At our M2M Waveguide Events that toured Montreal, Ottawa, Toronto and Calgary in October, one question surfaced in every city – yep “What about security when we start connecting everything to the enterprise?”… To which our industry partners represented by – Niclas Andersson, Director with the Deutsche Telekom M2M Competence Center, Eric Simmons, General Manager M2M with Rogers and Larry Zibrik, Vice President, Market Development with Sierra Wireless emphasized that weaknesses are mostly at the end points and not the cellular air-link AND that the level of security required is commensurate with what you are trying to protect. Clearly, you don’t need much security to protect sensor data reporting the water temperature of a coffee pot or the internal temperature of a cow – taking from a couple of real world examples. Yes, really!
Wavefront then facilitated an M2M Security Round Table mid November where we brought together operators of major infrastructures – BC Hydro SmartGrid and Port of Vancouver with industry vendor experts, Wurldtech, Elliptic Technologies, Sierra Wireless as well as BCIT to surface the issue, needs, approaches and some very telling stories to shed light on what I’ve dubbed – The InSecurity of Everything.
Here are some interesting and telling points from our M2M Security Round Table
- Connecting all sensors – traditionally SCADA type devices with vulnerabilities – to the internet is giving an IP address to things that use to be secure because you could not access the wires that connected them – this is bringing cyber security concerns into the enterprise causing physical security to merge with cyber security in all organizations.
- There are now statistics that show the level and frequency of attacks is on the rise but no one likes to talk about how they got hacked as it is damaging to reputation.
- The business case for a Security Development Life Cycle or SDLC is generally based on maintaining operations and creating a need for “future-proofing security”. The easiest way to stop a power generating facility for example, is to change the set point on an emissions sensor and the plant will shut itself down.
- The business case for security around any major port is pretty simple in that most countries simply can’t afford to have a major port shut down
- The weakest link is often at the endpoints: In early SmartMeter deployments, the optical ports on the meters – originally included to allow manual firmware upgrades – were compromised when businesses started up offering to reduce your electrical bill for a small onetime fee – a side channel attach. The proliferation of all sorts of low cost connected widgets that operate on any number of various basic Linux operating systems have lots of back doors left wide open – our kids know how to take over these things.
- Security elements are often included in systems design but the associated costs result in these measures being removed through the procurement processes that consider only the “cost now” and not “the total cost of ownership” – productivity loss that results from poor security practises is substantial.
- Many hardware end points have the ability to support firmware upgrades after deployment, it is surprising the number of devices that never get updated – leaving back doors wide open.
- People often know what they need to do but they don’t always do it.
- The rate of threat attempts is increasing and most are unintentional so you need to think about being at risk even if you don’t think you are a target.
- On distributed denial of service (D-DOS) attacks, these are often a bunch of kids with nothing better do.
- A few D-DOS algorithms that can get into your IP camera can bring down your internal network by pinging your connected coffee pot or photo copier.
- Not all threats come knocking on your hardened front door firewall but get in via a trusted employee who connects their BYOD to your network – behind your firewall.
Next, our Round Table focused on identifying a set of common themes on what could be done next to progress the world forward, concluding that building a broader general awareness and broader discussion of the need for Security Development Lifecycles – SDLC – inside organizations would both help and be doable: hence this blog, a whitepaper to follow and this subject will surface again in a panel discussion at the Wavefront Wireless Summits in February.
Do what you know needs to be done – just don’t stop doing.