New challenges demand new end-to-end strategies – not just more technologies, says Oozi Cats, CEO of Telit Communications.
It’s one of those universal truisms that any increase in openness of any sort brings with it implicit risk. From stomach troubles on foreign holidays to teenage broken hearts, we spend our lives navigating often-narrow knife edges between opportunity and threat. It shouldn’t therefore be any surprise that the increasingly rapid adoption of IoT and M2M solutions by ever wider market sectors is presenting its own particular challenges to us, both as individual companies and as a wider collective community.
It’s already clear that two issues must be urgently addressed. First comes the all-important one of keeping a continued confidence amongst both the general public and the worlds of business, government and the utilities in our ability to protect their data and systems.
However, before we can really do this, the second issue must be tackled: how do we create the right kind of environment that ensures that security is built into our products, our solutions, our companies, our markets and, especially importantly, our staff in truly holistic ways.
The high technology sector – from the early days of both the Internet and GSM – has often rolled out amazing technologies only to find that they were implicitly insecure. The end result was a sometimes embarrassing and expensive scramble to retro-fit security techniques like encryption. The Internet of Things (IoT) is too important to both our public and private lives for security to be seen as an afterthought.
Complementing this issue is another ‘softer’ issue and one to do with company cultures and organisational structures. Although things have improved, enterprise IT security departments have been seen in the past as business limiters – not business enablers. They were the ones who always asked awkward questions when some new business initiative was suggested and, because their strategic advice was ignored in a race for shortterm profit, often had to clear up the mess later.
At Telit, both these facets of the central problem are very clear to us and we recently took a pledge to expand and enhance our efforts to educate and raise awareness of what security really means: not just amongst the technology community, but also across every market sector involved and the wider general public.
How the world perceives IoT risk
When it comes to actual awareness of security pitfalls and vulnerabilities, a major survey of consumers, businesses and IT security specialists by international IT governance organisation ISACA (IT Risk-Reward Barometer, 2014) showed some interesting trends. Irrespective of region, most respondents knew about prominent data breaches of companies and most said their concerns had increased as a result. On further drilling down into the data, the research specifically addressed concerns about the IoT: vulnerabilities to hacking; usage of customer data; resale of personal information; and tracking of individual behaviours and travel. While around half of those polled said that they proactively managed their privacy settings, the rest were essentially passive, only changing things such as passwords when a specific event occurred – or not even then. Overall, despite recognising the benefits of IoT, more than a third of the ISACA members and IT professionals surveyed felt that the risks currently outweighed the benefits to enterprises.
So, what can we do to change these perceptions?
Despite its virtual nature, cyberspace displays many of the characteristics of real world geographies. Just like any city, there are safe areas and unsafe areas. Organised crime and black hat hackers have their own equivalents of seedy bars and hangouts, where vulnerabilities, tools and data are shared and swopped. Some of the larger criminal and terrorist organisations even have their own R&D operations, funded by the profits from their illegal operations. Despite this – and just like real world villains – they’ll almost always target the easiest, most vulnerable, low-hanging fruit.
The response to this, we at Telit feel, is to create our own equivalents of ‘safe neighbourhoods’ for IoT, where information and best practice is readily shared across our industry’s equivalent of the shopkeepers, business owners and householders. This ‘zero tolerance’ strategy – just as it’s worked in some of the world’s major cities – can go a long way in deterring opportunistic crooks, driving them to move on in search of easier and weaker pickings.
That said, the incredibly complex value chains involved in much M2M/IoT activity will never be secured by simple point solutions and, again just as in the real world, a broad spectrum, multiagency approach is essential. Each technology sector will be familiar with its own vulnerabilities, while each market sector will also have its own native concerns. Around these are also the general public and ordinary everyday business users who’ll often inevitably try to avoid using appropriate security techniques if they impact on how easily they can use devices or services. Any cybercriminal will tell you that the easiest parts of the whole infrastructure to hack are actually human beings….
The whole is more than the sum of its parts
Telit’s recent work provides a good example of how this multi-level, multi-agency approach can work in practice. While there are numerous national and multinational organisations out there concerned with IT and network security, risk, fraud and revenue management, we identified a number of strategic points within the entire IoT/M2M universe where active input and participation would have the greatest strategic benefit for ourselves, our customers and the wider community.
GSMA Embedded SIM project: SIMs are one of the essential building blocks of cellular connectivity, so it was essential that security principles were deeply rooted right from the start and Telit played an important role in crafting these and is amongst the first in the industry to commercialise a compliant solution – which you’ll be able to see at the Mobile World Congress in March.
ERTICO-ITS: This is a good example of sectorfocused activity, being a European organisation that promotes research and defines Intelligent Transportation System industry standards, connecting public authorities, businesses, infrastructure operators, users, national ITS associations and other organisations, both across Europe and internationally. Through ERTICO, Telit has been involved in defining secure specifications for the wider European eCall initative, which uses ‘black boxes’ deployed in vehicles to send alerts, sensor data and location information to emergency services in the event of accidents.
