My initial alarm on the term Industrial Internet of Things (IIOT) occurred at the ARC Forum this February. I was stunned that basic DCS, SCADA and other ICS functions that have been occurring for decades were called IIOT. In fact ARC was taking well understood, more specifically defined and useful terminology and replacing it with a generic IIOT.
Fast forward to a recent Belden blog article: The IIOT Journey – With 4 Examples of Today’s Solutions, which was excerpted from a Belden Design Seminar. Here are the examples that Belden is calling IIOT:
- A Layer 3 switch with some firewall capability in a factory control system
- A router with a firewall capability and ethernet to serial interfaces used to connect the control room to an outstation, in this example an electric transmission or distribution SCADA system
- An oil pipeline SCADA system using a cellular network as the SCADA WAN for control room to PLC communications
- A network infrastructure for IP cameras
None of these solutions are new. Belden and their competitors have been selling equipment, in most cases quality equipment, to perform these functions for a decade.
My larger concern is that IIOT actually makes describing and evaluating these solutions harder. Most involve creating a secure and robust network infrastructure, and there are different requirements for a DCS infrastructure vs. a private network SCADA vs. a virtual private network SCADA. How does calling these IIOT help us understand or address this problem?
We should be drilling down to a more granular set of terminology, requirements and controls, not bundling them up into some new term that adds no value.
I have not given up on the term IIOT, and we are actively searching for the right presentation and presenter to add to S4x16. Unfortunately everything proposed to date has been along the lines of ARC and this blog article where everything ICS is now called IIOT because this is trying to leach off of the IOT buzz.
I believe there is a place for the IIOT term, and there are some good examples that do not represent renaming what we have called ICS for years. However if the name IIOT continues to be so generic and devoid of value it is best discarded and ignored.
The term Advanced Persistent Threat (APT) is a great example and warning. I first heard about APT from Richard Bejtlich. His explanation was clear, and the term was important. APT was a threat agent who attempted to achieve persistence on the compromised network. When a company found one instance of attack and cleaned it up, the APT had buried itself in other places and awoke to maintain persistence on the network. An attacker could be an APT, but an attack could not be.
The term was misused to the benefit of security vendors, companies that were compromised, governments, consultants, gurus and a variety of others to the point now that even if APT is used properly it will be misunderstood by most that hear it. We may already be at that point with IIOT and probably need to discard the term for a set of more accurate and descriptive terms.