We know IIoT networking is difficult. However, challenges result in opportunities. Let’s start by fast forwarding to a new and exciting art of the possible for IIoT networking: identity secured networking.
Identity-Secured IIoT Networking case study
The IIoT device securely communicates its identity and metadata to the network. The identity is a derived cryptographic thumbprint, a function of built-in, device-specific operations including a hardware root of trust. In other words, it is a very secure, immutable identity. And it gets better than that.
The identity controls and secures the network! If the device reports a location which differs from what is expected for that identity, we may route the data to a honeypot network. Or, we may throw an instant kill-switch on the network and record the metadata to a shared ledger such as a blockchain. That way, if our device was attacked by a botnet or similar, and other attacked devices also populate the blockchain, then perhaps we can thwart the botnet attack before it does major damage.
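The case study above, as an added example (not NetFoundry code): the device reports a thumbprint derived from hardware-rooted keying material plus its metadata, the network authenticates the report, routes an unexpected location to the honeypot, kills unauthenticated traffic, and records anomalies in a hash-chained ledger. The device key, expected site and report format are constructed for illustration.

```python
# Added example (not NetFoundry code): identity-secured admission as in the case study above.
# Keys, sites and the report format are constructed; a real device key never leaves the root of trust.
import hashlib
import hmac
import json

DEVICE_KEYS = {"pump-controller-07": b"constructed-root-of-trust-key"}
EXPECTED_SITE = {"pump-controller-07": "plant-A"}
GENESIS = "0" * 64

def thumbprint(device_id: str) -> str:
    """Identity as a cryptographic thumbprint derived from device-specific keying material."""
    return hashlib.sha256(b"identity:" + DEVICE_KEYS[device_id]).hexdigest()[:16]

def _mac(device_id: str, body: dict) -> str:
    return hmac.new(DEVICE_KEYS[device_id], json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()

def sign_report(device_id: str, site: str, seq: int) -> dict:
    """Device side: identity plus metadata, authenticated by the root-of-trust key."""
    body = {"thumbprint": thumbprint(device_id), "site": site, "seq": seq}
    return {"body": body, "mac": _mac(device_id, body)}

def admit(report: dict, ledger: list) -> str:
    """Network side: verify the report and choose the route ('production', 'honeypot' or 'kill')."""
    body = report["body"]
    device_id = next((d for d in DEVICE_KEYS if thumbprint(d) == body["thumbprint"]), None)
    # Unknown thumbprint, or metadata that fails authentication: instant kill-switch.
    if device_id is None or not hmac.compare_digest(_mac(device_id, body), report["mac"]):
        return record(ledger, body, "kill", "identity or metadata fails authentication")
    if body["site"] != EXPECTED_SITE[device_id]:
        return record(ledger, body, "honeypot", "location differs from expected")
    return "production"

def _link(prev: str, body: dict, decision: str, reason: str) -> str:
    return hashlib.sha256((prev + json.dumps([body, decision, reason], sort_keys=True)).encode()).hexdigest()

def record(ledger: list, body: dict, decision: str, reason: str) -> str:
    """Append the anomaly to a hash-chained ledger so other parties can correlate events."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "body": body, "decision": decision, "reason": reason,
                   "hash": _link(prev, body, decision, reason)})
    return decision

def ledger_intact(ledger: list) -> bool:
    """Recompute the chain; an edited or dropped entry breaks a link."""
    prev = GENESIS
    for e in ledger:
        if e["prev"] != prev or _link(prev, e["body"], e["decision"], e["reason"]) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```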
More generally, the secure identity is used to provide end-to-end authentication, provisioning, policy, and networking. The device, identity, application and network collaborate for identity-secured IIoT networking across any set of networks and clouds. While there is work to do, you can see progress in the NetFoundry Micron Secure Connected Car demo shown at IoT Solutions World Congress with Azure as the cloud, and demonstrated at Amazon re:Invent with AWS as the cloud.
The above is just one example of how we can turn challenge into opportunity in IIoT networking. Let’s take a step back and look at the overall picture.
IIoT Networking Takes Center Stage
As IIoT moves from pilot to production, IIoT networking is moving from afterthought to bottleneck. It often takes walking down the production road to discover that best-effort Internet is often not secure or reliable enough, while nailing up unwieldy and performance-compromising VPNs costs us excessive time and money.
IIoT is highly distributed and dynamic. IIoT apps often include multiple sites, clouds and business partners. Simply put, IIoT data flows don’t fit well into the MPLS, SD-WAN, and VPN architectures which were designed to support static, site-centric data flows. The answer is obvious: design networking which is purpose-built to serve the IIoT application topology.
What are the challenges to building this type of connectivity? Are there opportunities such as the identity-secured IIoT networking example described above? With IIoT networking moving into the spotlight, making or breaking IIoT business cases, deployment timeframes and operational models, we need to build our IIoT networking solutions before they become bottlenecks.
IIoT Networking Opportunities
Since IIoT networking is largely greenfield, we have a nice opportunity to apply lessons learned in IT networking. Most importantly, IIoT can be the leader in moving to context driven networking and identity secured networking.
In IT-land, we have different identities and policies on the application side and the network side, and the two sides basically don’t talk. The network often has, at best, a coarse idea of the context or identity of application flows. Structures for identity and policy are independently managed on the app side and the network side, so two sets of policies must be kept in sync by hand. Security vulnerabilities are created by that dual policy management and by the manual, hard-coded nature of network-side VLANs and firewall rules. Quality-of-Experience (QoE) is very difficult to deliver, in part because the network side gets very little context about the actual delivery needs of the apps. This throw-the-packets-over-the-wall handoff from the app to the network is the dominant networking paradigm. Compare it to the identity-secured IIoT networking paradigm described at the start of this post, and you’ll quickly see there is a new art of the possible – a unique opportunity for IIoT networking to leapfrog what we have done in IT networking. In fact, identity can also enable us to securely cross organizational boundaries, for example in connected supply chains.
Connected Supply Chain
IDC’s research and analysis shows that 75% of manufacturing supply chains will use IIoT and connected processes to improve productivity by 15% by 2019. Transforming the supply chain into a connected supply chain can also ultimately lead to just-in-time manufacturing and on-demand production. Connected supply chains save money in areas such as proactive maintenance and automated processes. Connected supply chains can lead to more revenue with faster restocks and quicker reactions to changes in demand.
It is an immense challenge to securely and reliably connect these supply chains. Consider a factory or plant full of sensors and controllers, communicating with its supply chain, which includes connected fleets and tagged containers. The connected devices and processes inside a factory or plant need to communicate information with dozens of different businesses and cloud-based analytics systems. This IIoT data sharing needs to be extremely secure, so early designs showed IIoT servers or gateways at the edge of the factory, and required us to build (n-1) VPNs to the (n) different businesses, vendors, and clouds. However, not only is it extremely expensive and slow to build and manage all those VPNs, it is insecure. As seen in the Target breach (via an HVAC network), one compromise can lead to catastrophe. We need a better solution.
The need for an IIoT networking solution for connected supply chains is also an opportunity. As we described above, IIoT can benefit from identity-secured networking. Adding in context-driven networking, the best networking for connected supply chains is to do application-layer micro-segmentation with least-privilege access in a software defined perimeter architecture. Ok, way too many technical terms! It all results in one simple concept: each vendor only gets access to the specific data or app which that vendor is authorized to access. NetFoundry implemented this architecture to secure financial transactions for cleverDome across multiple financial institutions. Each vendor gets access to an AppWAN – a private, specific network overlay which is isolated from the rest of the world. This means that if the vendor is compromised, like the Target HVAC example, then all the other data is safe (unlike the Target HVAC example). Even better, AppWANs are centrally defined and managed, at the application layer, eliminating the need for (n-1) VPNs to (n) vendors. Finally, these IIoT AppWANs for connected supply chains are integrated with your identity, IAM, IIoT platform, and cloud solutions, and are context-driven and identity-driven at the most granular levels; for example, an individual identity may be authorized to consume data inside its AppWAN only for specific IP addresses, ports or times of day.
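The per-vendor, least-privilege policy described above, as an added example (not NetFoundry's AppWAN implementation): each vendor identity is bound to the only services it may reach, scoped by destination address, port and time of day, and anything outside its AppWAN is denied, so a compromised vendor cannot reach other data. Vendor names, services, addresses and windows are constructed for illustration.

```python
# Added example (not NetFoundry's AppWAN implementation): least-privilege access evaluated per
# vendor identity. Vendor names, services, addresses and windows below are constructed.
import ipaddress
from datetime import time
from typing import Optional

# Each vendor's AppWAN lists the only services its identity may reach, and when. Anything not
# listed is unreachable, so a compromised vendor cannot pivot to other data (the HVAC lesson).
APPWANS = {
    "hvac-vendor": [
        {"service": "hvac-telemetry", "net": "10.20.0.0/24", "ports": {8883}, "window": ("00:00", "23:59")},
    ],
    "analytics-cloud": [
        # Overnight batch window that wraps past midnight.
        {"service": "line-metrics", "net": "10.30.5.0/28", "ports": {443}, "window": ("22:00", "06:00")},
    ],
}

def in_window(now_hhmm: str, window: tuple) -> bool:
    """Time-of-day check that also handles windows wrapping past midnight (e.g. 22:00 to 06:00)."""
    now = time.fromisoformat(now_hhmm)
    start, end = (time.fromisoformat(w) for w in window)
    return start <= now <= end if start <= end else (now >= start or now <= end)

def authorize(identity: str, dst_ip: str, dst_port: int, now_hhmm: str) -> Optional[str]:
    """Return the service this identity may reach at the given address, port and time, else None (deny)."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in APPWANS.get(identity, []):  # unknown identity: empty AppWAN, everything denied
        if (dst in ipaddress.ip_network(rule["net"])
                and dst_port in rule["ports"]
                and in_window(now_hhmm, rule["window"])):
            return rule["service"]
    return None

def audit(attempts: list) -> list:
    """Evaluate (identity, ip, port, time) attempts; denied ones are what a defender wants to see."""
    return [(a, authorize(*a)) for a in attempts if authorize(*a) is None]
```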
IIoT Networking Challenges
It is slow and expensive to work with telecom carriers to deploy custom hardware, circuits and VPNs. Additionally, since SD-WAN and VPN architectures were not designed for the IIoT application topology, you are also saddled with complex security problems as you try to band-aid the old architecture to meet the needs of the new application topology.
SD-WAN helps with your “on-net” data – the data you can bookend between SD-WAN CPEs. However, you can’t bookend most of your IIoT data – you can’t deploy custom SD-WAN CPE appliances at all your IIoT, private data center and cloud sites. Meanwhile, SD-WAN uses legacy IPsec technology to carry data over the Internet. Good enough most of the time, but not all the time. VPNs are similar. They will work fine for some IIoT deployments. In other cases, the cost, complexity and time of nailing up (n-1) VPNs to (n) different sites, and then supporting them, is simply a non-starter.
Fortunately, new software-only, Internet-optimized, IIoT-platform-integrated solutions are now available to help you meet your need for agile, secure, performance-optimized networking across any set of networks and clouds.
IIoT Connectivity Solutions
We recommend you answer the following questions as you evaluate IIoT networking solutions:
- Does the solution restrict you to certain telcos or Internet providers?
- Does the solution add hardware or operational complexity to your IIoT deployment?
- Does the solution enable your IIoT app to reach any site or cloud?
- Does the solution provide security and performance over the Internet?
- Does the solution positively or negatively impact your IIoT app performance?
- Is the solution integrated with your IIoT app and platform?
In some cases, NetFoundry’s IIoT networking will best meet your needs. NetFoundry’s IIoT AppWANs are the next generation of SD-WAN – the ‘sexy and innovative’ generation according to Forbes. IIoT AppWANs give you control of the network. Security and performance travel with your IIoT app. IIoT AppWANs provide you with app-specific overlay networks, secure and performant even across the Internet. You and your apps control your network. You make the network an asset in your IIoT initiative, rather than a barrier.
And it gets better! NetFoundry’s IIoT AppWANs are software-only and built to integrate with leading identity providers, IAM systems, IIoT platforms and clouds. For example, NetFoundry is a founding member of the Linux Foundation’s EdgeX Foundry – an innovative open-source IoT edge solution. In addition, IIoT AppWANs are secure-by-design, leveraging software defined perimeter (SDP), zero trust access, app-level micro-segmentation, least-privilege access, and virtual network function (VNF) architectures to secure, protect, and isolate your IIoT app from attacks such as DDoS, Man-in-the-Middle, botnets, and spoofing.
Regardless of whether NetFoundry or another solution best meets your IIoT networking needs, we believe that the greatest obstacles to IIoT networking are also opportunities: opportunities to create networking paradigms which are purpose-built for IIoT’s unique needs, and opportunities to control your network without being shackled by specific telcos, hardware, circuits or clouds. We are excited by the innovation you can bring to your IIoT applications with new paradigms such as identity-secured networking and context-driven networking. If you want to tell us how we can best meet your IIoT networking needs, please contact us, or get started with a free trial of NetFoundry’s networking solutions.