Which nations have the best cyber security efforts?

May 19, 2015

IoT experts discuss government policing and network connectivity.

Machine data can be turned into actionable information that leads to better business decisions. And sometimes that doesn’t even need to involve humans. Machines can talk to each other and share information, creating a higher collective intelligence. But sharing data also leaves a network open to outside forces and often vulnerable if the right measures and defenses aren’t put into place. The Internet of Things (IoT) and machine-to-machine (M2M) communications are the same, and yet different, because IoT takes M2M onto the Internet. One thing is for sure: It transcends governmental boundaries. Equipment can be anywhere in the world and still be part of the conversation. This group of heavy hitters in the IoT domain offers an international take on M2M communications and what the future holds.

Meet the Panel

Samuel Bucholtz is co-founder of Casaba Security (www.casaba.com), a cybersecurity firm in Redmond, Washington. Bucholtz specializes in secure software development, advanced program analysis tools, threat modeling concepts, code review, penetration testing and network security. He’s also performed deep reviews of crypto implementations for secured network protocols and custom authentication schemes, as well as hardware device testing of embedded devices. Bucholtz also was a contributing author to “Hacking Exposed: Web Applications.”
Nicola De Carne’s passion is connecting the unconnected. He is CEO of Wi-Next (www.wi-next.com) in Milan, Italy. He is a hands-on researcher whose primary focus is on changing the Wi-Fi paradigm. Wi-Next works to bring industrial production data closer to systems for advanced analytics and intelligent management decisions. It was recently honored in Gartner’s Cool Vendors in Italy 2015 report for its work with the industrial Internet of Things (IIoT), including Wi-Next’s patented Network Operating System, a dynamically reconfigurable mesh network based on open industry standards.
Vihang Sapale is the founder of Embionics Technologies (www.embionics.com), an IoT/M2M product design house in Pune, India. He is an embedded-system professional with experience in industrial-automation design and holds a bachelor’s degree in engineering from Pune University. He’s been involved with the design and deployment of complex products such as satellite communication panels, engine control systems and wireless sensor networks. Embionics specializes in competitive analysis, technology, design and commercial launch.
Peter Waher is co-founder and CEO of Clayster Laboratorios (www.claysterchile.wix.com/claysterchile) in Chile, an IoT solutions company that originated in Scandinavia but that now operates on four continents. Originally a mathematician, commercial pilot and computer games developer, Waher has worked 20 years with computer and device communications, from low-level development in assembler for resource-constrained devices to high-level system design and architecture. He’s a participant in various standardization efforts within IEEE, IEC, ISO, UPnP and XSF, working on standards for the Internet of Things. His work with Smart Applications for the Internet of Things and the development of the IP-TV application, Energy Saving Through Smart Applications, won the Urban Living Labs global showcase award in the Cultural and Societal Participation and Collaboration Tools category.
Jonathan Pollet, founder of Red Tiger Security (www.redtigersecurity.com) in Houston, is an "ethical hacker" specializing in industrial cybersecurity. He consults for a broad range of manufacturers, energy companies and other critical infrastructure industries. He's presented SCADA security workshops to the FBI, DHS and Utility Telecom Council, and he’s spoken at industry events such as Black Hat, Kaspersky Security Analyst Summit and The Chertoff Group Security Series.
Francisco Maroto is managing director and founder at OIES Consulting (www.oies.es) in Madrid, Spain. He has more than 20 years of international experience with information technology and IoT/M2M communications. Prior to OIES, he led communications development teams in the Europe, Middle East and Africa (EMEA) market and has helped numerous startup companies with their technology and information-system implementation. He also speaks on M2M communications and IoT at numerous live events.
Dwayne Dixon is a technology sales and business development executive in the Minneapolis area with more than 25 years of experience in high-tech environments. He has had numerous roles at firms including IBM Global Services, Xerox and Dun & Bradstreet, as well as his most recent position as vice president of sales and strategic partner management at Logic PD (www.logicpd.com). He publishes The DixonTech Report (www.dixontechreport.com), a newsletter focusing on big data, IoT and digital disruption.
Martin Harnevie is an international consultant, author and critic on the Internet of Things. From 2004 to March 2015, he was the CEO of SensMaster (www.sensmaster.net) in Sweden. Harnevie has experience in leading the development of sensor networks and active RFID technologies, including fitting legacy machines with wireless connectivity, wireless asset tracking and sensor networks for defense materials security, as well as for environmental monitoring in buildings, oil and gas and automotive manufacturing. He has a master of science degree from Chalmers University of Technology in Gothenburg, Sweden, and he studied economics at the University of Gothenburg in Sweden.

