The Industrial Internet of Things (IIoT) has increased the connectivity, and correspondingly, the productivity and efficiency of the systems that it brings together. The growth of IIoT has resulted in benefits to the industrial supply chain, such as greatly improved efficiencies in utility systems. However, those benefits have been paired with a commensurate increase in risk, most notably the vulnerabilities presented by systems that have become ever more communicative. Before expanding existing IIoT systems, entities must first be informed and well-equipped to assess the associated benefits and risks presented by new technologies.
There are important differences between the Internet of Things (IoT) and the Industrial Internet of Things. The IoT is the network of physical objects, embedded sensors, connections and computers that permeates much of our everyday life. The IoT consists of helpful gadgets and is becoming prevalent in everyday items from fitness trackers, smart thermostats, and vital medical devices to connected water bottles and shopping monitors. The IoT affects consumers directly and continues to evolve within a largely consumer-driven digital ecosystem. The lineage of IoT devices, and their underlying software, can be traced alongside the development of the internet, smartphones and the operating systems with which consumers are already familiar.
The Industrial Internet of Things, like IoT, utilizes a network with sensors and various connections; but it grew not out of the consumer-oriented electronics and operating systems, but alongside large-scale industrial control hardware. Much of the software behind the IIoT was custom-developed (going back decades) as an adjunct to big, expensive pieces of industrial hardware: switches, valves, pumps and other heavy machinery. While the IoT is focused on individual consumers, the IIoT (as its name suggests) serves machines and industrial systems. The IIoT is a fundamental part of the nation's critical infrastructure. It runs our oil fields, our gas pipelines, our water systems, our dams and heavy industry; it underpins the electricity grid, our train systems, our highways and our ports.
The IIoT presents both opportunity and risk. Opportunities arising from increased adoption of IIoT technologies can include reducing operational expenses, increasing productivity and efficiency, and improving worker safety. Additionally, while the IIoT has been around for some time, new and improved technologies are accelerating opportunities for growth, innovation and value that can be derived with smart IIoT applications. While the introduction of new IIoT technologies can make the entire system smarter, integration of those technologies into IIoT increases risks. This perhaps can be aptly illustrated by a metaphor comparing two very different living organisms: a human and a fungus. The human has a brain and is capable of intelligent thought. The brain actively and passively connects the entire system (the body) and allows those systems to engage in and accomplish highly complex tasks. A fungus, on the other hand, does not contain a connected system capable of intelligent thought and physical dexterity. But with the human's complex system comes increased risk. A kick to the head or a blow to the spine can severely limit or destroy the entire system. In contrast, a fungus does not face the same risks—it's a simple but generally resilient system. In this regard, consider this metaphor in the context of a connected utility network.
By way of a real-world example, consider the power grid. To keep the lights on, generating stations, high-voltage transmission lines, substations and distribution lines must all work in tandem to get power from where it is generated to where it is consumed. Prior to the IIoT, significant human resources and capital needed to be expended to maintain the entire system. When one component failed, operators had to determine its location and assess repair needs; that process took time and money. Now, with the IIoT, sensors connect these assets and give utility operators a real-time view of the entire system. Not only can issues be more quickly detected when they occur, but the system can anticipate failure and proactively deploy resources. This connectivity saves time and money, and contributes to the system's overall resilience.
But the network that connects the entire system creates a new type of risk. Whereas the old, unconnected system was subject to a physical attack, it was unlikely that the failure of any one aspect would result in significant consequence to the entire system. Now, however, if the network fails (or is attacked), the entire system is subject to failure, and that attack may be digital, and thus can be more subtle than a physical attack. Indeed, this was precisely what happened in 2015, when the Ukraine bulk power system was the victim of a cyberattack and shut down for several hours.
IIoT systems are continually evolving, driven by new technology and needs. That technology can add to, leverage, or modify the core IIoT technology that currently exists, and can increase the existing benefits inherent with the IIoT and/or diminish the risks that come with a more connected system. Any evaluation of the value of new IIoT technology must include the critical assessment of the impact of that technology on those risks and benefits.
An effective risk analysis framework is key to evaluating where technology investors and purchasers should focus limited resources. The risk assessment approach used by the United States Department of Homeland Security (DHS) provides a useful framework through which to evaluate IIoT and the value of technologies that seek to minimize that risk. Risk (R) is a function of Threats (T) x Vulnerabilities (V) x Consequences (C); R=TVC.
Threats: Threats, at least those which flow from the nefarious activities of human beings, are a combination of intent and capability led by sophisticated state and criminal actors that seek, in the example of utilities, to infiltrate the United States electric grid. These types of threats are best dealt with at the national and international levels through the coordination of the public and private sectors. Threats can also derive from natural sources (hurricanes and earthquakes), or from human operator failure. The analytic framework remains helpful, replacing "intent" with "probability" as a guide.
