Reading an article published by Hydrocarbon Processing, I was struck by the statement made by Mr. Touhill, the Deputy Asst. Secretary, cyber security operations and programs, at the US Department of Homeland Security.
“Cyber security is not a technology issue, it’s a risk management issue,” said Mr. Touhill. “It permeates throughout every part of your company. It’s particularly important for industrial control systems, many of which are older systems that are not designed with built-in cyber security systems.”
I believe that this statement is true. After all, everything to do with security is all about risk. If you decide to keep your money under a mattress instead of in a bank, you have decided to live with a certain amount of risk: that of being robbed or your money being destroyed in an accident (e.g. a fire).
With the older systems that are connected and not designed with security in mind, you have to do your best, understand the risk, and mitigate where possible. But it is not just the older systems that are at risk. Even the most modern products are vulnerable.
On the Huffington Post I ran across this article, More Safeguards Required To Protect Cars Against Hacking Attacks: Report. This article talked about how car manufacturers had inadequate features to protect against hackers taking over software controls of a car and consequently taking over the operation of a vehicle. The manufacturers were even unaware of or unable to report on past hacking incidents. Considering part of Mr. Touhill’s framework to combat cyber attacks is “Detection”, they are not even at stage one of preventing cyber attacks. These are the latest and greatest products that these manufacturers produce. Very modern, and yet they still have security holes. This does not give me any desire to have a “connected” car for myself.
But I thought maybe things have improved on the home front. How about those devices that allow you to monitor and control your home? Nope, no improvement since I last blogged. Check out this article from The Register, Internet of Thieves All that shiny home security gear is crap, warns HP. The title says it all. If you can monitor and control your house from the internet, chances are that so can anyone else.
The HP blog that was quoted in The Register, appropriately called IOT is the Frankenbeast of Information Security, certainly got me wondering. The first sentence, “It seems that every time we introduce a new space in IT we lose 10 years from our collective security knowledge”, really points out the problem. We get distracted by the new shiny thing. And we forget past lessons learnt.
This is true. I started my career in banking systems, and other people’s money had to be kept safe. Security was paramount; we even had procedures in place that said that in case of a fire the first thing we had to do was to lock up our paper code printouts (yes I am that old, back then paper was king – remember green bar paper) along with our design documents. Then we were allowed to vacate the building in a normal manner. Security was designed into the operating systems, the software, file access user ids, etc. And then the PC came along, and everything changed or was forgotten. Security was not given a thought. And we still seem to be having problems with security and data going missing. It seems that people are always leaving equipment, disks, or flash drives around where they shouldn’t, let alone cyber attacks.
So what do I take away with me from all this activity (apart from sometimes wishing that I was back when everything was not connected)? A belief that cyber attacks are a fact of life and will continue to be so. Thus we need to:
- Decide what information is important, and what systems are important to your organization. After all “all things are not equal”.
- Design and implement the security around those important systems and information.
- Decide what is an acceptable amount of risk for your organization.
- Keep your systems up-to-date. Manufacturers and software providers are continually trying to improve security of their products. Look at the number of security patches everyone has to apply to smart phones and other devices. Follow the recommended guides and procedures (e.g. change the default passwords).
- Don’t assume that all manufacturers’ equipment is secure against cyber attacks.
- Have procedures in place to mitigate a cyber attack.
- Know what to do in case of an attack. How do you protect your brand, recover operations, soothe or compensate your customers?
- Learn from the attack and close any security holes that were uncovered after the attack was investigated.
With all this going on, I still believe in the internet of things and the benefits that it will bring to us. But go in with your eyes wide open. You might just have to have an “air gap” in your landscape.
And yes, I am still interested in an Internet-enabled security system for my home, just not yet.
Use this link to read the full blog article from Hydrocarbon Processing ARC Forum
For those of you who are interested in the HP report please use this link Internet of Things Security Study: Home Security Systems Report