Cyber Security Institute

Thursday, April 14, 2005

Is Machine-To-Machine (M2M) The Gap In Your Security?

Over the last ten years, major changes have occurred in IT.  With the Internet driving the pace, one of the most significant developments has been the rise of IP to become the dominant protocol.  Another key element has been the decentralisation of systems, with the perimeters of organisations rapidly disappearing.  Anywhere, anytime, anyhow access is now becoming increasingly achievable.  This ‘deperimeterisation’ of the network has significantly changed the security landscape.  Organisations now need to move from a reliance on powerful gateway security to a recognition that applications, departments and network segments need their own security.  While this challenge has been recognised and addressed by many businesses, one key area has been largely overlooked - that of machine-to-machine connections (M2M).

M2M connections are endemic and can range from all the complex communications within a modern aeroplane, through to internal Microsoft servers talking to each other.

In manufacturing, all processes are increasingly linked automatically.  Lathes, for example, are driven by production scheduling systems and robots are managed by manufacturing systems.  In the pharmaceutical industry, production processes are very closely monitored to ensure legal compliance with FDA and other regulations.  In finance, automated linked processes are subject to close regulation; and ATMs communicate directly with their core corporate systems.  In the average organisation, servers talk to other servers all the time without manual intervention.

While these linkages provide major cost benefits, most of these internal appliances are not given the same level of security as outward facing systems.  They typically rely on gateway systems for firewall and anti-virus protection.  This was more than adequate in the past but not any longer, as has become increasingly clear to the many organisations who have had to build patch scheduling (or rush patching) into their timetables.

Unsecured IP connected devices are potentially vulnerable to a range of problems such as network viruses, trojans and hacking.  A recent report on ‘The Register’ web site described how a couple of simple web searches threw up over a thousand unprotected surveillance cameras. 

Other areas at risk include VoIP servers and VoIP devices.  Digital telephone switches can also be a problem.  The list of ‘machines’ with a potential security risk is long and includes wireless devices, video conferencing systems, data centre monitoring equipment, internal security cameras, webcams, POS devices and ATM devices. 

Real-life examples include a company where production was lost for days when robots on an IP network became infected.  A pharmaceutical company had to take its systems down for two weeks, to recalibrate them to comply with Food and Drug Administration (FDA) regulations, after needing to install urgent patches.

Telephone switch and router problems, though probably less expensive, can still run into tens of thousands of pounds.

Adding tens or hundreds of additional security devices to the IT department’s management load would have been an expensive nonsense.  Finally, patching vulnerabilities has often been dealt with on a tactical basis, so the workload and expense have not always been planned or costed.

Posted on 04/14