Are you prepared to answer your customers' M2M/IoT security questions?

“In the next phase of M2M market development that is moving towards an Internet of Things (IoT) future, security will require a holistic approach and must become a core component of an enterprise’s consideration when using M2M to achieve business objectives”.

When I hold briefings with operators, M2M security and privacy issues come up occasionally. However, when I need to prepare a meeting with other industry customers to talk about the “Internet of Things” phenomenon, I am sure that some of the questions they ask me will relate to security and data privacy. So it is better to be prepared to answer them.

But as security becomes more of a priority, it also becomes more complex. Enterprise customers are very confused about the problem of M2M security; imagine how consumers feel.

Luckily for you, you are now reading this blog, which includes links to some of the best articles, M2M vendors, standards organizations and expert opinions on this key topic for the adoption of machine-to-machine (M2M) technology.

Let's see what analysts, M2M vendors, industry associations, governments and customers are doing around security and safety in the M2M/IoT universe.

Some M2M Analyst opinions

Andrew Rose, a principal analyst at Forrester Research, says that security incidents involving IoT implementations are already occurring. “Most examples are from a lab or test environment, although real examples have occurred, few are willing to assign blame to external attackers due to the concern that may cause.”

Frost & Sullivan considers that “Further Progress In M2M Toward Internet Of Things Requires A Focus On Security Risks”. “Traditional M2M deployments have security solutions embedded within the network, with the integrity of the underlying communications network being boosted by existing network security solutions,” explained Senior Industry Analyst, ICT, Yiru Zhong. “M2M value chain participants – integrated chips manufacturers, SIM card vendors, manufacturers of M2M modules and communication-enabled devices as well as connectivity network providers – have always embedded security solutions within their own products. One of the common comments from these vendors when asked about enterprise adoption of more secure hardware in the lower levels of an M2M network is that current M2M deployments do not actually require a higher level of security. However, in future scenarios, security risks could be magnified or prevalent because of the way M2M applications will be delivered.”

A similar recommendation is provided by ABI Research: “Most M2M applications are lacking the basic security requirements that have been a de facto standard for information and communication technologies elsewhere. If not addressed sooner, this weak link could throttle the successful adoption of M2M in healthcare, industrial installations, and consumer homes.”

Beecham Research – Security in M2M has recently shot up the priority list for enterprise users, as shown in recent surveys conducted by Beecham Research. More information in this blog post: “Security in M2M Solutions: At Any Price?”

Pipeline, “How secure is M2M?” – Although improving the security of both the M2M devices and the communications networks for these applications is crucial, the importance of M2M security will only increase as M2M applications evolve into active infrastructure management.

The ZDNet post “M2M and the Internet of Things: How secure is it?” analyzes the words of representatives from Oracle, NetIQ, Check Point Australia, Palo Alto Networks, and Verizon Business about security challenges. It is clear that the security debate is not only focused on which embedded operating system to use in the devices: it is about security in SIM cards, security in the cloud, security in the M2M protocol, preventing attacks like denial of service (DoS), physical security, the lack of skilled, experienced implementers, and so on. In summary, as Oracle's Michael Counsel said: “We need to see the whole picture before we can really think about whether or not we’ve satisfied the risk requirements of our consumer or the organization of the customers that are using it.”

What the Internet of Things means for security: Bob Violino, a freelance writer who has covered business and information technology for more than 25 years, advises that IT and security executives might want to start thinking about the security aspects of IoT today, even if they have no immediate plans to link objects via the Internet.

Cathal McDaid, a security consultant at AdaptiveMobile, suggests five threat points that need to be understood, with underlying weaknesses addressed for better M2M security.

  • First, M2M connections can go unchecked.
  • Second, the upgrade mentality for security does not apply to M2M.
  • Third, the devices are not always mobile.
  • Fourth, less sophisticated devices need more protection.
  • Finally, the risk, overall, for M2M is more profound.

 M2M Standard Organizations

My first recommendation is that you take a look at Dr. Markus Tauber's presentation “Security Considerations in M2M Communications”, given last month during the ETSI M2M Workshop 2013 event. Dr. Tauber is Project Manager, ICT Security in the Safety & Security Department of the Austrian Institute of Technology (AIT).

Secondly, the Machine-to-Machine Standardization Task Force (MSTF) of the Global Standards Collaboration (GSC), a group of major Standards Development Organizations (SDOs) centered on the International Telecommunication Union, a specialized agency of the United Nations, was created during the GSC-15 meeting in Beijing, China, in September 2010. The GSC MSTF aims to facilitate global coordination and harmonization in the area of M2M standardization by reaching out to a broad range of participants in the field and openly sharing relevant M2M information.

