Last week I attended a Honeywell Process Solutions user group event in San Antonio because my love of the smart home is actually surpassed by my love of industrial IoT. This Honeywell division makes software and a few physical products to help companies that make paper, refine oil and handle other processes (as opposed to manufacturing physical devices).
It is a different world, y’all.
There are plenty of things I learned from the people in old-line manufacturing that could and probably should be transferred to the rest of the world as connectivity and data analytics are adopted into even the most mundane processes. The biggest ones are around security.
The way these companies look at security is different from what we’re used to. We spend a lot of time in the tech world thinking about the technological underpinnings of IoT security, in part because so many devices have utterly neglected them. But there’s more to security than encryption and secure computing modules.
These risks might be equipment that can cut off an employee’s leg or a burner that can roast a group of people in seconds. Dealing with these types of risks gives them a far more practical mindset when it comes to evaluating security risk. They look at cybersecurity as an extension of the risk management practices already employed at the plants.
While in the IT world people seem ready to throw up their hands in the face of people trying to phish employees, plant operators are coming up with training plans to educate workers, as well as processes that should ensure that employees aren’t accidental risk vectors.
For example, a breach at a paper pulping plant could mean a plant shutdown, which leads to a specified cost in terms of lost production and costs to restart the plant. Yet paper pulping isn’t as essential as something like electricity generation or keeping a nuclear plant secure, so the cybersecurity experts at Honeywell advise that those paper plant operators don’t have to be as secure.
These are the sorts of tradeoffs every company has to make regarding security, but in the manufacturing business, they have a clear understanding of the economic and welfare costs of a security breach, allowing them to map those costs to a layered set of security best practices. The consumer device industry could use something like that. (If they did, they’d probably have to admit both the risk of keeping users’ personal data stored indefinitely on servers and its inherent value in case of theft.)
Not everything can map directly, but I did walk away respecting that when it comes to security and assessing risk, the IT world can learn from the manufacturing world.