Vulnerabilities: These represent avenues for attack or system failure, and include the attack surface (access points that an unauthorized user can exploit to enter or extract data). While a number of access points on the IIoT systems may provide more avenues for attack, the vulnerability can depend more critically on the protections from attack embedded in each access point and how those access points integrate with the broader system.
Consequences: This represents the severity of a given issue if it were to occur. For example, if one power plant goes down, does the entire system shut down or are there redundancies that minimize the effects of that loss? What would be the loss, in terms of dollars, or lives, or both?
To complete the cost-benefit analysis, we submit that a similar assessment can be made for the benefits of IIoT technologies, such that Benefit (B) is a function of Opportunity and Value. For example, transmission utilities recognized the opportunity and value of applying IIoT technology to substations and switching stations, thereby allowing the utilities to maximize the use of those assets while monitoring their operational efficiency in real time. Conversely, a given IIoT technology may be able to allow for more information to flow, but that information may not provide any value. For example, attaching a sensor to a transmission line that provides information about the ambient air quality may be an opportunity, but it provides little value to the system and therefore little overall benefit.
In evaluating new technologies, investors and policymakers should focus on the effects on the variables set forth above. Keeping the focus on the R = T x V x C formula as a framework, risk reduction can be achieved by reducing any of those three variables (conversely, Benefits can be achieved by increasing Opportunity or Value. A technology may be focused on reducing consequence, such as an approach to an integrated network that can quickly isolate and bypass a system failure before it spreads to the rest of the system (for example, new grid technology that can contain and bypass a transmission failure before that failure trips the rest of the system). In contrast, a technology could have the effect of reducing vulnerability. And of course, some technologies could do both.
All stakeholders investing in the IIoT should understand how to assess these new technologies. Technologists should assess their own processes and understand where to invest further resources to improve their product. Investors and owners of IIoT-connected critical infrastructure are best to focus their limited resources on those technologies that provide the greatest benefits and most effectively reduce risks. Policy makers and lawyers must be able not only to assess these technologies, but also to understand how they work together to reduce the risks to—and increase the opportunities of—the integrated IIoT system.
 For more background on the Industrial Internet of Things, see "The Industrial Internet of Things and the Law," Day Pitney Whitepaper, Sept. 28, 2017, available here. See also "The Industrial Internet of Things: The Railway Law Revolution of Our Time," Bloomberg BNA Privacy and Security Law Report, Nov. 20, 2017.
 For example, IIoT systems now allow utilities to continuously understand how demand is changing in real time and can assist utilities in managing maintenance costs associated with managing their power generating, transmission and distributing resources. Crews can be deployed in real time or at convenient times prior to predicted failures, efficiently using human and capital resources and reducing the overall costs.
 In December 2015, Russian hackers were able to use phishing emails to gain control of Ukraine's electric grid and cause blackouts across the country. See "Critical Infrastructure and the Internet of Things," Tobby Simon (Jan. 2017).
 Although possible, it is unlikely that technologies would reduce threat, either human or natural, with one significant exception: it is possible that intent could be affected if nefarious human actors are aware of decreased vulnerability or consequence—bank robbers are less likely to want to rob a bank if they know it has high-quality locks or little money in the safe.
Day Pitney Alert
Effective January 1, 2020, the new privacy law in California, the California Consumer Privacy Act (CCPA), will impact companies nationwide. Recent actions by the California Governor and Attorney General have provided some much needed clarity as to the law’s requirements to assist companies in their compliance preparations.
On October 18, Steven Cash will be speaking on a panel, "Becoming A Risk-Oriented Advisor," at the 2019 Family Wealth Alliance Fall Forum in Chicago, IL.
On October 7, Steven Cash spoke at "Cybersecurity: Tension Between Innovation and Security," an event presented by the Connecticut Power and Energy Society (CPES) and held at Yale University in New Haven, CT.
Steven Cash moderated a panel discussion hosted by Culper Connect, an alumni association of former United States Government public servants from the U.S. Intelligence Community.
Day Pitney sponsored a program, "Parade of Corporate Horribles: Responding Ethically to a New Problem Around Every Corner," presented by the Westchester/Southern Connecticut Chapter of the Association of Corporate Counsel (ACC).
Day Pitney Press Release
Kritika Bharadwaj and Sophia Browning are quoted in an article, "Businesses Seek CCPA Clarity As California AG Issues Dire Warning," published by Compliance Week.
Tom Zalewski is quoted in an article, "Careful Care: Health Care Companies Must Be Aware of Legal Risks That Come with New Technology," published by ROI-NJ.
Day Pitney Press Release
Steven Cash was quoted in an article, “Mystery in Mueller Probe: Where’s the Hacking Indictment?,” published by The Hill.