Cybersecurity concerns have permeated society with incidents of malicious threats, data loss and stolen information—a trend that cannot be ignored with the growing connected environment and internet of things (IoT).
For those providing physical security and integrated systems, the need for buttoned-up cybersecurity-as-a-solution is a dire necessity. As physical security combines with access and identity management, computer, building and automation systems are potentially at risk.
According to researcher Gartner Inc., the IoT is here. Gartner forecasts 14.2 billion connected things in use in 2019, with the total to reach 25 billion by 2021, producing immense volumes of data. The research group also revealed security as the most significant area of technical concern for organizations deploying IoT systems.
Requirements stack up
New rules and regulations seeking to quell the risk of open systems are cropping up everywhere. The California Consumer Privacy Act, slated to go into effect Jan. 1, 2020, includes minimum levels of security required for companies to protect personal and employee information. Other states and countries have similar laws and initiatives.
Some five years ago, the National Institute of Standards and Technology (NIST), Gaithersburg, Md., developed the NIST Framework for Cyber-Physical Systems, a compendium of voluntary standards, guidelines and best practices to manage and mitigate cyber risk. In June, NIST released a report: “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks” (NISTIR 8228), the first in a planned series to help IoT users protect themselves, their data and their networks from potential compromise.
Underwriters Laboratories (UL), Northbrook, Ill., has focused on cybersecurity for over two decades, starting with the payments, networking equipment and healthcare industries. Its offerings include the UL IoT Security Rating and other advisory, testing and compliance services. UL provides trusted third-party support with the ability to evaluate the security of network-connectable products and systems, and vendor processes for developing and maintaining products and systems with a security focus.
“Cybersecurity efforts at UL include, for example, the UL 2900 standards and the Cybersecurity Assurance Program (CAP),” said Gonda Lamberink, senior business development manager, Identity Management and Security Division, UL, Melville, N.Y. “UL addresses security needs across many different connected ecosystems and incorporates other emerging global industry standards and frameworks as well. One example is for CTIA [which represents the U.S. wireless communications industry], where UL is an Authorized Testing Laboratory for cybersecurity. It’s important for electrical contractors to ask what their vendors do to provide security in their products.”
As threats have expanded, so has UL’s response—creating robust baseline security applicable to a broader customer base, including a focus on consumer IoT, for example.
“A single device or network could end up as collateral in a bigger attack,” Lamberink said. “Risks come from connectable products and devices or software. The focus for consumer devices is to establish a baseline level of security, with any active device having reasonable security inherent in the product. One example of that would be not allowing default passwords.”
What it means to contractors
Lamberink said electrical contractors installing security have an important responsibility that, if not taken seriously, presents potential liability.
“It’s not just the manufacturer that is considered responsible; it’s potentially also the distributor and the installer, as in the example of the European Union Cybersecurity Act,” she said. “Security is critical to the overall reputation and branding of the business and ensures you are providing quality systems to your customers. Electrical contractors need to start asking questions of their manufacturers and may need help from a third party. Hopefully, in the near future, you will see products that have gone through IoT security testing and carry security labeling accordingly.”
Rob Simopoulos, co-founder at Defendify, Portland, Maine, said businesses simply cannot ignore cybersecurity. ECs and systems integrators, he said, store a large amount of customers’ sensitive data. This includes, but is not limited to, facility floor plans, network topology diagrams, IP address schema and device passwords. In addition, many firms are programming and deploying devices directly onto their customers’ networks, exacerbating the situation.
He said more than 60% of small businesses have stated they have had a cyberattack on their organization in the past 12 months.
Simopoulos offered several scenarios of how a systems integrator’s business could be affected:
- A healthcare organization recently underwent an ethical hacking test and learned its video surveillance system was wide open to the internet with the default password still in use. This may have allowed an attacker to have full camera view into their facility.
- A 200-person company’s finance manager had their email compromised by attackers, who began sending new bank payment details to their unknowing customers. Many of the company’s customers actually made payments to the attackers. The criminals’ methods included auto-deleting messages and auto-forwarding rules programmed to send incoming replies directly to the attackers. Further investigation discovered the finance person’s password had been compromised and was available on the dark web. Furthermore, an assessment determined the company email accounts lacked technical safeguards such as two-factor authentication. Both of these weaknesses contributed to the vulnerability.
- An untrained employee of a manufacturer interacted with an attack email, launching ransomware, which spread to infect computers on the network, including devices running the plant. Without proper backups of the manufacturing systems, the business was down for weeks, unable to provide product to their customers.
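The email-compromise scenario above names two weaknesses an integrator can check for in its own mail environment: inbox rules that auto-forward incoming mail outside the company or auto-delete messages, and accounts with no two-factor authentication. The following is an added example written for this article, not code from the article or from any vendor quoted in it; the company domain, the rule records and the two-factor status table are all constructed sample data.

```python
# Added example, not from the article or any vendor it quotes. It checks the two
# mailbox-level weaknesses in the email-compromise scenario above: inbox rules
# that auto-forward incoming mail outside the company or auto-delete messages,
# and accounts with no two-factor authentication. All records are constructed.
from dataclasses import dataclass, field

COMPANY_DOMAIN = "example-ec.com"  # assumed domain of the contractor's own mail

@dataclass
class MailboxRule:
    mailbox: str                # owner of the rule
    name: str                   # rule name as shown in the mail client
    forward_to: list = field(default_factory=list)  # addresses the rule forwards to
    delete_message: bool = False                    # rule deletes the matching message

def is_external(address: str) -> bool:
    """True when the address is outside the company's own domain."""
    return address.lower().rsplit("@", 1)[-1] != COMPANY_DOMAIN

def suspicious_rules(rules):
    """Return (mailbox, rule name, reason) for rules matching the scenario's pattern."""
    findings = []
    for r in rules:
        external = [a for a in r.forward_to if is_external(a)]
        if external:
            findings.append((r.mailbox, r.name, "forwards to external " + ", ".join(external)))
        if r.delete_message:
            findings.append((r.mailbox, r.name, "auto-deletes messages"))
    return findings

def accounts_without_mfa(mfa_status):
    """mfa_status maps mailbox -> bool; return the mailboxes lacking two-factor auth."""
    return sorted(m for m, enabled in mfa_status.items() if not enabled)

# Constructed sample data: one benign internal copy rule, one rule of the kind
# the attackers in the scenario created, and per-account two-factor status.
SAMPLE_RULES = [
    MailboxRule("ops@example-ec.com", "Copy to assistant",
                forward_to=["assistant@example-ec.com"]),
    MailboxRule("finance@example-ec.com", "Payment updates",
                forward_to=["billing@attacker-mail.example"], delete_message=True),
]
SAMPLE_MFA = {"ops@example-ec.com": True, "finance@example-ec.com": False}

if __name__ == "__main__":
    for mailbox, name, reason in suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule '{name}' {reason}")
    print("no two-factor auth:", accounts_without_mfa(SAMPLE_MFA))
```

Run against a real export of mailbox rules and account settings, the same two checks surface the forwarding, deletion and missing two-factor weaknesses the scenario describes before an attacker uses them.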
Simopoulos added that contractors need to be aware that not all IoT device manufacturers take a security-first approach. A manufacturer may be developing and releasing products without key security features that other manufacturers include. ECs should research IoT devices in depth prior to purchase and deployment.
According to Simopoulos, third-party vendor assessments are a growing trend in cybersecurity affecting small businesses. Enterprise companies are sending their vendors third-party assessments that include detailed questionnaires asking about the cybersecurity practices the vendor has in place. These assessments include questions such as the following:
- Do you have cybersecurity policies and plans in place?
- Have you completed a cybersecurity assessment on your business?
- Have you ever conducted penetration testing (ethical hacking) on your networks?
- Do you train your nontechnical teams on cybersecurity?
- Do you conduct phishing simulations on your employees?
- What cybersecurity technology do you currently have installed on your computers and networks?
“Many businesses are caught off guard when they receive these requests,” Simopoulos said. “We have seen businesses receive them immediately after securing a purchase order for a new project and even from their best customer they have worked with for years. Preparing proactively for these assessments is essential. Organizations need to have cybersecurity programs in place as part of normal business practice.”