Securing the Industrial Internet of Things: Strategies, Standards, and the Chain of Trust

We’ve all heard of the Internet of Things (IoT) and the Industrial Internet of Things (IIoT). While IoT typically serves consumer applications, IIoT drives industrial operations, linking operational technology (OT) with enterprise systems, business processes, and advanced analytics.

According to the Industrial Internet Consortium (IIC), an IIoT ecosystem fuses industrial control systems (ICS) with enterprise data flows. Unlike traditional OT, IIoT devices are highly interconnected—both to each other and to cloud services—while still interacting directly with the physical world via sensors and actuators. This dual nature expands functionality but also widens the attack surface, making cyber threats a pressing concern for critical infrastructure.

To mitigate these risks, the U.S. Department of Energy (DOE) has partnered with Intel on a program that enhances security at the power‑system edge. The initiative focuses on creating secure gateways for legacy (brownfield) equipment and field‑programmable gate array (FPGA) upgrades for new (greenfield) devices, all while preserving uninterrupted energy delivery.

Intel’s Sven Schrecker, chief architect of IoT security solutions and co‑chair of the IIC security working group, emphasizes that security must be woven into the entire design process. He identifies five core principles for IIoT development:

• Safety
• Reliability
• Security
• Privacy
• Resilience

Design engineers often focus on implementing secure chips, software, or platforms, yet they must also align with corporate security policies. Schrecker notes, “The security policy must be authored jointly by IT and OT teams so that everyone knows which devices are authorized to communicate.”

Building a Chain of Trust

A prevailing recommendation is to establish a robust security policy and chain of trust from the outset. This chain should endure through design, development, production, and the entire lifecycle of a device, embedding trust in the hardware, network, and supply chain.

Haydn Povey, board member of the IoT Security Foundation and CEO of Secure Thingz, argues that security responsibilities span four organizational layers:

• CxO level
• Security architect
• Development engineer
• Operations manager

Development engineers must translate corporate policy into concrete security controls, including product identification, secure update mechanisms, and chip‑level safeguards. Operations managers, on the other hand, oversee OEMs that manufacture IIoT components, ensuring each electronic part carries a unique, verifiable identity throughout the supply chain.

Robert Martin, senior principal engineer at MITRE and IIC steering committee member, highlights the fragmented nature of connected industrial systems. He warns that even minor changes in microprocessors can unintentionally alter software behavior, and without clear accountability, failures may go unaddressed. “In building trades, changes that affect safety are regulated and certified,” he says. “Software‑based technologies lack a comparable framework.”

>> Continue to page two of this article on our sister site, EE Times: “Designer’s guide to IIoT security.”