Getting IIoT to live up to the hype

Value and challenges

By Eric J. Byres, PE, ISA Fellow

There sure is an awful lot of hype these days about the Industrial Internet of Things (IIoT). One cannot attend a trade show without seeing a dozen new IIoT products or services. Every one of those new offerings promises to completely revolutionize your business and bring untold riches to your company.

But is IIoT really a game changer? Or is it just a trendy buzzword? And if it is real, how do you get it to live up to its promise at your company?

Over the past year, I have been providing security guidance for a number of IIoT projects. I have also been facilitating teams of IIoT experts in "think tanks" for Fortune 500 companies rolling out IIoT projects.

At first I was pretty cynical about IIoT-after all, haven't we been connecting smart industrial devices for decades? Network-connected remote terminal units, programmable logic controllers, and human-machine interfaces (HMIs) are nothing new. But the more I got involved in IIoT, the more I saw that it was something new. Integration was not just between systems on the plant floor. It offered corporate, customer, and partner-wide connectivity on a whole new scale. As a result, it had the potential to unlock tremendous value in the manufacturing chain and transform the way a company does business.

I also quickly discovered that, like all new ideas, IIoT is not without its challenges. These include increased security risks, the potential for information overload, a shortage of staff with the needed skill sets and experience, and unexpected effects on corporate culture. Deploy IIoT incorrectly, and you can have a big mess on your hands. So here are three IIoT best practices  I have learned that can make your IIoT project live up to its promise.

#1. Whole company involvement

IIoT is not a "wiring problem." It is not limited to the information technology (IT) department. And it is not just the concern of the chief information officer. When an IIoT project rolls out, it can affect everyone from the operator on the plant floor to the general manager.

We all know that when people do not understand how something will affect their jobs, they are often scared. When they are scared, they are likely to roadblock. Road blocking can result in projects that do not achieve their objectives-or fail outright. IIoT projects are no exception. In fact, because they can affect so many aspects of a business, they absolutely need wide-ranging involvement to be a success.

Ingersoll Rand Residential HVAC group recently rolled out an IoT solution called the Nexia Home Intelligence system. One of the things it does is enable technicians to remotely troubleshoot air conditioners. This both improves customer satisfaction through faster service response times and saves the company money by reducing unneeded or incorrectly provisioned calls.

As good as it is for the customer and the company, this new system affects how service specialists do their jobs. It changes their work day from one of constant service calls on the road to more in-office troubleshooting and preparation. Now, if the technicians felt threaten by the system, it would be easy for them to sabotage it through incorrect diagnoses or rolling out trucks regardless. Fortunately, the project was successful because the Ingersoll Rand IIoT deployment included the opportunity for the service teams to accept the IIoT concept, comment on it, and understand how it would benefit both them and the company in the long run.

This highlights how critical it is for the entire company to be involved and aligned in the success of any IIoT project. Everyone needs to have a stake in helping the project achieve the ultimate win-win scenario in the company's best interest. Thus, the project team must encompass everyone who might contribute or be affected. And it will need experience in a lot of different areas, including analytics, joint IT/OT operations, communication and management, and security designs and architecture. Everyone's skill sets and cooperation are needed to seamlessly integrate IIoT into the workspace.

So how can you get whole company buy-in? Instead of specifying IIoT projects from the top down, senior management can ensure that the necessary tools are available to its operational teams for IIoT projects. This way the people with the hands-on experience of the process, products, and customers can help the company derive real value from an IIoT deployment.

Bill Brown, the director of digital innovation at the tool manufacturer Stanley Black & Decker recently explained how his job is to offer an easy-to-use IIoT platform for the different business units to be able to roll out their IIoT vision. "The system needs to be so easy that people will adopt quickly without being told to do it," explains Brown. This enables the entrepreneurial fast thinkers and problem solvers to implement IIoT more efficiently, easily, and effectively.

#2. Focus on business value

IIoT is meant to drive business value. It is not just how you are collecting data through interconnectivity; it is why you want to do this in the first place. If someone asks you, "How does IIoT [or the data derived] make your company better?" and you are unable to answer with a specific reason, you should reconsider the project. The more specifically you can define the business value, the more likely you are to attain it.

How do you get everyone onboard so that you can indeed focus on the goal? The one strong strategy is to pilot, then scale. Start small and get some clear wins. Celebrating little triumphs goes a long way; you get the naysayers and traditionalists off your back sooner (and there will always be these types), but you can also win them over to your cause. Your opponents can become your allies.

A well-known turbine manufacturer tried this tactic, beginning small before expanding based on its initial success. One of its manufacturing products is the impellers used in centrifugal compressors, both single stage and multi-stage, bound for process gas plants, ethylene plants, mines, and wastewater treatment facilities. These impellers can range in diameter from 16 in to 72 in, either milled or fabricated from expensive alloys. This puts the component value from $100K to $400K. Having them sit around in inventory is very expensive.

Two critical post-processing operations for impellers are balancing and blade frequency testing. Specifically, impeller blade testing requires the blade frequency to be measured for each of the 17-23 blades. Before the IIoT project, it was someone's job to take these individual measurements and document them in a spreadsheet. After that, a hardcopy of the data was delivered to an engineer for review, where approval or rejection of a given blade was communicated. In the case of a rejected blade, a certain amount of material had to be removed, determined by the standard blade geometry and operational speed. The process took days to weeks to complete, translating to at least $200,000 in (wasted) inventory costs.

