Canadian Underwriter

Companies urged to ‘consider the risks’ of non-computing devices connected to global networks


November 21, 2014   by Canadian Underwriter



The number of cars, industrial control systems and other non-computing devices connected to a global computer network is growing. Some of these devices are sold without “thorough security and functional testing” and are therefore “easier targets” for criminals than personal computers, yet most corporate information technology departments “are not responsible” for managing the security of such devices, IBM Corp. warned in a recent report.

On top of that, there are 1950s-era industrial control systems that have no “inherent” Internet Protocol capability yet still connect to the public Internet through gateways, noted researchers from IBM’s X-Force research group, which studies computer security.


IBM’s X-Force Threat Intelligence Quarterly, 4Q 2014 includes a section on the “Internet of Things,” or IoT, which encompasses a broad range of devices such as cars, medical devices, home automation systems and industrial control systems.

“The latest trend is to connect anything with computing power to the Internet, including vehicles, implantable medical devices, and smart utility meters,” IBM reported. “Even objects that traditionally haven’t been computerized, such as household appliances, toothbrushes and drinking cups are being instrumented and connected.”

Computerized devices “connect to a local network, then to a global network — usually the Internet,” Armonk, N.Y.-based IBM stated in the report, adding there are exceptions, including some industrial control systems and secure government computer networks.

“Traditional” computing devices, including mainframes, servers, desktops, laptops, routers and switches “all connect to local networks (although service provider devices may be connected directly to the Internet),” IBM stated. “Malicious actors intent on taking control of data, identities and passwords have been investigating and making use of Internet-connected devices that are not securely developed, making them easier targets than PCs, laptops or tablets.”

Eight authors contributed to the Threat Intelligence Quarterly, including Chris Poulin, research strategist for IBM X-Force. That organization studies vulnerabilities in computer systems, including exploits, active attacks, viruses and other malware, spam, phishing and malicious web content.

“It’s critical now, more than ever, for organizations and the employees utilizing this nascent technology to consider the risks as they connect to the enterprise safety zone,” the X-Force researchers said of IoT. “Most IT departments, however, aren’t responsible for managing the physical security of these ‘things,’ and this could signal a holistic shift in how all aspects of security are managed within the enterprise.”

Quoting a forecast from Framingham, Mass.-based International Data Corp., IBM noted IoT will represent 30 billion connected “things” by 2020, up from 9.9 billion last year.


IBM X-Force recommends several security measures for IoT devices, including strong authentication and access control.

“When users access the data on ‘things’ or control them — usually through a cloud service from the user’s mobile device — it’s crucial to ensure that the user is who he or she claims to be,” IBM advised. “You wouldn’t want a thief to be able to unlock and start your car with a simple username and password, especially considering the recent spate of credential compromises and the knowledge that most users choose simple passwords.”

X-Force referred to SplashData’s list of the 25 “worst” passwords of 2013. That list includes passwords which are said to be easy to guess but commonly used, such as “password,” 123456, qwerty, 111111, letmein and trustno1.

Non-computing devices can also have software bugs that can be exploited by hackers.

“Hardware manufacturers are often not experts in software development, including web applications that may reside on the ‘thing,’ or exist as a cloud portal and mobile apps,” IBM warned. “Manufacturers of ‘things’ are coming up with new product ideas every day and may rush their products to market without implementing a security development lifecycle or conducting thorough security and functional testing.”

There is a wide variety of industrial automation systems, IBM reported.

Some Supervisory Control and Data Acquisition (SCADA) systems “are embedded beneath concrete in plant floors, buried there as long ago as the 1950s – that they don’t have inherent (Internet Protocol) connectivity, but are connected to the Internet through IP gateways.”

Other SCADA systems can be “controlled over a dial-up line by an operator console that may be segmented from the rest of the IT network, with no Internet connectivity or ability to control the SCADA system from outside the factory network,” IBM reported. “In contrast, newer industrial control systems are built on general-purpose operating systems, such as Windows and Linux and are designed to be connected to an IP network.”

