Machine data can be turned into actionable information that leads to better business decisions. And sometimes that doesn’t even need to involve humans. Equipment has the ability to talk to each other and share information that creates a higher collective intelligence. But sharing data also leaves a network open to outside forces and often vulnerable, if the right measures and defenses aren’t put into place. The Internet of Things (IoT) and machine-to-machine (M2M) communications are the same, and yet different, because IoT takes M2M on the Internet. One thing is for sure: It transcends governmental boundaries. Equipment can be anywhere in the world and still be part of the conversation. This group of heavy hitters in the IoT domain offer an international take on M2M communications and what the future holds.
Meet the Panel
Or go directly to the Q&A
In your estimation, which governments have been the most proactive in terms of policing the cyber world?
Bucholtz: None. Almost every government has been entirely reactive. Proactive policing requires tight regulation and oversight of all cyber communications, which is rarely possible, even in China. That said, if the question is, which countries have been the best at reacting to the threat, I would say the United States, Israel and western European countries have certainly been the most aggressive in this sense.
De Carne: During the advent of electricity we saw some countries lead in the wide application of the new technology; we can expect a similar variance today. As the United States was the first to use electricity to power assembly lines and transform manufacturing, we can expect that the United States will lead the IoT, and industrial IOT, in particular. There are two interesting reports about the propensity to use these new technologies in the different countries—one from Cisco and the second from Accenture—and in both cases the United States leads. The other countries with an high willingness to adopt the new technologies are Germany, France and Japan.
Sapale: European countries such as Finland and Sweden are proactive in terms of policing the cyber world.
Waher: Both the United States and the European Union try to police the cyber world, but both are fighting a losing battle. Perhaps the reason for this is that they are not interested in the security of the IoT solutions themselves, but see security from a national security perspective. And in such regards, centralized big-data solutions seem to be favored over more secure distributed solutions. Monitoring of data seems to be more important than threats from outside sources or issues like privacy or data integrity. Both base their recommended solutions, both from government agencies and standardization bodies, on centralized big-data solutions that are both vulnerable and easier to monitor. Both rely on intimidation to minimize the risk of hackers to utilize system vulnerabilities, instead of creating a secure infrastructure that would limit attack possibilities, even though the United States is more aggressive in this regard. Both fail to recommend secure IoT architectures. Whether this is because of a lack of knowledge of how to accomplish this or this is a lack of interest since it would also make monitoring more difficult I cannot say. One thing is clear at least: Many countries now correctly see security issues within IoT as a threat to national security.
Pollet: That’s a tricky question to answer. In terms of tracking down and prosecuting “hacktivists,” the Five Eyes countries (Australia, Canada, New Zealand, United Kingdom and United States) have probably been the most proactive. In terms of preventing or prosecuting all nefarious actors on the Web, I’d be hard-pressed to say anyone’s been particularly good at that. However, when it comes to industrial cybersecurity specifically, I would single out France. For instance, France has its own version of the NIST Cyber Framework. However, theirs is better because in addition to consolidating industry guidelines and going beyond technical controls to also address policy and governance, which ours does, too, it goes further by categorizing industries and companies based on their criticality—for example, water treatment plants versus power plants—and provides prescriptive guidance for addressing critical threats for these facilities. We don’t do that, but we should. The Middle East has also been very proactive about securing its industrial networks. This is largely because their economies rely so heavily on the energy sector, of course. The country of Qatar is the only nation other than the United States that currently has mandatory security controls for critical infrastructure networks.
Maroto: This Web page, map.ipviking.com, lists the origins and targets of cyber attacks. It is obvious that these countries need to be more proactive and do not wait for a worldwide or Europe policy. The United States, China, Russia, Saudi Arabia, United Kingdom and Israel are usual suspects, but many countries are now targets of new cyber attacks and need to react quickly. Many governments published national cybersecurity strategies four or five years ago. With new threats due to IoT, they will need to update and approve new policies soon.
Dixon: According to a recent study by ABI Research and ITU Telecom, the United States was ranked No. 1 in the Global Cybersecurity Index of cybersecurity readiness. Rounding out the top five countries were Canada, Australia, Malaysia and Oman. The study can be found here: http://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI.aspx.
