Industrial IoT (IIoT) devices will comprise the majority of the billions of IoT devices deployed over the next decade. How will the information security market meet this onslaught of technology?
The consumer market is not a useful guide for this analysis. Consumers buy in small quantities and choose to deploy information security tools piecemeal. Few consumers buy smart phone security products, usually after experiencing an incident. The industrial market is more sensitive to risk.
Industrial-scale IoT devices must have low price points. Once an enterprise decides to deploy a fleet of IIoT technology, they seek out the lowest price product that will meet their needs. This puts pressure on manufacturers to keep costs low. IIoT device manufacturers will not spend extra resources designing, installing, testing, and configuring effective security measures voluntarily. Government regulation will change this reluctance, but until forced to do so buyers will have to secure their devices after installation.
What will the IIoT security market look like? Given the low purchase price and vast scale of deployments, there will be a negligible aftermarket for individual IIoT device security software or hardware. The market will focus on aggregation points, concentrators, gateways, and network access devices.
Consider a solar panel farm. The largest solar farm now under construction, the Egyptian Benban solar park near Aswan, will cost about $4 billion, and should come on-line in 2020. Ten times larger than New York City’s Central Park, it will generate 1.8 gigawatts using 5 million panels. Each panel has an inverter and a sensor, and every 16 panels has a PLC (programmable logic controller). This farm will have 10 million edge IIoT devices and 312,500 PLCs.
How would you secure over 10 million IIoT devices? Assume the control systems are centralized. By protecting the external gateway only, you spend the least, but if any problem gets in, the plant could be disabled or destroyed. Segmentation costs more, but reduces the attack surface and impedes the spread of malware.
What is the optimum number of cells? There is no hard and fast rule. The cost of a device increases with its capacity, so having a few large cells would require powerful security appliances. More cells will reduce the impact of a breach, and lessen the load per appliance, allowing a lower price point. With one appliance for every thousand PLCs (covering 16,000 panels, meaning 32,000 IIoT devices) the configuration would need over three hundred appliances, with monitoring and control through an appropriately configured automation and management hub. The appliance cost would be miniscule compared with the total cost of the overall configuration.
The full security configuration would include the engineering and architecture skill to design and site the appliances, the architecture and deployment of the management hubs (dual for high availability), and the training for ongoing operations and maintenance. IIoT security vendors will work through channel partners with expertise in the specific vertical industries they serve.
Project managers for large industrial IoT deployments should work with their IT channel and OT engineering teams to identify the most cost-effective sourcing and deployment options for comprehensive, effective IT/OT security.
What do you think? Let me know, either in the comments below or @WilliamMalikTM.