Securing IoT: The unique challenge of Machine-to-Machine communication
The Internet of Things (IoT) provides a variety of benefits for businesses and consumers alike; however, it is also creating new security challenges. Many IoT devices have poor security, so the spread of the technology has created new vulnerabilities for criminals to exploit. Machine-to-Machine (M2M) IoT presents a distinct challenge: networked machines give hackers the opportunity to interfere with the physical world, which means they pose a risk to physical infrastructure and, potentially, to human health and safety.
What is the Internet of Things?
The Internet of Things is a network of devices that interface with the world as sensors (which take an input) and actuators (which produce an output). Smart speakers such as Amazon Echo and Google Home are considered part of the IoT because they need the internet to process and execute user requests—IoT devices either send information to be processed somewhere else in order to work, or can be accessed and manipulated remotely.
The early Internet of Things had limited function and scope. When the term was coined in 1999, it only described networked RFID tags; the industry’s rapid expansion began as the emergence of faster mobile networks (4G) allowed devices to transmit more complex data at speed. By 2010, executives at Ericsson and Cisco projected that 50 billion IoT devices would be installed by 2020, forecasts that set new expectations for the industry and fueled further growth.
Although that ambitious projection was inaccurate, the adoption of IoT has still increased rapidly since 2010.
Motivated by the increased productivity and competitive advantages that IoT provides, corporations have invested large sums into creating connected devices for consumers and enterprises alike. Gartner forecasts that the internet will host approximately 14 billion devices by 2019 year-end, rising by more than 75% over the following two years to reach 25 billion by 2021.
What are the security risks facing the Internet of Things?
The rise of IoT has increased global cyber security risks significantly. In their rush to get their IoT-enabled products to market, many companies have failed to implement even basic security protections. Many of these products cannot receive security updates, which means their security is irreparably broken, and they will create vulnerabilities in any network they are attached to.
As the number of devices connected to networks increases, so does the number of avenues for hackers to exploit. Research conducted by Hewlett Packard in 2014 found an average of 25 vulnerabilities per device studied, and the company estimated that approximately 70% of IoT devices are vulnerable to attack. Because a compromised device can provide access to the rest of the network it is attached to, it is difficult to overemphasize the risks these vulnerabilities create.
In addition to being used to access networks, compromised devices can also be hijacked and used to conduct further cyber attacks. In 2016, millions of people on the US East Coast temporarily lost access to the internet after Dyn, an internet service provider, was attacked by Mirai—a botnet of 15 million hijacked devices. With so many devices under the attackers’ control, the attack didn’t need a security flaw and succeeded based on brute force alone.
In light of these problems, cyber security experts have characterized IoT as a systemic threat. In 2016 testimony to the US Senate, then-Director of National Intelligence James Clapper characterized IoT vulnerabilities as the greatest security threat facing the US. Echoing this view, a 2019 Australian government media release described IoT as providing “a way to circumvent traditional security controls [potentially affecting] overall network integrity”.
In testimony to the U.S. Congress, Bruce Schneier of IBM and Harvard stated that the rise of the Internet of Things will increase the power of cybercriminals. Recognising that a cyber attack could cause catastrophic damage to network infrastructure, corporations such as Microsoft have called on governments to regulate the industry in order to enforce minimum security standards.
Machine-to-Machine (M2M) communication systems are one of the most vulnerable parts of the IoT ecosystem. Communication between connected machines typically occurs with little human oversight, which means any abnormalities in network behaviour are likely to go unobserved. Moreover, because machines affect the physical world, compromised M2M may pose a risk to physical safety and infrastructure.
What is Machine-to-Machine communication?
M2M systems are a subdomain of the IoT ecosystem and involve communication between two or more machines, a machine and a sensor, or a machine and a control device. M2M technology allows industrial machines to exchange information with other machines without the need for a human intermediary and, as a result, has significantly increased industrial productivity by advancing industrial automation.
M2M communication may also be used to power consumer products such as washing machines, medical devices, and other mechanical devices that would benefit from increased automation or remote access and control options.
M2M communication forms the backbone of the Industrial Internet of Things (IIoT)—the networking of the controls, machines and sensors that are embedded within industrial environments. The productivity advantages provided by IIoT are significant enough that they have been positioned as the vanguard of the 4th industrial revolution—a belief advocated by the German government, which has invested heavily in M2M through its “Industry 4.0” initiative.
Industrial adoption of M2M is occurring fast. The technology has become a ubiquitous part of modern industrial control systems, which provide core operational control of manufacturing, power generation and delivery, water management, and other industrial systems. As these systems are all vital elements of manufacturing and utility infrastructure, a successful cyber-attack on them could cause significant negative consequences.
What are the risks involving M2M communication?
Because they affect physical operations, the risks associated with compromised M2M networks deserve particular attention. A breached healthcare device could result in a direct threat to the health of its user. Moreover, the disruption of industrial M2M systems could cripple private or public infrastructure whose function is important to the economy or to public health and safety.
The task of securing M2M technology comes with unique challenges. Because M2M communication is typically used to facilitate automated functions that occur with little to no human oversight, it is hard to monitor for abnormalities. Further, M2M networks often include older machines that were never intended to be connected to the internet and that usually lack network security features entirely.
Traditional industrial plants divided their technical responsibilities into IT (information technology), which encompassed business and administrative operations, and OT (operational technology), which encompassed the plant’s industrial operations. The rise of IIoT has eliminated this divide; cyber security professionals are now charged with securing increasingly complex OT networks and the unique challenges that come with them.
As their compromise could have profound effects on economic or public infrastructure, M2M systems provide cyber security professionals with a specialised set of responsibilities. These include understanding the unique risks of a potential compromise, knowing how to monitor automated communication, and being able to mitigate the vulnerabilities which permeate contemporary IoT. Because the risks associated with a compromise are so great, there is a high demand for professionals with the skills to safeguard M2M systems.
ECU’s cyber security courses offer the training necessary to work in the fast-evolving field of IoT and M2M security (such as via the masters in cyber security program). Demand for M2M cyber security talent will be strong for the foreseeable future—global spending on IoT security is projected to quadruple from US $1.5 billion in 2018 to $6 billion by 2023. Featuring affordable costs and a flexible schedule, ECU Online’s Master of Cyber Security is an attractive option for anyone interested in a career safeguarding Australia’s vital economic and public infrastructure.