Security in the Age of IoT
IoT, or the “Internet of Things”, refers to the growing trend of network connectivity and shared intelligence between disparate devices. Nowhere is this more evident in our practice than in our automation and video surveillance solutions.
Historically, automation and video surveillance solutions were a luxury affordable only to an elite few. These solutions lacked intelligence and connectivity, were cumbersome to use and, most importantly, were expensive.
In the last few years, countless startup companies have pushed the envelope on price, features, interconnectivity, and ease of use, ushering in a new era of increased demand and availability. These solutions appeal not only to businesses with security or compliance requirements but, surprisingly, to consumers wanting new “smart home” features as well.
Today, these solutions provide a range of services, including automated door-lock systems, alerting for everything from leaking faucets to light and temperature control, smoke alarms, and video surveillance; they can even make your coffee for you. All of these services can be accessed from your smart devices, taking ease of use to a new level.
As many of these features are now able to demonstrate a clear ROI by reducing costs, for example with home lighting, demand is growing by leaps and bounds.
The increased interconnectivity, combined with the wealth of information shared between devices, has not come without problems. As ease of use has grown, ease of abuse has grown with it. Earlier this year, Synack tested 16 products in four categories: cameras, thermostats, smoke/CO detectors, and home-automation controllers. They found that almost all of the devices could be compromised within 20 minutes, and that they suffered from a range of problems including weak password policies, open ports, built-in backdoors, and lack of encryption.
Cameras, it turns out, are the worst offenders. Synack found that some manufacturers use obfuscation rather than encryption to send the video signal; in other words, they count on an attacker not knowing how the data is encoded to protect the feed. Obfuscation offers no protection once the scheme is known, and it only has to be worked out once. Considering the ubiquitous nature of surveillance cameras, especially their use inside our homes, it is a frightening thought that anyone could be watching us or our children at any time.
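To make the obfuscation-versus-encryption point concrete, here is an added example (not code from the article or from any vendor's firmware) of why a "scrambled" camera feed is readable by anyone who captures it. The scrambler is assumed to XOR every frame with a fixed key the attacker does not know; the key, the frame payloads and the MJPEG framing are constructed for illustration. Because every JPEG frame starts with the same fixed header bytes, a known-plaintext attack on a single frame recovers the key, and that key then unlocks every frame that follows (and every other camera shipped with the same key).

```python
"""Obfuscation is not encryption: a 'scrambled' camera feed that XORs each
frame with a fixed key falls to a known-plaintext attack.
Added example, not from the page; key, frames and scrambler are constructed."""
from itertools import cycle

# Constructed: the fixed obfuscation key baked into a hypothetical camera
# firmware. The attacker never sees this value directly.
_DEVICE_KEY = bytes.fromhex("5a3c9e17e4")

# Every MJPEG frame begins with the JPEG SOI marker and a JFIF APP0 header.
# That fixed prefix is the "known plaintext" the attack relies on.
JPEG_HEADER = bytes.fromhex("ffd8ffe000104a464946")  # FF D8 FF E0 00 10 'JFIF'

# Constructed sample frames: real header, made-up pixel payload.
FRAMES = [JPEG_HEADER + b"frame-%d-pixel-data" % i for i in range(3)]


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR as a naive 'scrambler' applies it (symmetric)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# What an eavesdropper on the LAN or the cloud relay actually captures.
SCRAMBLED = [xor_obfuscate(f, _DEVICE_KEY) for f in FRAMES]


def keystream_from_known_prefix(scrambled_frame: bytes, known_prefix: bytes) -> bytes:
    """ciphertext XOR known plaintext = the key bytes used at those positions."""
    return bytes(c ^ p for c, p in zip(scrambled_frame, known_prefix))


def guess_key_len(scrambled_frame: bytes, known_prefix: bytes):
    """Smallest period at which the recovered keystream repeats.
    Needs at least two periods of known prefix, else returns None."""
    stream = keystream_from_known_prefix(scrambled_frame, known_prefix)
    for n in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return None


def recover_key(scrambled_frame: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext attack: one captured frame plus the fixed JPEG header."""
    n = guess_key_len(scrambled_frame, known_prefix)
    if n is None:
        raise ValueError("known prefix too short to see the key repeat")
    return keystream_from_known_prefix(scrambled_frame, known_prefix)[:n]


def recover_feed(scrambled_frames, known_prefix: bytes = JPEG_HEADER):
    """One frame's header gives the key; the key then decodes every frame."""
    key = recover_key(scrambled_frames[0], known_prefix)
    return [xor_obfuscate(f, key) for f in scrambled_frames]


if __name__ == "__main__":
    key = recover_key(SCRAMBLED[0], JPEG_HEADER)
    print("recovered key:", key.hex(), "matches device key:", key == _DEVICE_KEY)
    for frame in recover_feed(SCRAMBLED):
        print(frame[len(JPEG_HEADER):].decode())
```

The attacker needs nothing secret: only captured traffic and the public JPEG format. A longer key only means using more known structure (the rest of the JFIF header, quantization tables, repeated frame-to-frame content) before the period shows up. Real protection is a per-session random key under an authenticated cipher, which in practice means carrying the stream over TLS or SRTP rather than inventing a scrambler.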
Overall, the demand for these products is outpacing both their security and the standards that should govern them. The industry has yet to develop a basic set of standards to protect consumers and businesses alike. We must view these systems as an extension of our computers and networks, and demand the same level of accountability from the manufacturers; otherwise we risk the greatest of threats to our safety and privacy.
Despite the inherent insecurities in some of these solutions, there are several things we can do to implement them securely.
• Deal only with reputable manufacturers that stand behind their products. Reputable vendors actively address vulnerabilities by publicly acknowledging them and releasing patches to address them.
• Regularly check for updates to your equipment. This is part of the lifecycle cost of owning and using your devices; it cannot be ignored. If you feel the manufacturer is not responding to known threats or vulnerabilities, contact them. If that doesn’t work, take your issue to Twitter, and if they still don’t respond, replace that system and avoid doing business with that vendor in the future.
• Scan your networks. Regular risk assessments are a requirement for most compliance regulations for a reason. Your network is a dynamic entity that can change from day to day. Regular risk assessments are critical in identifying risks in this ever-changing landscape.
• Have your solutions installed by professionals who understand security. There are a lot of people who can turn a screwdriver and are physically capable of installing some of these solutions. What they lack though, can ultimately cost you your privacy and your sanity.
• Use secure password practices. Many installations are left using default passwords. These should always be changed, following password complexity best practices, so that only authorized individuals know them. If you acquire a building that uses these solutions, change all passwords immediately. Changing these passwords periodically is a good idea in any case and will only strengthen your security.
• Be sure to protect the points of access for your controls. If you access your system through your smart phone, be sure to employ a PIN, encryption, and if possible, remote wipe capabilities in case your phone is lost. When you replace the phone, all access to your controls must be removed from the old phone.
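The "scan your networks" and "change the defaults" items above can be turned into a repeatable check. The following is an added example, not the article's own tooling: it parses a port-scan inventory in the shape of nmap's grepable (-oG) output and reports the findings a risk assessment of an automation and camera network would look for (cleartext telnet, a management UI reachable only over plain HTTP, an unencrypted RTSP video stream, and factory default credentials still in place). The scan lines, the device credentials and the default-credential list are all constructed for the example.

```python
"""Turn a port-scan inventory of IoT devices into risk findings.
Added example, not from the page. The scan text mimics nmap -oG output but is
constructed here, as are the per-device credentials and the default list."""
import re

# Constructed: one nmap-style line per device on the automation VLAN.
SCAN_OUTPUT = """\
Host: 192.168.10.20 (cam-lobby)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 554/open/tcp//rtsp///\tIgnored State: closed (997)
Host: 192.168.10.21 (cam-dock)\tPorts: 443/open/tcp//https///, 554/open/tcp//rtsp///\tIgnored State: closed (998)
Host: 192.168.10.30 (thermostat)\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
Host: 192.168.10.40 (hub)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
"""

# Constructed: credentials recorded on the installer's sheet for each device.
DEVICE_CREDS = {
    "192.168.10.20": ("admin", "admin"),
    "192.168.10.21": ("admin", "Kx9!vR2#pL"),
    "192.168.10.30": ("admin", "1234"),
    "192.168.10.40": ("ops", "T7&mWq!4zC"),
}

# Constructed sample of factory defaults to compare against.
COMMON_DEFAULTS = {
    ("admin", "admin"), ("admin", "1234"), ("admin", "12345"),
    ("admin", ""), ("root", "root"), ("admin", "password"),
}

_HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")


def parse_scan(text: str) -> dict:
    """Map each host IP to its name and {port: service} for open TCP ports."""
    hosts = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports = m.groups()
        open_ports = {}
        for entry in ports.split(", "):
            # -oG port field: port/state/proto/owner/service/rpc/version/
            port, state, proto, _owner, service, *_ = entry.split("/")
            if state == "open" and proto == "tcp":
                open_ports[int(port)] = service
        hosts[ip] = {"name": name, "ports": open_ports}
    return hosts


def assess(hosts: dict, creds: dict) -> list:
    """Apply the checks the article's bullet list implies; return (ip, finding)."""
    findings = []
    for ip, host in hosts.items():
        p = host["ports"]
        if 23 in p:
            findings.append((ip, "telnet open: credentials and commands travel in cleartext"))
        if 80 in p and 443 not in p:
            findings.append((ip, "management UI reachable over plain HTTP only"))
        if 554 in p:
            findings.append((ip, "RTSP on 554 is cleartext: video leaves the device unencrypted unless tunnelled"))
        if ip in creds and creds[ip] in COMMON_DEFAULTS:
            findings.append((ip, "factory default credentials still in use"))
    return sorted(findings)


def run_assessment(scan_text: str = SCAN_OUTPUT, creds: dict = DEVICE_CREDS) -> list:
    return assess(parse_scan(scan_text), creds)


if __name__ == "__main__":
    for ip, finding in run_assessment():
        print(f"{ip:16} {finding}")
```

Run it against a fresh scan after every installation change and again on a schedule; a device that was clean last month can acquire a new open service with a firmware update, which is exactly why the article calls the network a dynamic entity.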
Rapidly evolving technologies, such as home automation and video surveillance are a dramatic example of the potential uses for technology, but we must be careful to understand their potential abuses. If implemented and maintained correctly, these systems have the potential to dramatically increase our ability to manage our homes and business facilities, while adding security, safety, energy efficiency and peace of mind. We all benefit when companies understand the potential as well as the liability, and have the necessary security experience to securely implement these solutions and capitalize on the opportunities afforded by this ever-evolving vision of the Internet of Things.