What is the danger of taking M2M communications to the Internet of Things?

May 19, 2015
An international panel of IoT experts identify the big cybersecurity threats.

Machine data can be turned into actionable information that leads to better business decisions. And sometimes that doesn’t even need to involve humans. Equipment has the ability to talk to each other and share information that creates a higher collective intelligence. But sharing data also leaves a network open to outside forces and often vulnerable, if the right measures and defenses aren’t put into place.

The Internet of Things (IoT) and machine-to-machine (M2M) communications are the same, and yet different, because IoT takes M2M on the Internet. One thing is for sure: It transcends governmental boundaries. Equipment can be anywhere in the world and still be part of the conversation.

This group of heavy hitters in the IoT domain offer an international take on M2M communications and what the future holds. Learn more about IoT and what it means to manufacturing at Smart Industry.

Click here to meet the panel of experts

Question: What is the biggest threat to industrial cybersecurity around the world?

Dwayne Dixon: Awareness or better yet, lack of awareness, of the vulnerability of certain systems. For an extreme example think of the Stuxnet worm that was designed to attack industrial PLCs and was used to sabotage Iranian nuclear centrifuges. There are numerous ICS and SCADA systems that sit outside traditional security walls, and they are exposed in ways as simple as poor password discipline or inadequate password storage and encryption. As the Internet of Things gains traction and smart grid technology comes into play, more connected systems, and centralized control of these systems, will lead to a higher frequency of attacks, as well as more sophisticated attacks.

Vihang Sapale: In the coming year, machines will be equipped with Internet connectivity and will have decision-making capabilities with neural intelligence. Cyber threats generated by these machines will be difficult to locate, and the life span of such threats may be short. But damages due to the threat would require a long time for healing.

Francisco Maroto: We think the biggest threat is a cyber attack against critical infrastructure, such as energy, water, communications or critical assets in industrial companies. And many governments and enterprises spend millions of U.S. dollars in protecting these critical assets, but the biggest threat is negligence in implementing security policies at all times, not just when we hear about a threat, and neglecting the defense of other devices and computers used for non-critical processes.

Martin Harnevie: There are many categories of threats both to businesses and consumers. The biggest threat among those categories will likely vary over time, depending on relative growth in market verticals and technological developments. This is determined by the potential gains of an attack in relation to the difficulty in being successful. A high growth sector would typically attract more attacks than a stagnant and mature one, simply because the specific cybersecurity required for a new sector will lag behind.

IoT is a very fast-moving market. Since secure design, both hardware and code, is a complex and tedious process; the pressure on companies to get new things to market might increasingly lead to compromises in security. In the consumer markets, the biggest threats today are password attacks and spoofing attacks. In both cases, vulnerabilities of the consumers themselves are often exploited. These types of attacks might have objectives such as gaining access to the security systems or gaining access to financial facilities or theft of private information. While identifying theft-related security issues cannot be ignored, the main concerns are related to sniffing and eavesdropping, data modification attacks and denial-of-service attacks. Across all types of applications, in a rapidly expanding market, with increasing openness and sharing of data, with a dramatically increasing number and types of devices connected, there is also the lingering concern that the biggest threats of all might be the unknown.

Samuel Bucholtz: I would say poor or lax security practices are the biggest threat. Industrial control systems are largely outdated systems with limited security, making them extremely vulnerable to attack once a network perimeter has been breached. Critical-infrastructure industries have overlooked this threat and delayed effective remediation for decades. As soon as operators began connecting these systems to the Internet, they were vulnerable; but in years past the total number of threat actors and active attacks was much lower. This is no longer the case.

State-sponsored actors certainly pose the most significant threat to industrial facilities worldwide, particularly in the United States, given the more widespread use of SCADA systems and the higher percentage of Internet connectivity. For instance, in the recent Dell Security report it ranked the United States No. 3 in the world in terms of total attacks on SCADA networks. But state-sponsored groups are most likely to target critical infrastructure or industries that can result in significant economic damages. The gravest threat common to just about every industry is destructive malware. Whether it's a Stuxnet-like piece of malware that can override legitimate processes on equipment to cause physical damage, or Shamoon-like wiper malware that can erase data and brick computers and equipment, or even ransomware, which locks up data and machines with complex encryption, this type of attack poses the most dangerous threat to facilities over the next several years.

