If cybersecurity were an automobile, a key performance indicator would be miles per cyberattack, with infinite as the desired metric (i.e., miles before the next cyberattack)!

The cybersecurity challenge for information technology (IT) stakeholders is enforcement of digital security across all managed assets (computers and network elements) to prevent malware infections and consequences thereof. In contrast, what is the cybersecurity challenge for operational technology (OT) stakeholders?

Value creation in IoT

The weaponization of cryptography by ransomware and supply chain exploits to deliver malware by nation-state actors and the cybercrime syndicate have clearly drawn the battle lines for both IT and OT stakeholders in the years ahead. The onus is squarely on product security architects, chief technology officers and data officers to meet the challenge.

For value creation in OT environments, the solution must amplify operational integrity and safety of connected devices in industrial manufacturing and control systems and provide explicit protection controls against cyberattacks. The mindset in IT is to expeditiously apply security patches and plug gaps based on vulnerability assessments and published threats.

The motivation in OT is to ensure a high degree of trustworthiness and availability in operational equipment linked to business revenues. Remediation activities in OT ecosystems (to recover assets and restore normalcy after a cyberattack) disrupt production systems and result in lost revenues. Therefore, operators must protect OT assets to lower cyber insurance premiums and costly payouts, via:

• Immutable device identity with a root of trust anchor (such as a secure element)
• Cryptographic key protection on the device (in a trusted keystore)
• Identity attestation for zero trust with mutual authentication of connected things
• Data (messaging) integrity with low latency and digital signing for tamper resistance
• Data (telemetry) privacy with secure and quantum-safe key exchange

Benefits of modernization

The benefits of infrastructure hardening and modernization (i.e., digital transformation) must include the following incentives for collaboration with original equipment manufacturers (OEMs):

• Zero coding for quick start
• No reengineering of line of business applications
• Interoperability between brownfield and greenfield devices
• Operational efficiencies for field operators

Solution architecture for IoT

The solution architecture for product security architects and field operators must achieve the following objectives for unified IT-OT workflows and return on investment:

• Achieve compliance and cyber insurance objectives (as applicable to the industry sector)
• Unified workflow for IT-OT convergence
• Secure onboarding to assist network operations center (NOC) operators
• Automation for key and certificate lifecycle management
• Condition-based maintenance to assist both device management system (DMS) operators and OEMs
• Remote recovery on security incident for security operations center (SOC) remediation actions
• Trusted device intelligence for artificial intelligence (AI) and machine learning (ML) training models

The economics of IoT

The economics of modernization programs will require forecasting the total cost of operation (TCO), reducing expenses with operational efficiencies, ensuring that the appropriate grade of protection is available to devices, and building resilience to prevent service outages that may be triggered by sophisticated cyberattacks. The choice of deployment model will vary based on the forecast TCO — namely, as a cloud SaaS, enterprise managed on-premises, or a security service provider managed on-premises solution, and will require:

• No impact on the cost of goods (COGs) for OEMs
• Utility model services that reduce the TCO with volume-based subscription pricing
• Grade of protection-based service tiers to protect heterogeneous devices in the ecosystem

The milestones of protection

Unlike multi-layer detection controls, protection is a holistic trust solution that requires a chain of trust from the first mile to the last mile:

• On the first mile, code signing certificates provide supply chain protection.
• On the middle miles, SSL certificates provide data protection.
• On the last mile, identity attestation certificates provide zero-trust protection.
• On the device, explicit trust controls provide device protection.

Trust is transitive and protection requires explicit and verifiable trust — with integrated digital security and device protection.