In your estimation, which governments have been the most proactive in terms of policing the cyber world?

Bucholtz: None. Almost every government has been entirely reactive. Proactive policing requires tight regulation and oversight of all cyber communications, which is rarely possible, even in China. That said, if the question is, which countries have been the best at reacting to the threat, I would say the United States, Israel and western European countries have certainly been the most aggressive in this sense.

De Carne: During the advent of electricity we saw some countries lead in the wide application of the new technology; we can expect a similar variance today. As the United States was the first to use electricity to power assembly lines and transform manufacturing, we can expect that the United States will lead the IoT, and industrial IoT, in particular. There are two interesting reports about the propensity to use these new technologies in the different countries—one from Cisco and the second from Accenture—and in both cases the United States leads. The other countries with a high willingness to adopt the new technologies are Germany, France and Japan.

Sapale: European countries such as Finland and Sweden are proactive in terms of policing the cyber world.

Waher: Both the United States and the European Union try to police the cyber world, but both are fighting a losing battle. Perhaps the reason for this is that they are not interested in the security of the IoT solutions themselves, but see security from a national security perspective. And in such regards, centralized big-data solutions seem to be favored over more secure distributed solutions. Monitoring of data seems to be more important than threats from outside sources or issues like privacy or data integrity. Both base their recommended solutions, both from government agencies and standardization bodies, on centralized big-data solutions that are both vulnerable and easier to monitor. Both rely on intimidation to minimize the risk of hackers utilizing system vulnerabilities, instead of creating a secure infrastructure that would limit attack possibilities, even though the United States is more aggressive in this regard. Both fail to recommend secure IoT architectures. Whether this is because of a lack of knowledge of how to accomplish this or a lack of interest, since it would also make monitoring more difficult, I cannot say. One thing is clear at least: Many countries now correctly see security issues within IoT as a threat to national security.

Pollet: That’s a tricky question to answer. In terms of tracking down and prosecuting “hacktivists,” the Five Eyes countries (Australia, Canada, New Zealand, United Kingdom and United States) have probably been the most proactive. In terms of preventing or prosecuting all nefarious actors on the Web, I’d be hard-pressed to say anyone’s been particularly good at that. However, when it comes to industrial cybersecurity specifically, I would single out France. For instance, France has its own version of the NIST Cyber Framework. However, theirs is better because in addition to consolidating industry guidelines and going beyond technical controls to also address policy and governance, which ours does, too, it goes further by categorizing industries and companies based on their criticality—for example, water treatment plants versus power plants—and provides prescriptive guidance for addressing critical threats for these facilities. We don’t do that, but we should. The Middle East has also been very proactive about securing its industrial networks. This is largely because their economies rely so heavily on the energy sector, of course. The country of Qatar is the only nation other than the United States that currently has mandatory security controls for critical infrastructure networks.

Maroto: This Web page, map.ipviking.com, lists the origins and targets of cyber attacks. It is obvious that these countries need to be more proactive and not wait for a worldwide or European policy. The United States, China, Russia, Saudi Arabia, United Kingdom and Israel are usual suspects, but many countries are now targets of new cyber attacks and need to react quickly. Many governments published national cybersecurity strategies four or five years ago. With new threats due to IoT, they will need to update and approve new policies soon.

