The Industrial Internet of Things promises a quantum leap forward in automation, centralized management and a wealth of new data and insight that is often too tempting to pass up. But automating a factory floor or a fleet of vehicles is far from simple, and many would-be IIoT adopters are going about the process all wrong, according to experts.

To make an IIoT transition a success, the process has to be led by the line-of-business side of the company – not IT. Successful IIoT adopters frame the entire operation as a matter of digital transformation, aimed at addressing specific business problems, rather than as a fun challenge for IT architects to solve.

Robert Golightly is a senior product marketing manager for Aspen Technology, and he describes himself a 40-year manufacturing veteran with “a healthy and wholesome disrespect for IT,” which, he says, too frequently has an insufficient understanding of how a given company’s line of business actually operates.

“This ought to be driven by an expected business outcome,” he said. “Rather than just laying claims that ‘I’ve now connected all my assets’ or those kinds of things – what business transformation did you really achieve?”

This issue is essentially universal – whether the company in question is trying to leverage IIoT to address supply chain issues, operational excellence or any other business problem, and regardless of the industry in which it operates.

“I think we’re guilty of asking ourselves an incomplete set of questions,” said Golightly. “We’re asking the right questions about how we connect A to B, but I think that the question we’re missing is that, in this new world where we’ve torn down the silos and we have better information, does it really change the way we make decisions?”

IIoT projects need operational technology pros, not just information technology pros

According to 451 Research IoT practice director Christian Renaud, approaching IIoT from the operational side – via what he calls “the OT door” as opposed to the IT door – is a much more intelligent way to think about implementation.

If an IT person has a wall full of CCNAs and so on in his or her office, it’s a safe bet that that person is a member of the Cisco tribe, for example. But OT experts will have certifications of their own. The only way for IT types to get in that door, according to Renaud, is partnership with the OT companies that already know how to make it inside.

“They’re absolutely going about IIoT all wrong … because they’re coming through their traditional IT channels,” he said. “Honestly, when you look at our survey data about who’s actually in charge of that purchasing decision, it’s the CEO, the CFO, and maybe one more line-of-business guy that’s a digital transformation guy. You know where the CIO is? He’s over there at the kids table eating chicken McNuggets.”

The specificity of the requirements for an IIoT project means that the operational side of the business will generally have a far better idea of what’s needed than the IT side.

“An IT and an OT guy walk into a restaurant, and the IT guy goes, ‘I’d like a cow and a knife and a match.’ And the OT guy goes, ‘I’d like a steak,’” said Renaud.

The security risks of doing IIoT wrong

One of the great misconceptions about the IIoT is that it’s a brand-new concept – factory floors and utility stations and other major infrastructure have all been automated to one degree or another for decades. What’s different, however, is the newly interconnected nature of this technology.

Steve Hanna, senior principal at Infineon Technologies, said that the security risks of IIoT have grown rapidly of late, thanks to a growing awareness of IIoT attack vectors. A factory that was never designed to be connected to the Internet, with plenty of sensitive legacy equipment that can be 30 years old or older and designed to work via serial cable, can find itself suddenly exposed to the full broadside of remote bad actors, from Anonymous to national governments.

“There’s a tool called Shodan that allows you to scan the Internet for connected industrial equipment, and you’d be surprised at the number of positive results that are found with that tool, things like dams and water and sewer systems,” he said.

The most common oversights, according to Hanna, are a lack of two-factor identification, allowing hackers to compromise equipment they find via things like Shodan, and direct interconnections between an operational equipment network and the Internet.

“We saw that, for example, in the Target attacks of 2009 – they came in through the HVAC system. The HVAC contractor had installed a cellular modem so that they could remotely log in and they wouldn’t have to roll a truck in the middle of the night if there was a problem with the HVAC.”

This story, “You’re probably doing your IIoT implementation wrong” was originally published by Network World.