What IT and OT managers need to know about IoT standards

If your company is preparing for the Industrial IoT, there is good news and bad news when it comes to standards.



Let’s start with the bad news: IoT standards are still a work in progress. Standards are well developed and widely adopted in established areas in which IT and operations technology (OT) vendors, practitioners, and standards groups have long operated. However, in new areas, such as low-power wireless and machine-to-machine (M2M) communications, emerging standards are battling it out for dominance. In addition, there are lingering questions about how modern standards can be applied to legacy OT machinery found in manufacturing and other industrial verticals.

The good news: Despite this uncertainty, companies can still turn to a wide range of standards-based IoT solutions—as well as products that use established IT and OT standards—to get IoT projects off the ground and generating real value.

The rise of IoT standards

While the term "Internet of Things" is relatively new, the idea of connecting and controlling industrial machinery using computers goes back to the early 1960s. Information technology entered corporate and government usage around the same time.

What has changed in the decades since then is the sheer variety of technologies, as well as their sophistication, thanks to Moore’s Law and ongoing innovation. In addition, dropping costs for bandwidth and silicon have led to an explosion of connected devices, from autonomous vehicles to video cameras. It’s now possible to automate and optimize processes in ways that were inconceivable 15 or 20 years ago, using wireless and cloud services and powerful computing hardware located on the plant floor or out in the field. In a sense, Industrial IoT (IIoT) can be considered an application of evolving IT and OT standards, even while the marketplace treats IoT as a new phenomenon.

There is a vast number of emerging IoT standards. The latest Gartner Hype Cycle for IoT Standards and Protocols profiles 30 standards, 15 of which have been marked to deliver “high business benefit.” Six of those are expected to become mainstream in the next five years, including:

6LoWPAN: IPv6 over Low-Power Wireless Personal Area Networks is an IETF standard to deliver IPv6 connectivity over non-IP networking technologies such as NFC and LoRa at extremely low power, such that compliant devices can potentially run for years on battery power.

Contiki: an open source OS for low-cost, low-power IoT microcontrollers.

LiteOS: a Unix-like OS for wireless sensor networks.

OneM2M: a machine-to-machine service layer that can be embedded in hardware and software to connect devices.

Random Phase Multiple Access (RPMA): a proprietary standard for connecting IoT objects.

Sigfox: a proprietary low-power, low-throughput technology for IoT and M2M communications.

From this short list, it is apparent that many IoT standards have overlapping functionality, or that they target the same markets using different technological approaches. In fact, several multibillion-dollar battles are taking place as competing vendors and standards organizations vie for IoT dominance—and attempt to convince customers that their standards are the best way forward.

“The reality of a standards committee is that it's actually just as much a commercial battlefield as the open market is,” says Michael Tennefoss, vice president of strategic partnerships at Aruba, a Hewlett Packard Enterprise company. “Some technologies are less proven than others, and so the goal of the standards effort is to legitimize the technology and make customers feel safe that they can go ahead and use it, as opposed to it being proprietary and a closed system that maybe won't be developed over time.”


Tennefoss notes that just because an application or piece of hardware meets a certain standard, that does not mean it’s the best solution. He points out that manufacturer-specific extensions enable performance advantages or special features that competing products may not have. He cites the 802.11 Wi-Fi standard as an example. “You can put two Wi-Fi products side by side and see vastly different performance, security, roaming, and battery consumption,” Tennefoss says. “Standards should be considered a starting point, but it's not the finishing line.”

Gaining an edge with open standards

Open standards are key to expanding IIoT and innovation in the marketplace, says Dr. Tom Bradicich, vice president and general manager, Servers and IoT Systems, at HPE. “There’s little fear of infringement with an open standard,” Bradicich says. “Open standards also promote innovation, because since it's open, there are usually skills that exist and can be leveraged.”

He says that for established, open standards in IoT, IT, and OT, there’s a much higher chance of being able to turn to staff resources or a trusted partner to integrate a new technology onto the factory floor or out in the field. For instance, hundreds of thousands of engineers, system administrators, and technicians have experience implementing 802.11x-compliant wireless access points, hardware, and management tools. Moreover, vendors pay less in component costs and licensing fees, which leads to more competition and lower prices.

That’s not to say that proprietary or emerging open standards should be shunned. Sometimes, proprietary or new technologies serve a market niche or employ a superior engineering approach. An example would be a controller used in the manufacture of specialty pumps for industrial heating, ventilation, air conditioning, and refrigeration equipment. The controller may use emerging IoT standards as well as proprietary OT standards, without alternative products to turn to. The challenge for staff then becomes how to connect the controller to existing systems and how to handle future expansion.

IoT interoperability and legacy equipment

Bringing together disparate systems is no small feat. Most industrial facilities—whether in manufacturing, transportation, energy, or mining—have different types of compute platforms, storage hardware, application interfaces, and networking protocols. And that’s just on the IT side. When it comes to OT, additional sets of interoperability requirements are made more difficult by the widespread use of legacy equipment.

For instance, Hirotec, a medium-size factory that produces auto parts, recently took part in an IoT pilot to bring remote QA to an exhaust assembly line. There were scores of computer-numerical control (CNC) machines on the plant floor, some of them decades old, using eight different data types. It was critical for these systems—as well as newer robots, applications, and IoT sensors—to “talk” with one another and hand off data and instructions in a seamless way.

