The interconnection of industrial devices creates unprecedented cybersecurity challenges
M2M devices had an isolated existence in industrial plants, utilities, hospitals, transportation, and smart buildings. Security from cyber-attacks was not a concern. As M2M devices are increasingly exposed to the larger world of the internet with application programming interfaces, their ubiquity is haunting the IT world with the prospect of pervasive and catastrophic cyber-attacks that will affect sensitive industrial controls and medical devices.
A security breach could cause physical harm as large facilities are subverted.
Unique vulnerabilities in embedded systems
Securing IoT is uniquely challenging. Unlike traditional IT systems, IoT devices often run embedded software tied tightly to the hardware. Updating this software usually means disassembling the device—an intrusive process that risks downtime or damage to interconnected systems.
Some of the most widely used communication protocols, such as Modbus, were never designed with security in mind. And many hardware manufacturers hesitate to disclose vulnerabilities for fear of aiding malware developers—or giving away intellectual property to competitors.
The traditional approach of patching downloadable software simply doesn't apply in the IoT world. Security flaws are harder to fix, and detection mechanisms like authentication and log monitoring—effective for user-driven systems—don't translate well to M2M environments, where machines interact directly with other machines.
Security can't be an afterthought anymore
"M2M is a booming industry, and hardware manufacturers are focused on selling devices, while users are only beginning to realize the importance of third-party security specialists to remotely monitor security."
Spencer Cramer, President and CEO of ei3 Corporation.
Cramer points out that accessing the source code of embedded controllers is often essential to integrate security software effectively. His company has specialized in securing M2M systems for over 15 years, focusing on verticals with established standards. "We've developed over 100 custom drivers to integrate with embedded software in cases where no standards exist," he added.
The economics of cybersecurity in IoT still tilt in the wrong direction:
- Manufacturers have little incentive to address security until a breach occurs
- There's no liability for damages
- No mandatory breach disclosures
- A lack of standards—all of which allow manufacturers to externalize the social costs of poor security
"Early intervention is far more cost-effective," said Andrew Jaquith, CTO and SVP of Cloud Strategy at Silversky. "Companies like Codenomicon already have the technology to detect bugs before products hit the market."
A system-wide strategy is urgently needed
The Internet of Things has unlocked a Pandora's box of cybersecurity threats—complex, pervasive, and capable of real-world consequences. But while the risks are vast, so are the opportunities to address them with foresight and coordination.
What's needed now is a unified, system-wide approach to IoT security—one that includes:
- Proactive device testing
- Clear standards
- Improved collaboration between IT and OT
- The involvement of third-party security experts
The next wave of cyber-attacks isn't a question of if, but when. The time to prepare is now.
This article contains excerpts from Kishore Jethanandani’s article for The Mobility Hub.