Right-Sizing M2M Security: The Best Security is Security Tailored to Your Application



Similar documents
WHITE PAPER Security in M2M Communication What is secure enough?

The Key to Secure Online Financial Transactions

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

Optimizing Energy Operations with Machine-to-Machine Communications

OT PRODUCTS AND SOLUTIONS MACHINE TO MACHINE

What is Really Needed to Secure the Internet of Things?

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

How To Protect Your Network From Attack From A Network Security Threat

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Injazat s Managed Services Portfolio

Unlock the Potential of Smart Water Metering with Cellular Communications

Security Issues with Integrated Smart Buildings

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Easily Connect, Control, Manage, and Monitor All of Your Devices with Nivis Cloud NOC

Potential Targets - Field Devices

Increasing M2M device intelligence drive fast decisions and help new business

Security Threats on National Defense ICT based on IoT

RSA SecurID Two-factor Authentication

The Importance of Secure Elements in M2M Deployments: An Introduction

Brainloop Cloud Security

Securing Virtual Desktop Infrastructures with Strong Authentication

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Secure Authentication for the Development of Mobile Internet Services Critical Considerations

The Internet of ANYthing

Requirements When Considering a Next- Generation Firewall

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz , ICSG 2014

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.

Cellular Wireless technology: Creating a link between people and the healthcare community

future data and infrastructure

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Application Security in the Software Development Lifecycle

Securing Corporate on Personal Mobile Devices

THE RTOS AS THE ENGINE POWERING THE INTERNET OF THINGS

Managed Security Services for Data

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Payment Card Industry Data Security Standard

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Document ID. Cyber security for substation automation products and systems

How To Protect Your Cloud From Attack

Connect and Protect: The Importance Of Security And Identity Access Management For Connected Devices

BYOzzzz: Focusing on the Unsolved Challenges of Mobility, An Industry Perspective

Data Protection Act Guidance on the use of cloud computing

Ensuring the security of your mobile business intelligence

Unified Threat Management, Managed Security, and the Cloud Services Model

Maintain Fleet Management Solutions Using Wide Area Wireless Technology

Cellular Communications and the Future of Smart Metering

Readiness Assessments: Vital to Secure Mobility

Teradata and Protegrity High-Value Protection for High-Value Data

Security Solution Architecture for VDI

Securing Virtual Applications and Servers

Cisco Integrated Video Surveillance Solution: Expand the Capabilities and Value of Physical Security Investments

TENDER NOTICE No. UGVCL/SP/III/608/GPRS Modem Page 1 of 6. TECHNICAL SPECIFICATION OF GPRS based MODEM PART 4

The Gateway to a Better Vehicle Area Network. Key considerations when evaluating laptops as communications hubs for in-vehicle communications

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Securing the Service Desk in the Cloud

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Security. CLOUD VIDEO CONFERENCING AND CALLING Whitepaper. October Page 1 of 9

Cisco Advanced Services for Network Security

Securing mobile devices in the business environment

Chapter 1: Introduction

Ovation Security Center Data Sheet

Automotive Ethernet Security Testing. Alon Regev and Abhijit Lahiri

AMI security considerations

Solving the Online File-Sharing Problem Replacing Rogue Tools with the Right Tools

Security Issues In Cloud Computing and Countermeasures

Building A Secure Microsoft Exchange Continuity Appliance

SECURITY IN THE INTERNET OF THINGS

Symphony Plus Cyber security for the power and water industries

Protecting Your Organisation from Targeted Cyber Intrusion

Ovation Security Center Data Sheet

Keystroke Encryption Technology Explained

A brief on Two-Factor Authentication

Enterprise Data Protection

The Next Generation of Security Leaders

Managed Services. Business Intelligence Solutions

Enterprise Computing Solutions

Guiding principles for security in a networked society

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Remote Access Securing Your Employees Out of the Office