Working with vendor partners was central to getting the IoT pilot off the ground. Hirotec turned to PTC’s ThingWorx and HPE ProLiant to deliver predictive analytics, simulation capabilities, and anomaly detection. Another PTC product, KEPServerEX software, connected applications and IoT devices on the edge to ThingWorx. Rounding out the picture were HPE Edgeline converged systems to help control equipment and process the massive amounts of data generated at the edge. Even though the devices and equipment used different standards, the IoT architecture was able to get everything working in concert.

Bradicich points to Edgeline’s wide support of IT and OT standards as key to enabling interoperability. He uses a convention dubbed the “three C's”—connect, compute, and control—to frame how Edgeline fits within the wider IoT and standards ecosystem. The Edgeline has built-in support for an array of standards on all three dimensions. They include:

PXI, an OT standard for integrated data acquisition (DAQ) and control systems

x86, a hardware standard that supports high-performance computing, analytics, and real-time control

Standard IT connectivity, such as Ethernet, Infiniband, and Fibre Channel, as well as industrial networks, such as CAN and SCADA

Bradicich likens the Edgeline to the iPhone, in that many diverse functions are combined into one system, along with a universe of applications. “Edgeline is the smartphone for the edge,” Bradicich says. “New efficiencies and industrial applications are popping up because we have done a first-of-a-kind integration of OT and IT, with open standards.” This enables the Edgeline series to plug and play with IoT sensors, applications, storage, control systems, robots, and other types of IT and OT functions.

Standards and IoT security

Another part of the standards puzzle relates to security. It’s a big concern, and not only because of a series of harmful IoT security incidents involving unpatched IoT devices. At the company level, spending on IoT security has taken a back seat to hardware, software, and systems expenditures. According to Gartner, 25 percent of known enterprise security attacks will target IoT networks by 2020. Yet only 10 percent of enterprise security budgets will be devoted to IoT.

There’s also the presence of legacy equipment. In a typical offshore oil rig or manufacturing plant, staff do not have a rip-and-replace mindset. A CNC machine or precision drill might be used for 30 years or more. And while encryption standards may protect data on newer edge equipment, how does that protection extend to a 23-year-old pump that has never been patched?

According to Aruba’s Tennefoss, the OT world has an entirely different philosophy when it comes to security. “For many years, OT and IT had a very different definition of trust,” Tennefoss says. “In the OT world, trust equals reliability, and if it's working, don't touch it. Whereas trust, of course, in the IT world has to do with the veracity of the data and the authenticity of the identity of the device and its intents and purposes.”

Tennefoss says it’s not uncommon for OT and IT systems to be air-gapped by mutual agreement. OT teams don’t want IT staff applying patches or rebooting systems, as it will interrupt processes that are central to operations. And on the IT side, security managers don’t want unprotected systems touching corporate networks.

“There are some very good standards that exist today that could be applied directly to the OT world,” Tennefoss says. “That's great for new devices that are being deployed, so long as the manufacturers and the customers follow those standards. But you have this hidden world of the installed legacy base, which is largely unprotected. How do you address that and reassert trust in a legacy world?”

Tennefoss continues, “That's not a standards issue. That's an implementation issue.”

Aruba’s approach to legacy OT equipment is “no data left behind,” he explains. “We have a whole suite of solutions to enhance the security of the existing installed base.” The mechanisms he cites range from profiling IoT networks to understand what’s on them all the way up to elliptic-curve encryption to protect highly classified data.

“Probably the real place to focus is on the security of the infrastructure, because that's where the threats are greatest,” Tennefoss adds. He cites Aruba’s IntroSpect User and Entity Behavior Analytics (UEBA) technology, which uses machine learning to determine if people or devices are behaving in an anomalous manner, as well as ClearPass, a central repository for security policies that can tie into security products offered by other vendors, including Palo Alto Networks, Check Point Software, Fortinet, VMware, MobileIron, Microsoft, and Splunk.

“The dirty little secret about IoT is that it's fundamentally untrustworthy,” Tennefoss says. “You not only need solid standards that define security and good processes for everything from key management to storage of certificates and encryption and what not, but you also need a mechanism to ensure that they're actually implemented.”

Creating “pervasive security standards” for IoT

As billions of IoT devices come online in the next five years, the threat of a massive security breach or attack will increase. Companies have already been taken offline by attacks involving PLCs, video cameras, and even industrial safety systems. Could new IoT security standards help protect corporate assets and critical infrastructure?

HPE’s Bradicich thinks “pervasive security standards” could simplify the onboarding of IoT devices and help protect IoT data.

“I believe the most exciting thing is to be able to securely connect through standards so that you can quickly add a new thing,” Bradicich says. He reasons that open standards that could seamlessly and securely connect new devices would speed the adoption of IoT by not only streamlining setup processes, but also by reassuring consumers and corporate users that devices and data will be protected. “That all said, there are many IoT deployments in production today, helping businesses who are not waiting on new standards—which means one of the highest risks in IoT today is not having an IoT strategy.”

A lot of work remains to be done, however. While some emerging IoT standards such as MatrixSSL address network security, others require security add-ons or additional implementation steps. For instance, Message Queuing Telemetry Transport (MQTT) transmits data in clear text, requiring additional security mechanisms for mission-critical IoT implementations.

And then there is the security gap when it comes to sensors, actuators, and drives. While the networks connecting such devices can be secured, there are no security standards at the device level, which has huge implications for facility integrity and personnel safety. The International Society of Automation recently created a working group to better understand the gaps, with an eye toward developing standards around such devices.

IoT standards: Lessons for leaders