The machines are talking to each other. Are we sure who's listening?
As more and more machine-to-machine (M2M)-enabled devices are embedded into just about every object imaginable, it only takes one determined hacker to create a whole lot of trouble.
Though there is little reason to suspect that individual manufacturers are being targeted for attack, the increasing use of connected devices inside plants and along supply chains creates the potential for M2M security lapses, experts say. And without close attention to security, the vulnerabilities can be exposed at great cost.
Manufacturers use M2M technology to enable a device or piece of equipment to communicate to another machine or person potentially anywhere along the supply chain. "The surface area for attack is huge," said Stuart McClure, founder and CEO of Cylance Inc., an Irvine, Calif.-based cybersecurity startup.
More on M2M
Find an introduction to M2M technology
Learn about cloud's role in M2M
"If I was an adversary, I would attack the supply chain of Siemens or Honeywell or one of the other major manufacturing platforms and just go to town," McClure continued. "It would be so simple."
Vulnerabilities could be introduced into the source code tree, he said. From there, hackers could exploit the device in the field or inside the manufacturer. Or they could "trigger patching to make sure it includes back doors," he said. "There are a lot of different ways to get in."
In the worst-case scenario, truck fleets could be rerouted, conveyor belts could be jammed, chemicals could be mixed and gasses could be over-pressurized.
The primary security issue with M2M technology is that "the devices are listening and therefore are susceptible to attack," said Tom Shafron, chief technology officer at Clear2there, a provider of M2M connectivity based in Oklahoma City. "Now you have a port open. You have vulnerability. Devices can't really be sure who's trying to talk to it and control it."
Manufacturers not only want to automate what they're doing inside their facilities, Shafron said, but they want to connect with their partners along the supply chain. Now, their processes and infrastructure are all linked together. They're notified of a delivery coming, they see it via GPS, it opens their system, the inventory management system takes over and the robots are told what to do, he explained. As these networks get more entwined, it becomes more and more difficult to mitigate an attack.
The larger-scale risk is a system-level attack, not focused on an individual manufacturer, but rather an attempt to disrupt infrastructure, Shafron said.
"Someone with bad intentions could send commands out to every device that's listening to turn on at the same time, for example," he said. "The scale of havoc that could cause could take down large amounts of infrastructure."
Determining the scale of M2M security risks
All of this isn't necessarily a cause for panic. "Just because there's a threat, doesn't mean there's a real risk to the business," McClure said. "It just depends on what kind of infrastructure they're managing with their physical devices."
"Nobody really wants to take down a Nabisco cookie plant," he said.
Security threats to M2M devices are somewhat overblown, according to Steve Hilton, principal analyst at Edinburgh-based Analysys Mason.
"Security within the M2M environment is a huge issue," he said. "People spend a lot of time and money trying to prevent these kinds of things from happening, just as they would with any IT solution. They'd be foolish if they didn't."
But Hilton thinks of M2M technology's security risks are the same as any other type of IT. "We know how to secure things in the IT world," he said. "But hacker types are bizarre people and can be remarkably persistent looking for chinks in the armor. Sometimes they do it just to prove they can."
Addressing M2M security gaps
It's no time for manufacturers to rest on their security laurels, the experts agree. There are steps they can and should take to make sure their M2M capabilities are secure.
"There are really two ways to think about security: You either prevent the attack from occurring, or you throw your hands up and say, 'We're going to be hacked no matter what,' and provide immediate, real-time response capabilities," McClure said. "I tend to believe an ounce of prevention is worth a pound of cure."
Prevention starts with quality M2M vendors that have a track record for providing security, Hilton said. Next, it's important to look for vulnerabilities at each "touchpoint" -- where one piece of connected equipment touches another or where a platform touches an application. "At all of those touchpoints, there are weaknesses," he said.
To address these weaknesses, Shafron stressed that M2M devices have to be the initiators of communication. "The idea is that the infrastructure can have no open ports whatsoever," he said. "If no ports, controllers or devices are listening, there's no point of attack … no way for someone to send false protocol information out to your devices."
Unfortunately, too much of M2M technology hasn't been designed this way, he said. In this case, the connected ecosystem needs to be sitting behind an intermediary that blocks direct access to the connected devices. And that intermediary can only make outbound requests to a dedicated piece of infrastructure or server.
"Now nothing can talk directly to those devices," Shafron said. "You can be sure that the only thing that can talk to those devices is the intermediary, and it's not open to any inbound communication."
Will these measures be enough to protect manufacturers from security breaches? Shafron cautions that it's too early to be sure. "If we begin to design our systems properly now, we're going to be OK. If we wait five years from now and have tens of millions of systems open to individual points of attack, both residential and industrial, we're going to run into a situation where something bad could happen," he said.
Another key issue to remember, McClure pointed out, is that "these devices can cause physical harm … everything from being able to kill a patient with a biomedical device to killing large groups of people by polluting a water supply," he said. "There's an endless list of potential attack vectors in that world that would predicate a different look and a priority on those kinds of devices."
Hilton stressed that while there is an abundance of opportunities for hackers, businesses are ready to face them.
"We have connectivity, we have SIM cards and we have connected devices. We have applications, platforms and system integration services," he said. "But we also have security and audit services. And we have business continuity and disaster recovery too. We've gotten used to these things and found ways to mitigate the risks."
Follow SearchManufacturingERP on Twitter @ManufacturingTT.