Is that Newborn an IoT or an IIoT – How to Decide?
Introduction
During the past decades, we learned about Information Technology (IT), Industrial Control Systems (ICS), Operation Technology (OT), and Supervisory Control and Data Acquisition (SCADA) systems, which manage the operation of a broad range of consumer, commercial, industrial, and other facilities. We learned how to design each type of control architecture, and we learned about the cyber security risks and the cyber defense solutions that apply specifically to the OT environment.
During the past decade, people have started to use and hear about the Internet of Things (IoT) and the Industrial IoT (IIoT). Still, the terms that everybody is discussing are not well understood. The described products and solutions are not new; some were in use over three decades ago, but the terms are new. Nowadays, IoT and IIoT products and ecosystems are promoted in many formats, but unfortunately, none of them explains how to differentiate between the two.
While walking through the considerations listed in this paper, you will have the chance to learn about the particularities of their applications. This will also help you to understand and decide which cyber security regulation should be used for each type of IoT or IIoT device and ecosystem.
The IoT and IIoT Products and Ecosystems
The decision to classify an appliance or an ecosystem as IoT or IIoT is not straightforward and depends on its usage context. While both refer to interconnected devices, the IoT primarily refers to commercial environments to improve productivity and users’ convenience, and the IIoT refers to industrial-type environments to monitor the operation of mechanical appliances, improve their operation processes, minimize the risks of operating outage, reduce the overall cost of maintenance, and more. Understanding these considerations will help you select the most applicable cybersecurity regulation for each commercial or industrial operation.
Notes:
a) Before reading this paper, you must clearly understand the term “industrial operation.”
b) Stay tuned for future ISA/IEC 62443 1-6 releases regarding cloud interfacing for IIoT devices.
1. Operation environment
If a specific product or an ecosystem primarily collects and analyzes operational data within the organization, the correct designation for that function will be IoT ecosystem.
Note: Such an environment can be an office building, or a warehouse that manages packages to be shipped out, or a vending machine containing cans of drinks.
If a specific operation is collecting and analyzing process-related data on the physical operation of an appliance or an operation process, the correct designation will be IIoT.
2. Interface to the organization
Suppose a specific product or a subsystem is connected to an on-premises or a cloud-based IT zone to optimize commercial process-related data; in that case, the correct designation will be IoT ecosystem.
If a specific product or a subsystem connects to the operational zone, such as ICS, SCADA, DCS, and other control systems, the correct designation will be IIoT ecosystem.
Note: The reader may consider the unique risks to an IoT or IIoT product or ecosystem that connects to the cloud, to an on-prem system, or to both (refer to the future document ISA/IEC 62443 1-6).
3. Operating functions
Suppose a non-critical appliance is operating as a non-industrial-type service robot in a restaurant or minimal risk facility that delivers goods; in that case, the correct designation will be IoT ecosystem.
If a specific appliance operates as a robot or a packaging appliance in a production line and conducts an industrial process, the correct designation will be IIoT ecosystem.
Note: If such an operation refers to a non-critical/low-risk process, then we may consider it an IoT. However, if that refers to a critical/risky process, we must consider it an IIoT ecosystem.
4. Operation process
Suppose a simple robotic appliance has a robust and safe design that, during its normal operation, might never hurt people (even during a malfunction). In that case, we may refer to that as an IoT ecosystem.
Suppose an appliance operates as a production/industrial robot and performs risky processes that in extreme cases or during a malfunction, might hurt people. In that case, the correct designation shall be an IIoT ecosystem.
Note: According to the considerations outlined above, we must also evaluate what might happen if the operation of the robot is manipulated or receives an abnormal command.
5. Applicable standards for cyber security
Following the considerations described above, an ecosystem designated as IoT may be evaluated according to ETSI 303 645 or a similar-level framework.
However, if the decision calls for designating a product as an IIoT, it should be evaluated according to ISA/IEC 62443 sections 4-1, 4-2, and partially 3-3 (as applicable).
Note: Readers may learn the definitions of the Security Levels (SL 1 to SL 4) and, according to the attack probability, select the most suitable cyber security evaluation.
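The five considerations above can be encoded as a triage helper that records which indicator drove the designation. This is an added example, not part of the paper; the precedence rule (a single IIoT indicator, such as a critical process or a safety impact, makes the whole ecosystem IIoT) is an assumption drawn from the notes to considerations 3 and 4, and the sample devices are constructed.

```python
from dataclasses import dataclass

# Added example (not the paper's own material). Assumption: any IIoT indicator
# is enough to classify the ecosystem as IIoT, because the paper treats a
# critical process or a possible injury to people as decisive.

@dataclass
class DeviceProfile:
    name: str
    process_data: bool         # 1. collects data on the physical operation of an appliance/process
    connects_to_ot: bool       # 2. interfaces with ICS/SCADA/DCS, not only an IT or cloud zone
    industrial_function: bool  # 3. conducts an industrial process (e.g. on a production line)
    critical_process: bool     # 3 (note): critical or high-risk process
    can_harm_people: bool      # 4. a malfunction or abnormal command might hurt people

IIOT_STANDARDS = ["ISA/IEC 62443-4-1", "ISA/IEC 62443-4-2",
                  "ISA/IEC 62443-3-3 (partially, as applicable)"]
IOT_STANDARDS = ["ETSI 303 645 or a similar-level framework"]

def classify(profile: DeviceProfile) -> dict:
    """Return the designation, the applicable standards and the indicators behind the decision."""
    indicators = [
        ("1. operation environment: process-related data", profile.process_data),
        ("2. interface: connected to the operational (OT) zone", profile.connects_to_ot),
        ("3. operating function: industrial process", profile.industrial_function),
        ("3. note: critical/risky process", profile.critical_process),
        ("4. operation process: may hurt people", profile.can_harm_people),
    ]
    reasons = [label for label, present in indicators if present]
    if reasons:  # assumption: one IIoT indicator dominates the commercial context
        return {"name": profile.name, "designation": "IIoT",
                "standards": IIOT_STANDARDS, "reasons": reasons}
    return {"name": profile.name, "designation": "IoT", "standards": IOT_STANDARDS,
            "reasons": ["no IIoT indicator; commercial/convenience context"]}

# Constructed sample devices mirroring the paper's own illustrations.
SAMPLE_DEVICES = [
    DeviceProfile("vending machine in an office lobby", False, False, False, False, False),
    DeviceProfile("goods-delivery service robot in a restaurant", False, False, False, False, False),
    DeviceProfile("packaging robot on a production line", True, True, True, True, True),
    DeviceProfile("vibration sensor on a pump reporting to SCADA", True, True, False, False, False),
]

if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        result = classify(device)
        print(f"{result['name']}: {result['designation']} -> {', '.join(result['standards'])}")
        for reason in result["reasons"]:
            print("   -", reason)
```

The reasons list is the useful part: it documents which consideration pushed a borderline device into the ISA/IEC 62443 scope, which is what an assessor has to justify.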
Summary and conclusions
Industrial automation and control systems and IIoT ecosystems should be secured according to ISA/IEC 62443 no matter what devices are deployed, whether Internet-connected or not. Other devices or systems that monitor and control light physical or non-physical operations may consider other standards. It is also essential to mention that the user or the buyer often dictates the selection of a specific regulation or standard.
About the author
Daniel Ehrenreich, BSc., is a consultant and lecturer at SCCE (Secure Communications and Control Experts). He periodically teaches in colleges, trains industrial organizations, and presents at conferences on the integration of cyber defense with CI operations. Daniel has over 33 years of experience with ICS-OT for electricity, water, gas, and power plants as part of his activities at Tadiran, Motorola, Siemens, and Waterfall Security. Daniel has delivered keynote speeches at multiple conferences and was re-elected as the Chairman for the 9th ICS Cybersec conference in Israel on 27-11-2024.