The Internet of Everything and the built environment: the changing threat landscape
Martin Lee, technical lead threat intelligence, CISCO, explains why smart buildings bring a new range of potential vulnerabilities that need management and mitigation.
CISCO defines the ‘Internet of Everything’ as “bringing together people, process, data, and things to make networked connections more relevant and valuable than ever before - turning information into actions that create new capabilities, richer experiences, and unprecedented economic opportunity for businesses, individuals, and countries”. But as well as bringing opportunities, it also changes the threat landscape.
The Internet of Everything is being created through continuing technical advances. Computers are getting smaller and more powerful in terms of functionality, yet draw less electrical power. These features, coupled with the ubiquity of WiFi, 3G, 4G and mesh networks, mean that small computing devices can be embedded within the most mundane devices that previously operated autonomously, like a toaster or copy machine, and connect them to the Internet. These devices can then report on local conditions to a central server that understands the wider environment, and receive instructions on how to modify their operation to achieve maximum efficiency.
The implication is that these devices can deliver just the right amount of service when required and switch off, or deliver reduced service, when they are not required. This can result not only in an improved level of service, but in decreased waste through improvements in efficiency, which in turn reduces carbon emissions and operating costs. These devices are going to drive better management of energy in the built environment. Networks of sensors and actuators working together with a central management server will form a ‘smart building’ that reacts to the external environment and to the activities taking place within the building. Unlike many technological innovations, smart buildings are unlikely to have the ‘wow’ factor that drives uptake. It is far more likely that the integration of smart building technology into the office will be incremental, driven by proven energy efficiencies and a clear return on investment to landlords.
Information processing takes place primarily within buildings. For many years security professionals have deployed and audited procedures and equipment to assure the integrity of buildings so that only authorised individuals have access. However, the deployment of networked devices controlling heating, cooling, ventilation, water supply, etc. within a building exposes a new range of potential vulnerabilities that need management and mitigation.
Permanent damage can be caused to information systems if the data centre air conditioning is disabled. Equally, a faulty sensor or actuator can cause a cistern to be constantly replenished even though it is already full, and water dripping from the overflow can wreck electronic equipment. Additionally, an office without water and functional washrooms is one where the workforce cannot operate without breaks.
We’ve recently seen attackers launch denial of service attacks against financial services organisations in an apparent attempt to occupy and distract security teams while more sophisticated attacks to compromise systems are undertaken. We can envisage the scenario where poorly protected environmental control systems that have not been subject to any security oversight are compromised by an attacker who switches the air conditioning to full heat and waits for the security operations team to take a break to cool down before launching an attack on sensitive systems.
Attackers may be able to send fake sensor readings to a server, send unauthorised commands to an actuator, or simply take control of the command system. We can be certain that vulnerabilities will be discovered in the software contained on these devices that will need patching. But who will be responsible for patching these systems, and how quickly will this be performed? These risks will require policies, procedures and mitigations to manage the risk to an acceptable level.
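As an added illustration of the three failure modes described above (a stuck sensor or actuator, spoofed readings, and commands from an unauthorised source), the following check, written for this article and not Cisco's code, runs simple plausibility and provenance rules over a constructed minute-by-minute telemetry sample; the thresholds, device names and the "bms-core" source identifier are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed thresholds for a small office: tune per building and sensor type.
MAX_TEMP_STEP_C = 2.0       # largest plausible room temperature change per minute
CISTERN_FILL_TIMEOUT = 5    # minutes a fill valve may run while the tank reports "full"
TRUSTED_COMMAND_SOURCES = {"bms-core"}  # hypothetical building management server id


@dataclass
class Reading:
    minute: int
    temp_c: float               # data-centre room temperature sensor
    cistern_full: bool          # washroom cistern float switch
    fill_valve_open: bool       # state reported by the fill actuator
    setpoint_cmd_source: Optional[str]  # who issued a setpoint change this minute, if anyone


def check_telemetry(readings: List[Reading]) -> List[Tuple[int, str]]:
    """Return (minute, alert) pairs for readings that are physically implausible,
    show a sensor/actuator disagreement, or carry a command from an untrusted source."""
    alerts = []
    prev_temp = None
    filling_while_full = 0
    for r in readings:
        # 1. Physical plausibility: a room cannot change temperature this fast,
        #    so a large step is either a broken sensor or a forged reading.
        if prev_temp is not None and abs(r.temp_c - prev_temp) > MAX_TEMP_STEP_C:
            alerts.append((r.minute, f"implausible temperature jump {prev_temp}->{r.temp_c}"))
        prev_temp = r.temp_c
        # 2. Cross-check sensor against actuator: a valve that keeps running while
        #    the tank reports full is the overflowing-cistern failure mode.
        if r.cistern_full and r.fill_valve_open:
            filling_while_full += 1
            if filling_while_full == CISTERN_FILL_TIMEOUT:
                alerts.append((r.minute, "fill valve open while cistern reports full"))
        else:
            filling_while_full = 0
        # 3. Command provenance: only the management server may change setpoints.
        if r.setpoint_cmd_source and r.setpoint_cmd_source not in TRUSTED_COMMAND_SOURCES:
            alerts.append((r.minute, f"setpoint command from untrusted source {r.setpoint_cmd_source}"))
    return alerts


def constructed_sample() -> List[Reading]:
    """Ten minutes of constructed telemetry with one spoofed reading at minute 3,
    a valve stuck open from minute 5, and a rogue setpoint command at minute 6."""
    temps = [21.0, 21.2, 21.1, 34.0, 21.3, 21.2, 21.4, 21.3, 21.5, 21.4]
    return [Reading(minute=m, temp_c=t, cistern_full=m >= 5, fill_valve_open=m >= 5,
                    setpoint_cmd_source="laptop-guest" if m == 6 else None)
            for m, t in enumerate(temps)]
```

Running `check_telemetry(constructed_sample())` yields four alerts: the spike into and out of the spoofed reading, the rogue command, and the stuck valve once its timeout elapses.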
Security professionals are constantly seeking to reduce the scope of security audits. However, as the Internet of Everything permeates the built environment, we need to start considering the wider environment as part of the scope of the security analyses to ensure that the security goals of the smart building devices are compatible with the security goals of the organization that occupies the building.
Not every smart building will necessarily require state of the art defences to protect its networked devices, but information security professionals need to be aware of the possibility that there may be vulnerable devices controlling the building environment and services. Security pros need to know the right questions to ask landlords to ensure that the security of the building control systems meets the needs of the information processing taking place within the building. As an industry we need to start thinking about the security implications of the Internet of Everything, because one thing is for sure: sooner or later these systems will come under attack.
The 2013 European Computer Audit Control and Security (EuroCACS) / Information Security and Risk Management (ISRM) Conference will take place at Hilton London Metropole on 16-18 September 2013.
Date: 15th August 2013 • Region: World • Type: Article • Topic: BC: facilities and buildings