And finally, my last recommendation, if you really have time and are interested in this topic, is to read this IETF draft document: “Security Considerations in the IP-based Internet of Things draft-garcia-core-security-06”. This Internet Draft presents an overview of the security aspects of the envisioned all-IP architecture as well as of the lifecycle of an IoT device, a thing, within this architecture. In particular, the authors review the most pressing aspects and functionalities that are required for a secure all-IP solution.

Security in M2M Industry sectors

Healthcare and security are also two of the vertical sectors mentioned in this news item: http://m2mworldnews.com/2013/11/08/90310-healthcare-and-security-important-enablers-for-m2m-communications-m2m-challenge-looking-for-new-solutions-in-these-areas/#sthash.B6FxjiIG.dpuf that will grow faster in the next 2-3 years, and security and safety are a key component to guarantee end-user adoption in both of them.

The standards deployed today are organized by vertical:

  • Smart Metering: IEC 61850 (consolidation under EC M/441 standardization mandate)
  • Smart Grids: IEC 62351 (extensions under EC M/490 mandate)
  • Electric vehicle to Grid communication: ISO 15118 (developments under EC M/468 mandate)
  • Industrial Control Systems: IEC 62443
  • Clearly, banks and other financial institutions’ data is a bonanza of actionable data for hackers and malicious insiders. Therefore, it is imperative for banks to get their keys under secure management. Read the post “Securing Machine-To-Machine Connections Through Encryption Key Management”.

 M2M Security Layers

As Rémi Demerlé, director of global partnerships for Telenor Connexion, suggests (see more at: http://analysis.telematicsupdate.com/v2x-safety/telematics-m2m-and-end-end-security#sthash.VLmeTbvi.dpuf ), M2M security is usually created in layers:

  • Hardware layer
    • Sensors – Devices – Components – Modules – Modems – Gateways – Servers – Telco Equipment
  • Connectivity Layer
    • SIM card + Networks
  • Highly Reliable Software layer
    • Embedded software – OS – Protocols – Platforms – Terminal application.

Each layer supports some aspect of security, which means there are a number of potential weaknesses including hijacked SMS or corrupt GPRS transmissions.

M2M Hardware Layer

 

  • Sensors – Sensors widely used in the energy industry to monitor industrial processes are vulnerable to attack from 40 miles away using radio transmitters, according to alarming new research. Researchers Lucas Apa and Carlos Mario Penagos of IOActive, a computer security firm, say they’ve found a host of software vulnerabilities in the sensors, which are used to monitor metrics such as temperature and pipeline pressure, that could be fatal if abused by an attacker. Apa and Penagos studied sensors manufactured by three major wireless automation system manufacturers.
  • M2M Routers vendors
  • M2M Gateways vendors
  • SIM cards security – Many M2M devices contain a standard SIM card to enable independent connection. The SIM plays a key role as the central security and access-control entity for establishing network connectivity. SIMalliance members are Eastcompeace, Fundamenture, Gemalto, Giesecke & Devrient, Incard, KONA I, Morpho, Oberthur Technologies, Valid, Watchdata and Wuhan Tianyu. Please visit the website of each SIMalliance member for further information.
  • Telco Equipment

Connectivity Layer

Note: I will write another post to analyze M2M security in the main Telco Operators.

The often high expenses involved in deploying many M2M solutions, together with the low ARPUs for operators offering 2G/3G M2M connectivity, are sometimes used as an excuse to avoid discussing security as openly as other M2M requirements. Other analysts, like Kathryn Weldon, Principal Analyst for Enterprise Mobility at Current Analysis, have the same opinion (“Are M2M Communications Secure?”).

In the Gemalto presentation “Security in Machine-to-Machine Communication: The role of the Telecommunication Operator”, Francois Ennesser presents good examples of M2M attacks and recommends that telecommunication operators take advantage of their privileged position in the M2M value chain to assist M2M customers in securing their M2M applications.

AdaptiveMobile Machine to Machine Security: the company recommends that MNOs seek to work with security providers that can deliver a range of targeted defenses and controls against specific M2M threats. Applying a ‘one-size-fits-all’ approach does not work within M2M. The AdaptiveMobile Network+ Protection Platform provides carriers with a fully featured M2M security platform, with multi-tenancy access for enterprises to set up, administer and monitor their own M2M applications and devices.

