|Companies need to increase the knowledge within their business on the range of cyber-vulnerabilities|
At one time, embedded devices, such as access control components communicating with application software, used proprietary protocols like RS485. Use of proprietary protocols kept these devices safe from attack. However, in this article TDSi Technical Director Mike Sussman explains that the growth of the Internet of Things (IoT) involves a move toward IP-based systems and open standards that leaves modern systems, including embedded devices, more likely to be targeted by a wide range of criminals.
Cyber-attack ‘s impact on IoT devices
So, what exactly are the vulnerabilities and impact on cyber-attacks on IoT devices? Let me give you one example. In a typical access control system, if someone tries to enter an invalid PIN more than four times, then the reader would be locked and an event raised upon which action can be taken. What about invalid passwords when logging in to an embedded system? I bet that the majority of systems will let you keep trying without any preventative shutdown measures in place. With the power of modern computers, it wouldn’t take too much to run a brute force attack to obtain the password and therefore gain access to the device. In fact, at the recent Mobile World Congress, a leading security expert used a brute force attack to gain access to poorly protected CCTV cameras. You might say that this doesn’t impact security; however, if I were to say that one camera was in a primary school and another monitoring retail tills and payment terminals, would this change your mind?
Is security industry prepared for breach in cybersecurity?
Adoption of policies such as Cyber Essentials, a key Government requirement for those supplying them, as well as increased security policies such as ISO27001 and membership of bodies such as the Cyber-security Information Sharing Partnership (CiSP) should be the norm for anyone working within the security field
Do we, as an industry, address these issues? I’d say that at the moment very few companies are addressing this level of detail (but I bet some will now!). The industry is changing, and there is a lot of focus on identity fraud and preventing physical access to buildings; however, we now need to look at what can happen when people take over the access control system remotely – open doors (or even lock personnel inside). It is fairly easy to utilise “off-the-shelf” embedded processing boards and build an embedded device with no security. Unless you work within the security field you might not even think of these threats and just concentrate on the application.
Ways to tackle cyber-threats
So how do we address this? Companies need to increase the knowledge within their business on the range of cyber-vulnerabilities and keep abreast with what is happening within the threat landscape. Adoption of policies such as Cyber Essentials, a key Government requirement for those supplying them, as well as increased security policies such as ISO27001 and membership of bodies such as the Cyber-security Information Sharing Partnership (CiSP) should be the norm for anyone working within the security field. Unfortunately, this is not the case.
All companies should increase their cyber knowledge and ensure that there is a security specialist within the development teams. Increased testing of embedded devices through the likes of penetration testing also helps to identify vulnerabilities and, once resolved, increases security.
These are interesting times, and even more challenging than in the past because the attack landscape is constantly evolving. As an industry, we need to work together to share knowledge and experience that will keep us one step ahead of the attackers.