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

Introduction to Cyber Security / Information Security

3 Marketing Security Risks. How to combat the threats to the security of your Marketing Database

SECURITY IN THE INTERNET OF THINGS

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform

Strong Authentication for Secure VPN Access

Cyber Security: Beginners Guide to Firewalls

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

SafeNet Data Encryption and Control. Securing data over its lifecycle, wherever it resides from the data center to endpoints and into the cloud

SafeNet Data Encryption and Control. Securing data over its lifecycle, wherever it resides from the data center to endpoints and into the cloud

HP Security Solutions for Microsoft

Transcription:

Right-Sizing M2M Security: The Best Security is Security Tailored to Your Application

Introduction Security continues to be a hot topic in all areas of technology, including machine-tomachine (M2M) applications. Today, most analysts agree that the security risk is relatively low, chiefly because M2M is still a growing technology and has not yet reached the kind of critical mass that would attract significant attention of hackers. But M2M is growing very quickly. Cisco estimates that there will be 25 billion connected devices by 2015 and 50 billion by 2020 1, so this will likely change in the near future. As concluded in a September 2012 GigaOM Pro report on the subject, As the volume of M2M devices and associated data increases, so too will the probability of hackers and malware writers targeting these systems to exploit networks, steal data, hijack systems, and compromise workflows. The report even details a number of scenarios researchers are studying that represent potential avenues of attack, from wirelessly transmitted computer viruses infecting onboard systems of vehicles, to man-in-the-middle attacks between wireless endpoints to intercept and manipulate data. These and other examples do represent a potential threat, at least at some point in the future. The question is what should enterprises using M2M and OEMs developing M2M solutions be doing right now to protect their applications? The obvious answer may seem to be everything they can. In practice, however, the goal for an M2M application should not be to provide the most security. It should be to provide the right level of security for that specific device and application. This is because the question How secure should this application be? is a more complicated question than it may appear. The phrase M2M application encompasses a full ecosystem that extends beyond the device itself, including the cellular network, the Machine Subscription The future M2M world will be one of automated devices operating in the background, where systems will transparently collect, process, share, and aggregate huge volumes of information about devices, individuals, and businesses. The data alone is a tempting target, but so too are the devices and networks to which M2M systems attach. While there s little evidence of M2M hacker attacks, data theft, or malware infections, the increasing volume of data and devices in use will eventually make M2M systems as much of a target as mobile devices, networks, websites, and PCs are today. Lawrence M. Walsh, GigaOM Pro 1. http://share.cisco.com/internet-of-things.html 2

Identification Module (SIM), the M2M cloud management platform, and the back-end enterprise application, all of which have unique security capabilities and considerations. Even on the M2M device itself though, security is not straightforward. Unlike a PC or mobile phone, most M2M devices don t have a full operating system to support advanced antivirus or antimalware software, nor enough processing power to run such software if they did. Indeed, even full-scale encryption mechanisms can represent too great a burden for the microprocessors and available bandwidth in many deployed M2M devices. Is the answer then to build every M2M device every connected sensor in every car, truck, toll station, appliance, industrial equipment, utility meter, etc. with a full operating system and high-powered chipset? Is such a scenario justifiable, even if it were economically feasible? The answer to all these questions is a definitive no. Rather, the smartest M2M security is security that is tailored for the specific application. To do this, one needs to understand three essential truths about security: First, some level of security is always necessary. No enterprise would deploy a system that afforded free reign for attackers, and no legitimate M2M vendor in the marketplace today would build one. Second, no system can ever be 100 percent secure. Security is less a goal to be achieved than a calculation of the time and resources necessary to crack a system. No hacker would spend more time and resources breaking a system s security than the value of what that security is protecting. Put another way, it doesn t make sense to install a $1 million security system to protect a $100,000 house. A banking application therefore requires much more security than a simple power monitoring application for a consumer home. Additionally, no system will be secure forever. Security must align with the expected lifetime of the solution. It should be secure enough for the threats faced today, but upgradable to defend against future threats. Third, security always means constraints. The more security a system employs, the higher the costs to build and operate it, the more usability will suffer and the more restricted it will be in the features it can support. Ultimately, too much security can be just as problematic as too little. Consider a real-world example such as two-factor authentication (i.e., requiring a user to enter a password plus a one-time code sent via text message to access an application). It may make sense to use this level of security for applications that make credit card purchases online. It does not make 3