 Highly Reliable M2M Software Layer

Software Embedded

  • Microsoft Windows Embedded – Microsoft provides one trusted platform to gather, store and process your organization’s data—from devices on the edge of your network, to developer tools, back-end systems and services. This solution portfolio allows your enterprise to drive a new level of business intelligence.
  • Linux – The Mihini project delivers an embedded runtime running on top of Linux, that exposes a high-level Lua API for building Machine-to-Machine applications.
  • Wind River – Wind River® offers a complete software development environment for customers to jump-start their next-generation connected device development. The company provides powerful and customizable security capabilities for protecting devices and data. Learn more about this issue and how Wind River can help.
  • Oracle – Only Oracle delivers a comprehensive platform for the entire M2M architecture. From the Java platform to embedded data-management systems, from back-end database, big data technologies, middleware and analytics technologies to extreme performance hardware that turns data into insight, Oracle is the only company that delivers an integrated, reliable, and secure platform to meet your IoT and M2M needs today and into the future.
  • Mesh Systems – The MeshVista® cloud-based M2M platform is a best-in-class, standards based, field-proven suite of hardware, firmware, middleware, and application software on which customized, OEM customer applications are built and deployed. All M2M solutions delivered by Mesh Systems use this feature-rich, IP-based platform and customers value its reliable, scalable and secure architecture. Its device to cloud architecture enables OEMs to connect, monitor, manage and control remote devices cost-effectively and in real time. This third generation cloud-based M2M platform is provided on a Platform-as-a-Service basis to OEM customers using the Microsoft cloud.
  • M2Mi –  M2Mi uniquely offers M2M Automation and M2M Cyber Security solutions which together form the essential platform for the M2M and IoT economy.
  • MerlinCryption  – Delivering The Smart-World’s Smart-Encryption® solution to companies that need a security component, MerlinCryption helps M2M partners solve challenges and create new opportunities. By embedding encryption technology into their solution, partners provide their customers a complete integrated offering with flexible and compliant iron-clad security.

M2M Cloud Vendors – Private and Public Cloud

Note: I will write another post to analyze M2M Cloud that will include security.

 M2M application service providers

ABI Research's Competitive Assessment ranks eight M2M application service providers in terms of the security aspects of their M2M software platform. The vendors assessed are: ABO Data, Numerex, Gemalto, ILS Technology, Axeda, Sierra Wireless, Giesecke & Devrient, and Novatel Wireless. The vendors were assessed against a total of eight different criteria: four in Implementation (market share, global footprint, vertical markets, and partners) and four in Innovation (application security, network security, connectivity, and product and strategy development). MNOs were excluded from this report, and hardware modules and terminals were not taken into account in this Competitive Assessment; only software platforms were considered.

  • ABO Data – All our applications are based on Plat-One® Service Delivery Platform, a rich set of M2M oriented services bundled together into a structured, elastically scalable, distributed, cloud-ready architecture.
  • Axeda – ranked first in the Implementation category
  • Gemalto – A working partnership to advance M2M technology.
  • Giesecke & Devrient GmbH – G&D covers the whole M2M value chain.
  • ILS Technology – A Telit company; it was the overall winner of the ABI Research ranking.
  • Novatel Wireless –  M2M modules – Industry leading performance low-power modules
  • Numerex Corporation –  M2M platform environment is characterized by a high level of elasticity, scalability and reliability
  • Sierra Wireless –  In order to help you tackle  potential threats, Sierra Wireless proposes the Security library for Open AT.

M2M Platforms

Machina Research published a white paper on platforms a few months ago that included a list of criteria on which they should be compared: https://machinaresearch.com/news/white-paper-m2m-platforms-are-re-cast-for-the-age-of-the-internet-of-things/. You can contact them for their expert opinion on where each platform actually fits and how good it is in security.

 Data – Big data, big privacy issues

Note: I will write another post to analyze M2M Big Data  that will include security.

By reading the report and surveys from The Economist Intelligence Unit, “THE INTERNET OF THINGS BUSINESS INDEX: A quiet revolution”, you will understand that data are a fundamental component of the IoT’s future. Fitting sensors to a potentially infinite number of “things” will generate untold amounts of new information. The challenge of ensuring data protection and privacy also looms large. The survey respondents are alert to concerns about data privacy: three in five respondents (60%) agree that lack of trust and concerns about data privacy are hampering consumer uptake of the IoT.

Summary

M2M communication applications and scenarios will continue growing and lead the way to new use and business cases. Due to the nature of M2M scenarios, new security threats will emerge, so the whole M2M ecosystem needs to place special emphasis on addressing new security requirements.

Advanced concepts of security must be considered to make sure no breach in software, hardware, communication or physical security jeopardizes the acceptance of M2M/IoT applications by enterprises and consumers.

We know that finding or developing the perfect concepts for absolute M2M security protection and privacy is probably not feasible, but we need to convince every customer in every industry to have a very strong business case with security requirements to adopt M2M technologies for their business.

Once enterprises and people perceive the benefit and have found a balance between the cost of the safe use of M2M technology and the inherent risk, they will not worry so much about the risks.

For additional information please contact: francisco.maroto@oies.es

