In a continuation of our prior post, RSM will delve into the middle market’s view on Gartner’s cyber security predictions for 2016 and 2017. Today’s article will focus on the first of the major security trends identified as having the most impact on business over the next two years: the Internet of Things (IoT).
For those unfamiliar with the concept, IoT refers to the seemingly simple concept that soon all manner of formerly “dumb” devices will soon incorporate cheap, reliable network connectivity. Examples of this concept already surround our daily lives such as home automation products that control heat and power, refrigerators that can automatically identify when some type of produce is running low and can automatically order more, and devices that can adjust water and light exposure for home gardens. While these examples are becoming commonplace for our personal lives, the most significant aspect of this trend will affect businesses.
Imagine a world where equipment can monitor its own performance and maintenance, and then automatically adjust to what it sees. It can call for repairs if needed or alert if there is an issue with the quality of the materials being produced. Groups of “smart” devices can communicate with each other and make automated decisions on overall changes in behavior of the production systems in order to maintain throughput. Sensors built into building can alert on changes in structural integrity, moisture, heat, or any number of conditions. Retailers can efficiently track how products are shipped and purchased. In the simplest terms, entire areas of business that were previously “black boxes” will not be visible and adjustable. This obviously has benefits as well as potential dangers, which is the core of Gartner’s prediction:
Worlds Collide: Fueled in part by recent unfathomable growth in the Internet of Things (IoT) arena, Gartner predicts 2016 will usher in a new era of cyber security in which boundaries and delineations between the digital and physical worlds increasingly converge, requiring a fundamental rethinking of the traditional cyber security model that focused only on ensuring the confidentiality, integrity, and availability of data—new models will require incorporation of physical safety considerations around both people and environments.[i]
To summarize Gartner’s point, we are quickly approaching a time in which a cyber-attack can affect the physical world. Hackers could shut down production lines or instruct the systems to damage themselves. Attackers could re-route shipments, change HVAC or hydraulic settings, or mangle inventory data. Where a data thief previously had to steal the documented intellectual property related to a delicate manufacturing process, now they can simply reverse engineer that IP by reading the sensors embedded within the related equipment. Most importantly, we are now at a point in time where it is plausible that a cyber attacker could kill someone via manipulation of safety or operating parameters of equipment or vehicles.
So how do mid-market organizations move confidently into this new, inevitable era? Our recommendations include:
- Segmentation – First and foremost, as organizations incorporate “smart” devices into their environment they should plan to restrict how these systems can communicate with each other and with the rest of the network as a whole. When possible, deploy these assets into areas of the network that are isolated in that they can only talk to each other and all communications to the broader environment are strictly controlled. This will help prevent situations in which a compromise of the broader environment will allow an attacker access to the smart devices, or compromise of the devices will provide an entry for the attacker to the broader environment.
- Egress and Ingress Controls – Unless it is absolutely necessary these new devices should not be exposed directly to the Internet. Companies should make every attempt to place firewalls or other solutions in front of these devices in order to control inbound and outbound traffic. Attackers are now purposefully trying to find networked devices that they can compromise remotely and then using these systems as an entrance into the corporate environment. Setup firewalls to allow the devices to communicate only to known safe IP addresses using only approved ports and protocols.
- Understand Device Behavior – Organizations must be aware of how these networked devices will communicate with other systems and third parties. Many of these new systems are configured to “phone home” to their manufacturers for a variety of reasons (e.g. checking for updates), but this behavior is often poorly documented and communicated. This creates a situation where an organization has devices inside of its network communicating with 3rd parties without their knowledge. This has led to situations in which attackers have compromised the 3rd party and used this access to enter client environments, examples in which the 3rd parties have pushed system updates without warning resulting in service interruptions or system damage, and examples of 3rd parties using these devices to gather exorbitant amounts of data on the client environment (aka. “spying”) without the client being aware. Organizations should not deploy networked devices within their environment until they understand how the systems will behave and how it communicates with 3rd parties.
- Understand Device Maintenance – Similar to the above point, organizations should not deploy these devices until they understand how they can be safely configured and maintained. A systemic issue within the IoT field is that of devices being deployed that cannot be patched or hardened. If a security issue is identified within the device, the customer must simply accept it. Organizations should confirm with the manufacture that the device could be patched and maintained over time and that default accounts can be removed or changed.
- Understand Inter-Device Communication – Organizations should investigate and understand how these devices interact with other systems. The most common issues found within this area is that the systems talk over insecure protocols that are easy to intercept and manipulate, and that the communications are accept without the device validating that they are from a valid source. In these situations, an attacker could alter a valid message (e.g., change a critical warning from a machine sensor to say that everything is safe) or send malicious messages to a device which the device accepts without question. (e.g. telling a device to shut down a piece of machinery) Companies should validate with the manufacturers that these devices communicate using security protocols and have some valid method of authenticating messages.
- Understand Liability – For organizations that want to deploy networked devices that will interact with customers (e.g. devices customers deploy in their homes, devices in stores that track customer behavior, devices deployed in other companies to monitor equipment, etc.) a risk analysis must be performed to fully understand the liability this could entail. If the device could be compromised and allow an attacker into the customer environment or allow theft of customer data, the financial repercussions could be significant.
Watch for our next blog post, which will cover the next 2016-2017 Cyber Security prediction, Software Defined Security.