Anand Gijare: Organized cyber crime is coming as the biggest threat to the world. As industries are moving to accept IIoT and putting sensitive data online to ease global access, there is an increase in organized cyber-attack syndicates who hire professionals and graduates to hack the data. It has been transformed from a garage-based or basement-based hacker mentality into a sophisticated business that is equipped with a multitude of tools and technologies. New advancements in data storage such as cloud, data transmission through software-defined networking and facility access to data on mobile devices have expanded the span of victimizing any company, whether small or large, at the same cost.

Jonathan Pollet: Nation-grade malware is a big threat. Industrial facilities simply aren’t prepared for it. This malware could be of any number of varieties from cyber-espionage to sabotage-oriented. Stuxnet, Flame and Shamoon are all good examples of the capabilities that are out there. However, nation-states aren’t the only threat. Organized crime and “hacktivists” are growing much stronger and sophisticated. The problem with cybersecurity is that high-grade malware eventually trickles down to lower-level operators.

What may have originally been developed by a state is caught by a security firm eventually and analyzed, and the samples travel into the research community and from there go into the “Dark Web,” where they’re accessed and utilized by cybercriminals and hacktivists. With nation-states, there is a greater degree of destructive potential and overall danger, but at the same time there is likely to be more restraint. With cyber criminals, the motive is limited to money, which makes the operations more limited. With hacktivists, there’s no real external control, no clear or consistent motivation and often no ability for the attacked to negotiate. Nation-grade malware in the hands of a hacktivist is probably the worst case scenario for any industrial facility.

Peter Waher: The biggest threat to industrial cybersecurity is the lack of understanding of Internet protocols, or the Internet as a medium by decision makers and traditional manufacturers of industrial automation systems and services. Lack of knowledge allows decision makers to buy and install systems with huge security issues from well-known providers without being able to judge if they are secure or not. At the same time, the manufacturers might be completely unaware that their traditional M2M solutions, which might never have had problems before, have enormous security holes in an IoT setting.

When traditional M2M solutions transmit to the IoT, such security issues are often uncovered when legacy protocols, legacy architectures or legacy patterns are reutilized on the Internet. The simplest way to make a traditional M2M solution an IoT solution is simply to use the Internet as a medium of message transport. But since such solutions were normally designed to run in closed and monitored environments, they often use proprietary protocols or protocols otherwise lacking in security features necessary for safe use on the Internet. The solution is often the short-term solution of encrypting communication and sealing off the solution to outside parties. But this is not really a good solution for IoT and often only provides an illusion of security.

First of all, the most common encryption method is TLS, and it only encrypts the transfer of data between nodes on the network; it does not include end-to-end encryption, which would secure the data. Secondly, if this is not done well, which it often is not, it leaves important security holes that knowledgeable people can exploit, while at the same time creating a false conviction that the solution is secured. If done well, on the other hand, it still leaves important components vulnerable, since the architecture is flawed. Instead of solving the problem it only transfers the responsibility of the security of the system from the manufacturers to the operators, who might not be well-equipped to handle such a responsibility.

By closing off the M2M solution, you further eliminate two of the cornerstones of the Internet: openness and interoperability. The difference between a traditional M2M solution and an open interoperable IoT solution is that you envision simple and seamless integration between systems and services on the Internet. Such requirements will often demand operators of closed and sealed M2M systems to open up access to the systems to third parties and manually configure the system accordingly, which often requires considerable amounts of time and expertise to do it right. Even if the original system is set up in a secure fashion, each such manual reconfiguration may uncover even more security issues, because the operators do not understand the details of the system and make false assumptions. By simply encrypting legacy M2M communication, you create an instable IoT architecture, where small errors made by well-meaning operators create large security issues for the entire system.

To create a stable, secure and interoperable architecture for the IoT, a completely new approach has to be made. While encryption might be necessary in some cases, it is not sufficient. And, in some cases, it might not even be needed. Encryption is not the solution to security for an interoperable IoT solution. New communication paradigms, communication patterns and architectures have been used for the IoT, in order to create stable systems for the IoT that are both secure and interoperable. I’ve described such patterns and architectures in more detail in “Learning Internet of Things”.

Read all panelist bios here.

Main image courtesy of jscreationzs at FreeDigitalPhotos.net 

About the Author

Mike Bacidore | Editor in Chief

Mike Bacidore is chief editor of Control Design and has been an integral part of the Endeavor Business Media editorial team since 2007. Previously, he was editorial director at Hughes Communications and a portfolio manager of the human resources and labor law areas at Wolters Kluwer. Bacidore holds a BA from the University of Illinois and an MBA from Lake Forest Graduate School of Management. He is an award-winning columnist, earning multiple regional and national awards from the American Society of Business Publication Editors. He may be reached at [email protected]