Today we are seeing the rise of Internet of Things or IoT whereby literally billions of devices are increasingly being connected to the Internet, and sharing the information and data they collect. These could be simple devices like a thermostat or light bulb, or more complex devices like CCTV cameras and so-called smart bins.
This inter-connectedness and ability to share information can bring intelligence and efficiency that could not have been imagined in the past. Today, buildings can optimize their performance to ensure they are meeting not only the requirements of the occupants in terms of comfort and security but also they meet mandatory environment or legal requirements. No longer it is necessary for the council to send trucks around daily or multiple times a day to empty rubbish bins because the bins can hold more rubbish (or recycling) thanks to an integrated compactor. When it approaches the full mark, it contacts the local council to advise that it needs emptying. These are two simple examples of how connectedness and intelligence help improve performance and efficiency.
There is, however, a downside to this increasing level of connectedness, and this relates to security. With the explosion of devices that are now being interconnected along with the sensitivity of many of these devices, there is a need to ensure that these devices are being connected with a high degree of security.
For an example of what could possibly go wrong when the bad guys are able to take advantage of exploits in an IoT environment, look no further than the movie Die Hard 4.0 starring none other than Bruce Willis. While somewhat dated today, the movie illustrates what could potentially happen should attackers are able to take control of buildings and critical infrastructure such as traffic control systems.
While this movie may seem fanciful in its portrayal of what capable hackers could potentially accomplish, it is important to understand that security comprises a series of counter-measures to reduce or mitigate both the likelihood of an attack and the severity thereof. While it may seem like commonsense, there are many common or routine tasks which are required to improve security that are still not being implemented. Let’s take a look at a few of these.
- Change default usernames and passwords: Most, if not all devices, have default usernames and passwords that can easily be found by a child using a search engine. Default passwords should be changed immediately, and even better is to also change, delete or disable the default username as well.
- Don’t share passwords: Every user of a system should have their own username and password. This ensures that when that user leaves the organization, their account can simply be disabled or deleted and there is no need to change the shared account details for every system the user had access to (which in reality just doesn’t happen).
- Use strong authentication: Using strong passwords that have a reasonable length with a combination of letters, numbers and special characters, and don’t include dictionary words which ensures that passwords can’t be easily compromised. Better yet is to use digital certificates with the keys that are generated within a token or device which not only delivers strong authentication but also provides non-repudiation.
- Use centralized authentication: Using a centralized authentication system such as Active Directory, RADIUS or LDAP simplifies the process of managing user information as there is a single system that needs to be administered instead of multiple systems.
- Restrict access: Access to systems should be restricted to the minimum level that is required for a user to perform the tasks they need to perform. In addition, firewalls should be used to segregate and isolate systems so that an issue or attack on one system is less likely to impact other systems.
- Integrate redundancy: Redundancy should be integrated to ensure the system continues to operate in the event of a failure or attack. In many cases, the cost of lost business is far greater than the additional cost of redundancy.
- Don’t forget physical security: Security is about layers and one of those layers is physical access. If an attacker can obtain physical access to a system, their task will be made simpler so be sure that physical access is only available to those that need it.
- Maintain backups: From time to time, things will go wrong, and when this happens, it’s important that you have a backup that is off-line and stored in a different physical location.
While these steps may seem simple and common-sense, there are many IoT systems today where the level of security in use leaves much to be desired. There are many additional things that can be implemented but ensuring that each of the above steps is undertaken will go a long way toward improving the security of systems that are deployed today.
By- Scott Penno – Regional Marketing Manager, APAC, Allied Telesis