Getting smart on security
Manufacturers across all sectors have invested heavily in Internet of Things (IoT) devices, with some impressive results. A whole host of products are now being manufactured with internet connectivity built in, from consumer gadgets for the home to smart cars, wearables, medical devices and intelligent machinery. Devices as varied as thermostats, garden equipment and watches are all constantly monitoring, communicating about, and reacting to changes in their environment.
It seems there is no end to the possibilities this presents. The upside is that we have greater control and functionality at our fingertips; with the ability to operate devices remotely comes improved productivity.
However, there are hidden risks. In the pursuit of greater functionality, we also need to consider the challenges that this connectivity creates as information flows between machines and devices. The key issues of data privacy and security must be addressed; stories of security breaches in which hackers have remotely taken control of connected cars or medical devices raise significant concerns about consumer safety.
While the IoT era promises great commercial and technological opportunities, it also comes with added responsibilities. Fundamentally, we need to address the security risks inherent in IoT devices right from the outset of product design to ensure that the safety, security, and privacy of consumers are maintained.
The connected world
Embedding internet connectivity in ‘things’ is transforming the world around us at an astonishing rate: technology analyst firm Gartner has predicted that there will be 21 billion things connected to the internet by 2021. There are huge revenue opportunities from these innovations across a host of industries, and growing demand is expected in sectors such as the utilities industry, in which smart meters and smart appliances are rapidly being rolled out.
However, as more devices come on to the market, there have been growing calls for tighter controls around the standards for IoT connectivity. According to a survey for global cybersecurity association ISACA last year, 75 per cent of IT professionals said they thought device manufacturers were not implementing sufficient security measures in devices. Despite calls for the industry to get smart on security, IoT devices present some specific challenges. Many devices aren’t easy to update or patch, leaving them vulnerable to compromise. They also provide a point of weakness in a network, giving hackers a way to gain access to other, more valuable data. Taking shortcuts in the development process and overlooking non-functional security aspects may save costs in the immediate term, but could ultimately be a false economy.
To better understand how to fix security issues, we first need to understand the challenges that come with designing and manufacturing products that don’t have ‘traditional’ security controls.
- Cost – When systems are designed with low-cost components, the addition of security features may increase the cost of the devices.
- Performance – IoT devices typically have minimal memory, storage and processing power. Adding security capabilities such as encryption and authentication may compromise system performance to the point that the device is unusable or cannot perform its primary function.
- Interface – Many connected devices have limited user interfaces, and the systems are not supported in the same way as they would be in an enterprise. This poses problems when errors occur or systems can’t be updated or patched.
- Software design and maintenance – The software within IoT devices typically uses different programming languages which, if the software is poorly architected, do not provide the same protections as more modern languages. Additionally, update cycles and device lifecycles are longer, and updates may not be installed at all, which can leave a device exposed to vulnerabilities.
The software that is embedded in the hardware and which runs the ‘things’ isn’t subject to the same update cycles as software in PCs and mobile devices. If a user can’t update the software for their smart refrigerator, and a vulnerability is detected, fixing the problem may not be straightforward. When devices are unpatched, vulnerabilities can be exploited to gain access to data or even track user behaviour. And making one small change could have big implications for the devices’ functionality.
Building security in
Software security needs to be a fundamental part of the design process and should be a primary concern along with the cost, reliability and usability of the product. Security needs to be built in from the start rather than considered as an ‘add on’ at later stages of development, which can create challenges related to the performance and usability of a product.
This starts with threat modelling: identifying and addressing the security risks associated with a system, tracing those risks through to the development and verification of security controls, and finally performing penetration testing – looking for vulnerabilities that a hacker could exploit. All of these activities are done to identify security risks, and make informed decisions on where to most effectively deploy development resources.
During the development process, there are two key areas to focus on. The first is to remove any unnecessary functionality, which reduces the attack surface. The second is to ensure that a secure update mechanism is in place so that organisations can respond to vulnerabilities once a system is released.
This all requires the support of the executive leadership; a top-down approach within an organisation is essential in ensuring that these processes and best practices to shore up security aren’t overlooked in favour of speeding up time to market or reducing costs. In an increasingly web-connected world, it’s time to step up security measures to ensure that the IoT era can reach its full potential.
Dan Lyon is Principal Consultant, Cigital
Siemens: Providing the First Industrial 5G Router
Across a number of industry sectors, there’s a growing need for both local wireless connectivity and remote access to machines and plants. In both of these cases, communication is, more often than not, over a long distance. Public wireless data networks can be used to enable this connectivity, both nationally and internationally, which makes the new 5G network mainframe an absolutely vital element of remote access and remote servicing solutions as we move into the interconnected age.
Siemens Enables 5G IIoT
The eagerly awaited Scalance MUM856-1, Siemens’ very first industrial 5G router, is officially available to organisations. The device has the ability to connect all local industrial applications to the public 5G, 4G (LTE), and 3G (UMTS) mobile wireless networks, allowing companies to embrace the long-awaited Industrial Internet of Things (IIoT).
The router can be used to remotely monitor and service plants and machines, as well as control elements and other industrial devices, via a public 5G network, flexibly and with high data rates. This is something that has been in incredibly high demand after being teased by the leading network providers for years.
Scalance MUM856-1 at a Glance
- Scalance MUM856-1 connects local industrial applications to public 5G, 4G, and 3G mobile wireless networks
- The router supports future-oriented applications such as remote access via public 5G networks or the connection of mobile devices such as automated guided vehicles in industry
- A robust version in IP65 housing for use outside the control cabinet
- Prototypes of Siemens 5G infrastructure for private networks already in use at several sites
“To ensure the powerful connection of Ethernet-based subnetworks and automation devices, the Scalance MUM856-1 supports Release 15 of the 5G standard. The device offers high bandwidths of up to 1000 Mbps for the downlink and up to 500 Mbps for the uplink – providing high data rates for data-intensive applications such as the remote implementation of firmware updates. Thanks to IPv6 support, the devices can also be implemented in modern communication networks.
Various security functions are included to monitor data traffic and protect against unauthorised access: for example, an integrated firewall and authentication of communication devices and encryption of data transmission via VPN. If there is no available 5G network, the device switches automatically to 4G or 3G networks. The first release version of the router has an EU radio license; other versions with different licenses are in preparation. With the Sinema Remote Connect management platform for VPN connections, users can access remote plants or machines easily and securely – even if they are integrated in other networks. The software also offers easy management and autoconfiguration of the devices,” Siemens said.
Preparing for a 5G-oriented Future
Siemens has announced that the new router can also be integrated into private 5G networks. This means that the Scalance MUM856-1 is, essentially, future-proofed when it comes to 5G adaptability; it supports future-oriented applications, including ‘mobile robots in manufacturing, autonomous vehicles in logistics or augmented reality applications for service technicians.’
And, for use on sites where conditions are a little harsher, Siemens has given the router robust IP65 housing: it’s “dust tight”, waterproof, and immersion-proofed.