sense to require it every time a user opens a connected e-reader. And in fact, using that mechanism for that application will marginally increase security at best, but significantly diminish the user experience and increase costs. Keeping these three truths in mind, what does the right level of security mean? It means: The devices, applications, and data are secure enough for all use cases they will support. The application can offer powerful features. The application is easy to develop, deploy and maintain, in a cost-effective way. Fortunately, any enterprise or OEM can achieve the right level of security for its M2M application, both today and in the future. The key is to work with vendors that understand not just security, but have deep expertise and extensive field experience in M2M itself. Security Aspects of an M2M Application What are the security risks that an enterprise or OEM should consider in an M2M application? Figure 1 details the types of threats that should be accounted for in each element of the M2M application chain. Figure 1. Overview of M2M Security Threats Components involved App Framework / Agent Protocols: M2M Protocol (OMA-DM, M3DA...) Wireless module FW SIM Cellular Network M2M Services Data warehouse Protocols: M2M Protocol Web APIs Enterprise server & application Lack of availability Physical attack (stolen SIM, etc.) DoS attack Unauthorized command (i.e. configuration change) Not scalable embedded application Radio Jamming Infrastructure Scalability DoS attack Infrastructure availability Infrastructure scalability Physical attack DoS attack Physical attack Data spying Unauthorized command Malicious software installation GSM radio spying Network sniffing Man in the middle APIs hacking Network sniffing Data alteration Unauthorized command Malicious software installation Man in the middle APIs hacking Intrusion App hacking - exploit known bugs O/S hacking - exploit known bugs Server hacking - exploit known bugs Server hacking - exploit known bugs 4

Enterprises and OEMs will use a variety of mechanisms and techniques to address these threats in each segment of the M2M chain. Ultimately, however, all of these techniques revolve around four key areas of M2M system security: trust, upgradability, robustness, and encryption. Trust The concept of trust in an M2M application is about verifying that commands or instructions coming in to a device or server are legitimate and coming from a verified source. The M2M cloud management platform, for example, must be able to verify that data coming from both deployed devices and enterprise applications can be trusted. The back-end enterprise application must use strong authentication to verify that it can trust data from the cloud management platform. And, the enterprise or M2M solution provider must be able to control access rights across all components of the system, and ensure that anyone accessing or configuring system settings is authorized to do so. These trust mechanisms, and especially authentication mechanisms, are what prevent an application from being compromised by an illegitimate command or malware being uploaded from an unauthorized source, and that allow the cloud management platform and enterprise application to assure that data they receive are legitimate. Embedded applications use the same concepts to assure trust as any other networked system: authentication and authorization. In an M2M application, these include: Use Case: Trust in Automotive M2M Applications Trust must be enforced at all levels of an application. This is especially important in automotive M2M applications, where a security breach could quickly become dangerous. Wireless connectivity may be used by the manufacturer to upgrade software, monitor and prevent engine problems, or connect the vehicle to the repair center. Drivers may use M2M services such as location services in case of theft, remotely open or start the vehicle, or access entertainment services Securing these applications requires the following: The wireless modem must authenticate the modem manufacturer servers for upgrade requests. The vehicle must authenticate the manufacturer servers for maintenance/ diagnostics applications. the location/start/stop/ alert application must authenticate the third-party service. The user must have the rights to manage all third-party apps. Open M2M protocols: Open protocols like M3DA (see callout box) operate between the cloud management platform and the connected devices to provide secure, trusted communication. Open protocols like M3DA provide stronger security than closed mechanisms, as their algorithms are tested and proven by a large community of users. With closed protocols, 5

security is dependent upon obfuscating the algorithm. If a hacker is ever able to reverse engineer the protocol, it can easily be cracked. Two factor authentication: This method requires the presentation of two authentication factors in order to reinforce the access control to the cloud service. The user is requested to present login credentials. The cloud server then sends a one-time password (OTP) to the user s mobile phone, that the user will enter to complete the login process. This authentication mechanism prevents unauthorized access with a stolen password and PIN code. OAuth: The OAuth open-source authorization standard protects communication between the M2M cloud management platform and the backend enterprise application, assuring that both cloud and enterprise application elements are legitimate and authorized to send and receive data. Upgradability The most dangerous security threats are the ones that have yet to be discovered. That s why the most important M2M security attribute is upgradability. (This is the same principle governing antivirus software for a PC: The only effective antivirus solution is one that can be constantly updated as new threats are discovered.) To maintain security in a constantly evolving environment, enterprises and OEMs must be able to update M2M devices and applications quickly and remotely, across thousands or millions of deployed devices. Micro M2M Data Access (M3DA) An Open Source Protocol When an M2M device is running a full operating system, enterprises may be able to draw on a variety of IP security features to protect their application. But what about lightweight M2M devices that don t have a full operating system and have limited CPU power? For these kinds of M2M endpoints, M3DA can provide essential security capabilities. M3DA was developed by Sierra Wireless within the Mihini project, part of the Eclipse Foundation M2M Industry Working Group, to protect communications between deployed M2M devices and cloud management servers. It provides a set of strong, open-source security mechanisms built specifi cally for M2M applications providing the right level of security while consuming minimal bandwidth and CPU resources. M3DA security mechanisms include: Encrypted password autoregistration between device and server Strong authentication (based on the algorithm used in OMA-DM authentication) using a unique password for each device-server pair Strong encryption based on AES, confi gurable with up to 256-kb keys For more details, visit: http://m2m.eclipse.org 6

An effective M2M application should therefore employ an M2M cloud management platform with robust, field-proven update management capabilities. It should use digital certificates and integrity checks on update packages to authenticate that software updates are legitimate. Since updates can cause unexpected issues, it should offer means to easily revert back to the last revision if necessary. And, it should provide comprehensive application management tools across deployed devices and the cloud management platform. Finally, to support software updates in the most efficient manner possible, M2M devices and cloud management platforms should support patch upgradability, allowing enterprises and OEMs to update parts of device software without having to replace the entire firmware package across thousands of deployed devices in the field. Robustness Enterprises need confidence that their M2M application will provide the highest possible reliability and availability. But assuring availability goes beyond protecting against denial of service (DoS) attacks; high availability must be built into the design of the M2M application itself. The robustness of an M2M application is a function of: The robustness of each component in the system (software, hardware, devices and servers) and their tolerance to faults and attacks Lifecycle management capabilities of the system to diagnose issues in devices and other system elements in an efficient way The overall scalability of the architecture, including the embedded application and server-side elements In fact, the main availability issue that enterprises have when deploying embedded applications is not DoS attacks, but flawed application designs that do not account for the unique characteristics of M2M applications with thousands or millions of devices operating in the field simultaneously. A robust M2M application should be built using an M2M-specific software stack, such as the Sierra Wireless M2M stack, that includes design elements and fault tolerance mechanisms that allow M2M applications to remain available even when operating at massive scale. 7

