Progress and standards
The underlying principle of M2M communications isn't particularly new, as similar technology has been used for decades at power stations, water utilities, building control and management systems, and the like, usually in the more recognisable form of supervisory control and data acquisition (SCADA) systems. However, according to engineering manager Aviv Abramovich from Check Point, these systems are typically custom implementations, often running proprietary operating systems, and without any particular standard to follow.
"They weren't designed with security in mind when they were designed. The designer did not expect them to necessarily be connected to the internet [or] a public access network. They probably more anticipated that they would be behind a secure network, and they made some assumptions on how it works," Abramovich said.
Palo Alto Networks' global product marketing lead, Chris King, also chimed in, using medical devices as his example.
"You look at CT scanners, you look at MRI scanners, you look at dialysis machines, and all these kinds of medical devices: they're on an internet. They talk IP, and they have massively vulnerable operating systems. They're running embedded versions of Windows."
Curiously, while King sees off-the-shelf operating systems such as Windows as making devices more vulnerable, Abramovich thinks the opposite is more often true: commodity platforms receive more vendor support and more frequent patches than systems that were written once and long forgotten.
"With smart meters, and to an extent ATMs, and to an extent SCADA systems, the rollout of patches and updates tends to be slower than you would normally have compared with your home PC, where you get a normal update every week or so or every month," Abramovich said.
As with the operating system debate, most experts see a role for M2M-specific standards, but their effectiveness remains to be seen.
Ian Yip, NetIQ's product and business manager for its Identity, Security & Governance portfolios, said he is encouraged that, with security becoming a hot issue, many in the industry, and especially those in academia, are working toward standards that could be adopted to govern M2M communications.
"There are working groups, there are varying protocols, there's a lightweight version of IPv6 you can use on M2M type of communications, but it's not full IPv6," Yip said.
"If you look for things and discussions online or in publications in this area, a lot of the information is from universities or research groups. Companies are starting to look at it, but only if they have a business case to do it."
Yip said that these standards now have a greater focus on security, with many aiming to get it right while they can, rather than repeat the mistakes of utilities before them.
"Security is part of the discussion, because everyone who does the research around this is educated enough to understand the implications of not building security into M2M protocols, M2M standards, M2M communication upfront. We made mistakes on the internet, and now we're having to retrofit security, and with M2M you're even more exposed. So, thankfully, they're trying to deal with it upfront," Yip said.
While King applauded the initiative of addressing security from the get-go, he also expressed his doubts at how effective such standards might be, stating that what works in theory isn't always practical to implement.
"You have one of two things that come out of standards bodies — and I'm not belittling standards efforts at all here — but typically, they are too strong and thus hard to adopt, or too weak and thus incomplete. That said, it always comes down to implementation. In my experience, there's never been a standard that's obviated all security concerns."
Likewise, Oracle's vice-president of Strategic Programs, Industries & Exalogic, Michael Counsel, said that it is too early to pick a "winner" among the standards that address security.
"We need to see the whole picture before we can really think about whether or not we've satisfied the risk requirements of our consumer or the organisation of the customers that are using it. It's going to be some time before there's enough of the tooling, enough standardisation, that you cover all bases," Counsel said.
For Counsel, seeing the whole picture means watching the inventors and forward-thinking engineers who are coming up with new uses for the technology, because their work determines what these standards really need to deliver for security.
"We're in that creative curve, where people are looking to capitalise on the opportunity, and those customers and those great inventors will be looking at ways to utilise it. They'll be looking at solving their problem, and any de facto would-be standards would actually still be lagging behind the creative process that's going on in their labs right now."
It is entirely possible that, despite the work by research groups, standards, and possibly security along with them, could be bypassed entirely if a powerful enough company stepped in, according to Yip.
"A certain large one comes to mind in the shape of a fruit. They could potentially do it — they've got enough money to do it — if they want, but there is a risk of getting into it too fast, especially when things like the standards aren't quite set yet, and the security mechanisms haven't been quite worked out yet," he said.
"It's either going to take a standard for the industry to agree on, or a very powerful vendor to make things work, so that everyone kind of says, 'Well, that works, so I'm just going to use that for the pure ease of use.' It might be completely proprietary, but all we really care about is that stuff works and stuff's secure, in that order, unfortunately."