Dixon: According to a recent study by ABI Research and ITU Telecom, the United States was ranked No. 1 in the Global Cybersecurity Index of cybersecurity readiness. Rounding out the top five countries were Canada, Australia, Malaysia and Oman. The study can be found here: http://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI.aspx

Harnevie: There are no specific IoT regulations or policing activities in any country I know of. What exists today are from previous usages of the Internet, related to media, electronic commerce, privacy and intellectual property protection. While some of these may apply also to IoT, it concerns mainly connected devices, which are communicating with other devices in an M2M manner. This might put different requirements on both regulations and policing.

What type of network connectivity is most dependable and most secure?

Dixon: Employ encrypted messages at a bare minimum, and encrypted connections, if possible. Full VPN tunnels are even better. 

Harnevie: There is no quick answer to this. You could state general things like WirelessHART is more secure than ZigBee, or that Bluetooth is more secure than ZWave and ANT, or that Ethernet LAN is more secure than RS-485- or RS-422-based networks. But such statements, even if they might appear correct on a technical level, are more misleading and deviating for the task at hand than they are helpful. IoT security is not about the selection of network technology. Instead, one must take a total approach to the whole system. It is far more important to carefully select the cryptographic overall system design and key handling than it is to select one network over the other.

Waher: As long as connectivity is concerned, older and more tested protocols are more dependable and robust. The benefit of the XMPP protocol is that, apart from being standardized by the IETF, it has been around since 1999, albeit in another setting. It was developed to solve the case of instant messaging and was developed in the Jabber project. XMPP quickly grew and is now implemented in billions of clients worldwide, and it is used in everything from instant messaging for chat and push notifications to social networking and now Internet of Things. The software is globally scalable and well tested. 

Bucholtz: A hard-line, point to point, between two points is the best solution. Other than that, there really isn't any such thing as a secure network connection. Industrial facilities need to realize that every connection can be hacked by a sophisticated adversary with enough funding and enough time. The nation-state threat is what every plant should be preparing itself for. You need to go beyond the mindset of focusing solely on protection; post-breach damage control is equally important. Ask yourself, what would happen if malware was planted on the SCADA network, if remote access was gained to a particular system or piece of equipment? Then devise a plan to limit the damage, should such an event occur.

De Carne: For sure, the most secure is wired connectivity, but the side effect is less scalability and flexibility and the cost of implementation and maintenance, in particular for retrofits and older plants.

Maroto: Whether wireless or wired, network security is a primary concern for M2M and IoT services. Wired networks are more secure than wireless, such as LTE, 3G or Wi-Fi. Increasingly, sophisticated security threats make implementing superior wireless security even more of a necessity. However, in the IoT world, network-to-network connectivity and more security features are necessary. Reliability will be needed to enable IoT apps and services.

Sapale: Network connectivity is very subjective in nature, and a particular network cannot be termed as dependable or secure. Network security in an industrial domain is different from conventional security required for, let's say, the banking and finance sector institutes. In the conventional model, each node, or client, is connected directly to the central server through the Internet, although the mode of communication—VPN, 3G network, DSL—may be different. In the case of IoT, the network is characterized by hundreds of sensors, which are connected to a Tier 1 gateway. Many such Tier 1 gateways are connected to a Tier 2 gateway, which ultimately is linked with the network. Most of these sensors have stringent requirements on cost and run on battery power, which limits the ability to make them secure. Let's take an example of onboard diagnostics (OBD), which is present in modern vehicles. The data is collected from all the sensors in the car using CAN protocol, which is a global standard. This protocol does not need security because there is no communication with the outside world. When the data is actually transferred through OBD, then the question of security comes into the picture. Here two important questions need to be answered.

1. Is data security really required in the first place just to read diagnostic information?

2. What is the nature of security that has to be provided? In this case a lot of stakeholders will have to work together to sort out the matter.

Hence the protocol selection of the IoT platform is a very subjective matter, and there are no silver bullets in this case.

Pollet: Nonroutable communication protocols that are not based on TCP/IP—analog, serial, token-ring, bus—are much more secure than TCP/IP-based communications. TCP/IP communications can be hijacked, can be intercepted, can be changed in flight and can transport hidden malware if not properly secured.

Mike Bacidore is the editor in chief of Control Design, a sister publication of Smart Industry.