Feature Article
Towards Right-Sizing Security for M2M Solutions:
A Practical Approach
Jon Howes, Beecham Research
Security for M2M solutions is a current focus for Beecham Research,
with a report that identifies a new balance and new opportunities emerging
in the market. This paper discusses the issues and approaches to security in
M2M that are making a real difference.
over, connected objects communicate at a far faster rate than humans, and
any adverse effects can arise independently, resulting in damage before it
can be mitigated.
M2M Solution Security a High Priority
Many past and current M2M solution developments have provided both
connectivity and security through the use of the secure capabilities of the
SIM cards within embedded cellular modules, and at the other end of the
M2M solution through the security in the cellular wireless network. In fact,
the module plus the SIM has been rightly seen to provide sufficient security
for the demands of those systems and their perceived threats.
An M2M solution chain is complex with multiple suppliers, technologies
and communications, and will likely grow in complexity. As M2M solutions
have become more widespread and more critical, more areas are identified
where security needs to be added. For example, some connected devices’
embedded systems developers have identified a need for encryption and
decryption of varying strengths from sensors; here, the first approach, which
can be sufficient for many M2M solutions, is to integrate off the shelf chips
that provide encryption and decryption.
As pressures on the level of required security increase, many have
recognised that the protection of secured communication subsystems does
not extend to all parts of the remainder of the supply chain. M2M solutions
are increasingly incorporating Elements of Security at different points in the
supply chain. These may involve hardware, operating systems, embedded security and the application layer and other parts, and are being independently
developed by several different supply chain players for a variety of needs.
A recent survey conducted by Beecham Research of leading M2M solution providers in North America, Europe and AsiaPac found that ensuring
end to end security was their highest priority for current M2M projects.
This is indicative of the growing requirement.
Figure 1. Beecham Research Survey of leading M2M providers
Reports of data loss and corruption, access intrusion and distributed denials of service are growing at an alarming rate. For example for Industrial
Control Systems, in 2011, the year after the discovery of Stuxnet, more than
five times as many vulnerabilities were reported compared to the previous
five years. These discoveries of new vulnerabilities doubled again in 2012.
These and other documented examples of security breaches illustrate the
potential for harm. For this reason, security solutions for all manner of IT
projects including those in M2M are gaining in importance.
M2M systems comprise a complex chain of connected systems and
devices; hence the M2M community is right to be concerned about their increasing targeting by attackers, particularly via the Internet. For this reason,
end to end M2M security has shot up the priority list. Whilst there has been
an aversion in the market to discuss security issues openly, and the threat of
hacking M2M-based operations is relatively low at present, this state of affairs is unlikely to continue. A major attack could have a significant impact
on M2M market development and public trust.
However, the meaning of a system’s security and requirements are not
fully understood. Despite much talk about ‘end to end’ security, the ‘ends’
are not always clearly defined. Security is too broad and eclectic a concept
to define, and its definition and implementation depend on its value to the
solution. As security solutions are defined by the perceived threat or threats
of the system in question, the meaning and requirements for security are
different in different M2M vertical market segments.
In business critical applications/operations, data security and the physical integrity of remote devices tend to be paramount. Hence any failure
that prevents delivery of the service is a threat. By contrast, in consumer
applications such as telehealth and smart metering for example, the
security of personal information is already becoming an issue of greater
concern. New risks arise when devices are inextricably linked in an M2M
delivery chain; for example, a persistent identifier could link the data back
to the device from which it was collected or back to an individual. More
4
www.RemoteMagazine.com
Evolving ‘Elements of Security’
Killing the M2M Patient?
Assuring end to end M2M security will likely involve more than one
specialist vendor in these Elements of Security. The challenge is for the
multiple elements provided by these vendors to be dynamically linked
together to form an end to end chain, in order to mitigate a specific threat.
Identifying the nature of that threat will be key, and will necessitate input
from sector specific experts. We should not forget the role of the customer
and end user; suppliers of technology may provide design expertise, but
customers and ultimately end users must understand their business and the
business implications of these design choices.
Figure 2. Diagrammatic Representation of the M2M solution supply chain, with participants and
suppliers, including those providing ‘Elements of Security’
http://www.RemoteMagazine.com
Table of Contents for the Digital Edition of Remote - M2M Special Issue 2013