The news has been filled lately with stories on new types of devices being hacked. From GPS to cars to baby monitors, all sorts of strange devices are being hacked and taken over by cybercriminals. In addition, the advent of malware such as Stuxnet and Flame has proven that SCADA systems are vulnerable to attack, meaning our critical infrastructure isn’t as secure as we once imagined it to be.
We often forget that the Internet of Things isn’t about consumer devices and critical infrastructure only – the enterprise faces myriad risks on a daily basis.
Unfortunately, BYOD is drowning the enterprise – clever devices with not-so-clever security are attaching to the enterprise network daily, posing a very real risk. According to Jayson O’Reilly, director of sales and innovation at DRS, although most harm caused these days is digital, the threat of physical harm is not far off.
“One only needs to imagine the potential consequences of attackers taking over an airport’s air traffic control, or a country’s water supply. There are very real consequences.”
These potential consequences mean that our thinking around security needs to be adjusted. The Internet of Things is driving new security concerns that need new measures to make the Internet safe, he says.
A major issue faced by embedded systems and machine-to-machine (M2M) is the crossing over of physical and logical security, as a vulnerability in the one could possibly affect both. Cyber security depends a lot on physical security, as threat actors who can gain physical access to a machine can in almost all cases use that access to further their nefarious aims.
Any device that plugs into the network must be protected to ensure that it cannot be used as a conduit for further malicious activity, explains O’Reilly. Businesses must bear in mind that, over and above a business’s sensitive data, a compromised network allows access to all other security controls, such as video cameras and access controls.
“The blurring of these boundaries, and the addition of systems to the IT infrastructure, is making the lines of what is or is not a targetable asset unclear. However, what is clear is that what must be protected goes way beyond information. Physical systems must be safeguarded too.”
He says this is where forensics and situational awareness come in – everything needs to be tracked and monitored, and how each system works must be clearly understood, particularly how it relates to other systems.
A proper security plan must be in place, and designed holistically. A team dedicated to governance and organisation that is responsible for the overall design and implementation of policies and procedures is a big help, says O’Reilly.
Businesses must ensure that the needs of all departments and all stakeholders are met, and that any security protocols and measures have the flexibility to be managed across the various silos, without impacting on efficacy.
There is no doubt that the integration of physical and logical security domains will lead to better all-round security for any business, he stresses. “A good starting point is to ask several questions, such as what the most important information and assets for protecting are, where they are located, and how security can be built around them.”
Combining logical and physical security processes and tools reduces complexity in the management of the security infrastructure, and at the same time dramatically increases an organisation’s visibility into its resources – making the detection of problems far easier. It also helps prevent security incidents, and offers a platform to better respond to and mitigate any incidents that do occur, he concludes.