauthorized access and modification. 
  • Logical access to interfaces—the IoT device can restrict logical access to its local and network interfaces and the protocols and services used by those interfaces to authorized entities only. 
  • Software update—the IoT device’s software can be updated by authorized entities only using a secure and configurable mechanism. 
  • Cybersecurity state awareness—the IoT device can report on its cybersecurity state and make that information accessible to authorized entities only. 

Marron also noted that NIST’s National Cybersecurity Center of Excellence provides a collaborative hub for industry, government and academia to solve real-world cybersecurity problems. He said the NCCOE provides “extensive IoT resources including manufacturing environment cybersecurity, trusted IoT device network layer onboarding and lifecycle management.”

About the Author

David Greenfield, Editor in Chief

David Greenfield joined Automation World in June 2011. Bringing a wealth of industry knowledge and media experience to his position, David’s contributions can be found in AW’s print and online editions and custom projects. Earlier in his career, David was Editorial Director of Design News at UBM Electronics, and prior to joining UBM, he was Editorial Director of Control Engineering at Reed Business Information, where he also worked on Manufacturing Business Technology as Publisher. 