TIA’s TR-50 – The Telecommunications Industry Association’s (TIA) TR-50 initiative is developing an M2M Smart Device Communications framework able to work across different underlying wired and wireless links, using well- defined Application Programming Interfaces (APIs) that are agnostic to the specific vertical application domains such as Industrial Automation, ehealth and Smart Grids. Once again, Telit has been influential in developing specifications in both this and related protocols.
oneM2M – Telit has also been deeply involved in addressing key security issues within this organisation on a more generic basis, effectively creating a standard of standards that can be applied across multiple industry sectors, consolidating work carried out by more specialised groups.
5G – While it currently seems to be true that if you ask a room full of radio engineers for their definitions of 5G, you’ll get more definitions than engineers, work is already moving apace in this domain. Unlike previous network-focused standards, 5G will be the first to consider and incorporate the unique needs of machine communications – including security. Telit here, again, has been involved right from the earliest days, ensuring that issues around machine connectivity – and especially security – are incorporated from the ground up.
Integrating security – from the quantum level upwards
The fractal nature of our industry – where there are the same levels of complexity at each stage up from microprocessor to the networked product – means that there’s a critical need to address security at the most basic levels of manufacturing and circuit design. This also extends to ensuring that where new firmware is distributed to remote devices for dynamic updating the whole path is secure.
With our 2013 acquisition of ILS Technology, Telit added critical expertise in data security. Take, for example their secureGATE solution, specially created to help semiconductor fabrication plants protect their design and manufacturing processes from digital infiltration and attack; while their secureWISE offering monitors and secures traffic to and from each tool on the factory floor.
This kind of ground-up, silicon>component>system strategy is especially important when it comes to securing the Connected Car – or the ‘Smartphone on Wheels’, as some now define it, with its own IP address. As new functionalities are added to this platform, such as driver assistance systems, theft prevention, intelligent traffic management and more, each must be protected, both singly and when they’re operating in unison.
While the CAN bus and other architectures continue to evolve, increasing in speed and functionality, some suppliers have brought in specific point countermeasures to address individual elements in the digital command, content and control chain, such as secure keys, encrypted data, message filtering and the like. By contrast, Telit’s strategy has been to create a much wider, all ncompassing environment –ATOP, m2mAIR Mobile and deviceWISE – implementing multiple measures using state-ofthe- art bank transaction-level security where keys and certificates are used in each communications element and module. In fact, the ATOP module even has a dedicated processor to store keys and process encryption algorithms to protect the entire vehicle from digital attack.
Telit m2mAIR in particular offers Shield, a new service specifically designed to detect and protect against attacks at the device itself – essentially shutting down the communications module and recording attack data to transmit once the attack is complete, while deviceWISE, on which our m2mAIR Cloud offering is based, has been named the most secure M2M application enablement platform on the market two years running by leading research firm ABI, thanks to its file-level access policies which leverage and build upon the expertise behind secureWISE.
Adopting inclusive policies and strategies
A famous French statesman once observed that “war was too important to be left to the military”. The same applies to M2M/IoT security – it’s far too important to our entire world to be left solely to the security experts, excellent though they might be in their respective fields. Indeed, the sheer breadth of security issues that can impact different aspects of the M2M/IoT universe – cryptography, identity theft, authentication, physical and plant security, access control, social hacking and so on – urgently require the imposition of truly holistic operational security frameworks by companies working in this space. In this context, a number of risk analysis and management methodologies already exist which can be adapted for M2M/IoT environments.
Much like our broader ONE STOP. ONE SHOP. offering, we believe the first step to solving an industry-wide problem is cknowledging it. Just like the boy who cried ‘wolf’ in the children’s tale, it may be unpopular with our industry peers to point out potential security risks associated with the M2M/IoT domain, but we’ve never shied away from such a challenge. We encourage you to talk to your suppliers and the many industry and technology organisations now sharing best practice advice about how they can help protect your mission-critical data at every possible entry point – from edge to HQ’s IT department. Then you’ll be able to determine for yourself whether your devices are secure at the edge, your data is secure in transit and arrives at your enterprise systems without tampering.
We see end-to-end cyber-protection for IoT data and privacy as a fundamental requirement for providers in our space. While there have been some recent high-profile security and privacy breaches in the news, that doesn’t mean that today’s connected consumer needs to be suspicious of the many services and benefits that the Internet of Things provides. Telit and its subsidiary companies are deeply committed to data security across the entire value chain and are actively engaged in defining and building the standards of security around device communications.
Oozi Cats has 25 years of experience in creating and leading business ventures. In 2000 Cats founded Telit, then an Israeli start-up for high level engineering and distribution in the field of wireless communications. In 2002 Cats led Telit to
acquire a bankrupt GSM/GPRS handset company in Italy and restructured its human resources & strategy to become an M2M platform. In 2005 Cats took Telit Communications PLC public on LSE (AIM) raising about GBP 20M. With the funds in place Cats globalised the company by adding to its cellular GSM/GPRS core competence also CDMA, EVDO, UMTS and later also HxPA & LTE. Since then, Mr. Cats has led Telit to become a leading enabler of the Internet of Things by bringing together, through a series of acquisitions, all the pieces of the IoT puzzle including hardware, software and services across the entire M2M value chain.