M2M devices had an isolated existence in industrial plants, utilities, hospitals, transportation, and smart buildings. Security from cyber-attacks was not a concern. As M2M devices are increasingly exposed to the larger world of the Internet with application programming interfaces, their ubiquity is haunting the IT world with the prospect of pervasive and catastrophic cyber-attacks that will affect sensitive industrial controls and medical devices. A security breach could cause physical harm as large facilities are subverted.
The protection of the Internet of Things is fraught with unique challenges, especially because the software is embedded in the hardware device and is wrapped up with the core of the intellectual property. It’s often not possible to patch and update embedded software remotely and continuously to keep it safe without disassembling the hardware — at the risk of downtime and damage to the interconnected software. Some protocols, such as Modbus, are not designed to secure against intrusions. Hardware manufacturers are wary of revealing the vulnerabilities of the software, lest the information leak to malware developers or the source code find its way to competitors.
The paradigm that guided the security management of the Internet of devices using downloadable software is riven with holes that are hard to repair with known methods. Authentication plays a key role when humans use devices. By contrast, M2M devices are controlled by another device. Similarly, the monitoring of log files and events is an important source of information for detecting anomalies that point to intrusion, but it is not known to work well with the Internet of Things.
“M2M is a booming industry, and hardware manufacturers are focused on selling devices, while users are only beginning to realize the importance of third-party security specialists to remotely monitor security,” Spencer Cramer, President and CEO of Ei3 Corp. in New York told us. “Access to the source code of the embedded device controllers is needed to integrate with security software.”
His company has been in the business of securing M2M devices for the last fifteen years. It specializes in the few verticals that are already governed by standards. “We have developed a hundred custom drivers to integrate with the embedded software where standards are not used,” he said.
“Economic disincentives dissuade hardware manufacturers from taking preventive measures before security risks snowball into disasters,” Andrew Jaquith, chief technology officer and senior vice president of Cloud Strategy at Silversky, said in an interview. “Liability against damages, the absence of compulsion to disclose security breaches, and the lack of standards are some of the ways the social costs are not internalized by manufacturers. Bugs are much cheaper to fix in the early stages, and companies like Codenomicon have the technology to test for their presence,” he said.
The Internet of Things has opened a Pandora’s box of new challenges in Internet security. A new, system-wide strategy is needed to cope. The widespread ramifications of this new world of security threats need to be grasped quickly before a likely tsunami of cyber-threats has cataclysmic effects.