Harnevie: There are no specific IoT regulations or policing activities in any country I know of. What exists today are from previous usages of the Internet, related to media, electronic commerce, privacy and intellectual property protection. While some of these may apply also to IoT, it concerns mainly connected devices, which are communicating with other devices in an M2M manner. This might put different requirements on both regulations and policing.
What type of network connectivity is most dependable and most secure?
Dixon: Employ encrypted messages at a bare minimum, and encrypted connections, if possible. Full VPN tunnels are even better.
Harnevie: There is no quick answer to this. You could state general things like WirelessHART is more secure than ZigBee, or that Bluetooth is more secure than ZWave and ANT, or that Ethernet LAN is more secure than RS-485- or RS-422-based networks. But such statements, even if they might appear correct on a technical level, are more misleading and deviating for the task at hand than they are helpful. IoT security is not about the selection of network technology. Instead, one must take a total approach to the whole system. It is far more important to carefully select the cryptographic overall system design and key handling than it is to select one network over the other.
Waher: As long as connectivity is concerned, older and more tested protocols are more dependable and robust. The benefit of the XMPP protocol is that, apart from being standardized by the IETF, it has been around since 1999, albeit in another setting. It was developed to solve the case of instant messaging and was developed in the Jabber project. XMPP quickly grew and is now implemented in billions of clients worldwide, and it is used in everything from instant messaging for chat and push notifications to social networking and now Internet of Things. The software is globally scalable and well tested.
Bucholtz: A hard–line, point to point, between two points is the best solution. Other than that, there really isn't any such thing as a secure network connection. Industrial facilities need to realize that every connection can be hacked by a sophisticated adversary with enough funding and enough time. The nation-state threat is what every plant should be preparing itself for. You need to go beyond the mindset of focusing solely on protection; post-breach damage control is equally important. Ask yourself, what would happen if malware was planted on the SCADA network, if remote access was gained to a particular system or piece of equipment. Then devise a plan to limit the damage, should such an event occur.
De Carne: For sure the most secure is the wired connectivity, but the side effect is the less scalability and flexibility and the cost of implementation and maintenance in particular for the retrofit and older plant.
Maroto: Whether wireless or wired, network security is a primary concern for M2M and IoT services. Wired networks are most secure than wireless, such as LTE, 3G or Wi-Fi. Increasingly, sophisticated security threats make implementing superior wireless security even more of a necessity. However, in the IoT world, network-to-network connectivity and more security features are necessary. Reliability will be needed to enable IoT apps and services.
Sapale: Network connectivity is very subjective in nature, and a particular network cannot be termed as dependable or secure. Network security in an industrial domain is different from conventional security required for, let's say, the banking and finance sector institutes sector. In the conventional model, each node, or client, is connected directly to the central server through the Internet, although the mode of communication—VPN, 3G network, DSL—may be different. In the case of IoT, the network is characterized by hundreds of sensors, which are connected to a Tier 1 gateway. Many such Tier 1 gateways are connected to a Tier 2 gateway, which ultimately is linked with the network. Most of these sensors have stringent requirements on cost and run on battery power, which limits its ability to make it secure. Let's take an example of onboard diagnostics (OBD), which is present in modern vehicles. The data is collected from all the sensors in the car using CAN protocol, which is global standard. This protocol does not need security because there is no communication with the outside world. When the data is actually transferred through OBD, then the question of security comes into picture. Here two important questions need to be answered.
1. Is data security really required in the first place to just to read diagnostic information?
2. What is the nature of security that has to be provided? In this case lot of stakeholders will have to work together to sort out the matter.
Hence the protocol selection of the IoT platform is a very subjective matter, and there are no silver bullets in this case.
Pollet: Nonroutable communication protocols that are not based on TCP/IP—analog, serial, token-ring, bus—are much more secure than TCP/IP-based communications. TCP/IP communications can be hijacked, can be intercepted, can be changed in flight and can transport hidden malware if not properly secured.
Mike Bacidore is the editor in chief of Control Design, a sister publication of Smart Industry.
Did you find this article interesting? If so, you might like to read these related articles: