What are the realities of M2M Security?
Machine to Machine (M2M) and Internet of Things (IoT) systems seem to be at the peak of the hype. Massively deployed M2M systems are promoted as the next “big thing” for the telecommunication world. At the same time, endemic security issues in the industry are raising concerns about the risk M2M imposes on our LTE deployments. This risk might threaten the vision of an expansive M2M deployment. What are the realities of the M2M security risk? Here are three things that would help clarify the real risk.
First, be mindful that we’ve been living in the “connected world” of M2M since around 1994. Once the internet model emerged as the dominant force in telecommunications, innovators found ways to interconnect machines to the benefit of their endeavors. People think of Nest thermostats as something new, but MIT had every thermostat wired in the late 90s. People think of the connected car as new, but OnStar was deployed and running in 1996. Moore’s law has continued to push the computational power/size factors to where today the “machines” are flexible, wearable and will soon draw power from the environment. What has changed is the cost, size, and connectivity. 3G and 4G deployments are allowing for new M2M deployments that were not possible before. The M2M security risks in the late ’90s are no different from the risk today. Cyber-criminals will and do break into M2M devices and use them for their criminal activities. The M2M “security risk” is not a new risk, just one that has evolved with the mass deployment of M2M.
Second, recognize that cyber-criminal forces have no real deterrence. The threat of criminal abuse of M2M systems is real. But the people who break into M2M systems, when caught, cannot be legally prosecuted. All cyber-crime is international. Cyber-criminals build “criminal clouds” out of violated equipment, launch their crimes, and face no consequences. The “white hat” community will find these “criminal clouds,” tear them down, blog about them, use them to sell more “security products,” and then look for the next one. In the meantime, the cyber-criminal takes a break, learns from their mistakes, builds better tools, and then builds a better “criminal cloud.” As more M2M devices get deployed, the threat from the criminals to violate and use these devices for their criminal activities is real and just a matter of time. This is a dysfunctional economic cycle which increases the cost of business. But there are no easy answers. Organizations with M2M deployments need to put security as a top priority. Security professionals need to track down and dismantle criminal clouds and malware systems. This means that creating totally safe systems is never going to happen.
Finally, plan on one to two M2M system criminal “security incidents” for each calendar year. Yes, plan for the security break-ins. Expect them to happen. Given the threat vector, organizations that plan on effective M2M deployments need to stop thinking they can stop the criminal violation. There are tools to make the system more resilient, but there are no tools to make the system absolutely “secure.” Planning for a security break-in has two principal factors. First, the organization’s team needs to have a process to detect and react to the security violation. Proactive planning is critical. Second, have the tools ready to reset, patch, flatten, and rebuild the entire M2M deployment. Traditional vulnerability patch management does not work when managing tens of thousands of M2M elements. The lessons learned in big virtual and cloud deployments are directly applicable to massive M2M deployments.
What should a telco do to be ready for the security risk of M2M?
First, don’t avoid M2M and the IoT. Dive in full speed with profitable business models. Security issues are factors that need to be a priority with the design, but should not be a barrier to profitable deployment. As mentioned, the movement towards M2M and IoT is not new. Telecommunications companies should leverage their network investment to facilitate and benefit M2M deployments.
Second, have a healthy security relationship with your vendors. Companies building M2M need to think of security as an integral part of their solution. This checklist is a tool that can validate whether the M2M vendor has the “security clue” that will allow for a successful deployment. “Success” in this context is an M2M solution that can survive two to three break-ins a year.
Third, build an M2M system that can be flattened and re-built in a pervasive network that can be compartmentalized. In the cloud and virtualized world, flattening a system is where you delete everything down to the base microcode, load new updated operating systems, and then deploy the configuration. This approach allows for rapid and scalable upgrade through the entire virtualized infrastructure. This same approach can be used on thousands of small systems in a massive M2M deployment.
M2M and IoT are realities of our network today. The pervasive security issues are critical but manageable. Don’t wait.
Submitted by Barry Raveedran Greene