The extra days in held inventory were quite a significant cost on its own, but with the addition of the extensive manual processing and paperwork approval, this was a prime area for implementing IIoT technologies with automation and machine intelligence.

By automating the process via IIoT and adding intelligence into the blade-ring test machine, multiple problem areas-transcription errors, man hours, held-up inventory, and consequent expenses-were addressed. All of the tasks are repeatable, and could therefore be completed autonomously. The operator is immediately informed of pass/fail results, and alerts can be sent remotely to the engineer if approval is required. It was not a big project per say, but the process got clear wins and a huge return on investment (ROI). That helped people within the company understand why they would want to support another, larger IIoT process in the future.

#3. Design security and robustness in from the start

The best IIoT systems are those designed from the very beginning with security and robustness in mind. They include elements such as automated failback features, an increased tolerance for short-term failures, and security monitoring within the system operations plan. Brown of Stanley Black & Decker explains that his company's IIoT deployments could not be centered in the cloud-they needed to be able to work on premise. "If the Internet connection goes down, your system still needs to function."

Experts such as the chief security architect of Polyverse Corporation, Steven C. Venema, recommend reviewing the ISA/IEC 62443 standards (formerly known as the ISA99 standards) as a preliminary road map toward partitioned architectures for the industrial control system (ICS) and supervisory control and data acquisition domain. "Partition your equipment and systems designs," Venema cautions, "to allow security components to be updated on a faster cycle than other operational components." As "the complete security life-cycle program for industrial automation and control systems," ISA/IEC 62443 consists of 11 standards and technical reports. It introduces the concepts of zones (groupings of logical or physical assets that share common security requirements based on criticality, consequence, and other such factors; equipment in a zone should share a strong security level capability) and conduits (paths for information flow between zones). ISA/IEC 62443 standards provide requirements based on a company's assessment of cyberattack risks and vulnerabilities.

Within the oil industry, a large refinery created a security architecture that effectively protected its operations based on these standards. In its oil refinery process facility, the company had multiple operations (with basic control, safety, and HMI/supervisory systems). It also had considerable wireless and remote communications needs, both for maintenance and for communications to downstream customers.

To secure its operations, the company divided its systems into zones and subzones-depending on operational function, security capabilities and requirements, perceived risk, and process level-to best adjust the security requirements for each particular operation. After analyzing potential threat sources, the company relocated the safety integrated system in each operational unit to its own zone (instead of being part of a basic control zone). Conduits were defined and documented, breaking down the overall system into manageable chunks. The zones and conduits were then implemented with industry security appliances, including firewalls and virtual private networks, which were tried and tested. The technologies introduced into the control systems also made significant improvements to plant performance and productivity, and the company successfully continued to use and maintain ISA/IEC 62443 standards as a framework for security improvements.

In your IIoT security checklist, strategize to ensure and implement the following proactive and protective measures:

  • Design security in from the start. Never leave it as an afterthought.
  • Enlist expert help. Fuse a team of senior management and security specialists who can communicate and work together to design protective strategic measures that work seamlessly with the plant's (and whatever products or services therein) functionality and features.
  • Compartmentalize IIoT solutions into security zones to prevent the spread of malware throughout the plant. In tandem, integrate security best practices during each phase of the developmental process on the plant floor.
  • Monitor your IIoT system continuously to understand vulnerabilities and manage emerging threats. It is essential to detect issues as early as possible.

IIoT should not be a raw or experimental practice. It must be designed reliably and with evolving security systems that are punctually followed and updated. Otherwise, it is no different than installing a burglar alarm system in your house . . . and never bothering to turn it on.

IIoT - A new way of examining an old problem

"IIoT is an evolution . . . it is moving legacy systems into the new age of technology to take advantage of everything [that] new technology and connectivity have to bring."-Vimal Kapur, president of Honeywell Process Solutions

At its core, IIoT is not a new technology. It takes advantage of some new technologies, but it is actually a new way of examining an old problem. We have always had the data-test results, analytics, asset management information, maintenance information-but it has often been inaccessible, overlooked, or obscured in our operating procedures. IIoT lets us rethink the way industry integrates the data buried in our manufacturing process.

Effectively implementing IIoT is a continuous process that demands strategic planning, a focus on company goals, the coordination of teams with diverse skill sets, and an investment in quality security measures. The adoption of IIoT brings immediate benefits, such as improved reliability and reduced downtime. Simultaneously, it also enables long-term benefits by establishing a platform for continuous development and offering a greater ROI by integrating information quantity and quality.

By creating a forward-thinking company culture, by maintaining corporate focus, and by designing IIoT systems with appropriate security measures, your business can overcome obstacles and strategically implement IIoT best practices to gain an immense competitive advantage in the digital future.

Want to learn more about successful IIoT deployments?

Download your free copy of the technical report The Industrial Internet of Things: Secrets for Unlocking Business Value in the Digital Future at http://info.convetit.com/industrial-iot-unlocking-secrets.

About the Author

Eric J. Byres, PE, ISA Fellow is one of the world’s leading experts in industrial control system and IIoT security. Byres is the inventor of the Tofino Security technology, which received numerous industry awards and was licensed by industry giants such as Honeywell, Schneider Electric, and Caterpillar. Today, it is probably the most widely deployed ICS-specific firewall in the world. Byres provides technology and market guidance to companies entering the IIoT market, as well as security policy guidance for established companies involved in the operation of critical infrastructures.

Reader Feedback

We want to hear from you! Please send us your comments and questions about this topic to InTechmagazine@isa.org.