Encryption A secure M2M application must protect the transmission of private and confidential data. This entails data encryption and secure transmission technologies across multiple segments of the M2M application between deployed devices, the M2M cloud management platform and the enterprise application. If the M2M cloud management platform is operated by a third party, for example, an enterprise may wish to encrypt all data as it travels from device to cloud to enterprise application using a secure virtual private network (VPN). In other cases, however, part of the data from the device may be encrypted while other data are not. Some power monitoring applications, for example, may encrypt consumption data for a home or business but not encrypt other non-sensitive data reported by the meter, such as its wireless signal strength. A payment application should use a more sophisticated M2M gateway that can support the strongest possible encryption and transmit that data via a secure VPN. Securing the Cloud Data Center Use Case: Privacy in Metering Applications The level of encryption required depends on the nature of the application. So how much privacy is necessary in a typical metering application? A smart meter connected to the smart grid transmits no sensitive fi nancial information comparable to a point-of-sales payment terminal, for example. There are no secret codes or bank account numbers involved in the transmission just electricity consumption values. Should metering data be transmitted unencrypted then? The answer is probably not. A hacker who could access this data could tell, for example, if someone is currently at home, has been away for a long time, etc. Therefore, customers may expect that only utility companies will have access to these values, and that these values be transmitted and stored in an encrypted format. Even so, other operational values acquired by the meter (i.e., wireless For applications that require maximum security, signal strength, meter status or health, enterprises may prefer to use a private access point etc.) need not be encrypted. name (APN) network that contains only authorized devices in the application (i.e., no other devices use the network), and that does not connect to the Internet but links only with the M2M cloud via a VPN. Finally, enterprises should use HTTPS to assure a secure connection whenever communicating with the cloud management platform and the enterprise application. Just as important as securing communications between M2M devices and servers, enterprises must assure that the M2M cloud management platform they use employs 8

strong security measures. This is especially important when relying on a third-party cloud management provider, such as the Sierra Wireless AirVantage M2M Cloud. A secure M2M cloud offering should provide: Secure shared data warehouse that assures that deployed devices can only register to the appropriate server Flexible data retention policies that can be defined and implemented based on the enterprise s unique requirements Robust disaster recovery features to protect the M2M application, including: - Highly resilient infrastructure that can assure 99.982% uptime (i.e., Tier 3 data center) - Daily backup of all data to a remote site - Nonstop monitoring and alerting - Fast recovery times (24 hours or less) in the event of a disaster - Ongoing testing of disaster recovery attributes Enterprises should also look for M2M cloud partners that are certified for compliance with industry standards for data center security (i.e., SAS 70 Type II, ISO 27001) and that are members of the Cloud Security Alliance. Sierra Wireless: Field-Proven Experience Providing the Right Security for M2M When trying to evaluate how an M2M system might be vulnerable and the kinds of security measures that make the most sense to protect it, nothing is more valuable than field-proven experience managing millions of deployed M2M devices. Sierra Wireless is the worldwide leader in M2M, with proven, longstanding deployments in financial services, automotive and many other industries where secure communication is a core requirement. Sierra Wireless proven track record in M2M includes: Over 15 years of experience building, implementing and securely managing large-scale M2M applications in real-world deployments, winning the trust of the world s largest enterprises and MNOs 9

First and largest provider of M2M solutions for the automotive industry, providing secure products and cloud M2M services for some of the largest automotive OEMs, and managing millions of connected devices in the field every day Extensive experience securing M2M payment systems worldwide, including partnership with the worldwide leader in connected payment terminals The most comprehensive M2M portfolio in the industry, including M2M hardware, software, development tools and libraries, seamlessly integrated with M2M cloud services, all designed to interoperate and provide end-to-end security Proven secure M2M services and upgradability, with field-proven capability to manage and remotely upgrade thousands of devices in the field M2M industry leadership, including pioneering innovations in M2M scalability and availability, and a lead role in the development of open-source M2M security mechanisms with the Eclipse M2M Working Group initiative To find out how Sierra Wireless can help you deploy your M2M application securely and effectively, visit www.sierrawireless.com. About Sierra Wireless Sierra Wireless is the global leader in machine-to-machine (M2M) devices and cloud services, delivering intelligent wireless solutions that simplify the connected world. Our solutions are simple, scalable, and secure, and enable customers to get their connected products and services to market faster. For further company and product information, please visit www.sierrawireless.com. 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information