Whilst we all know that cyber attacks can be devastating, businesses need to place a particular focus on their infrastructure to ensure safety for clients and service users.
Throughout the corporate landscape there is an increasing focus on using technology and the Internet of Things to create new innovations. However, ensuring these are safe and secure needs to be a key priority for firms.
This is clearly not the case, as even major firms such as Amazon are still leaving serious flaws in their solutions. Recently, cybersecurity expert Yossi Atias, General Manager, IoT Security at Dojo by BullGuard, the market-leading IoT security platform for Communication Service Providers (CSPs), took the stage at Mobile World Congress to demonstrate a live hack of the Amazon Ring video doorbell, exposing a previously unknown vulnerability in the popular IoT device. The hack revealed that unencrypted transmission of audio and/or video footage to the Ring application allows for arbitrary surveillance and injection of counterfeit video traffic, effectively compromising home security and putting family members’ safety at risk.
The main feature of the Ring video doorbell is two-way communication between the smart video doorbell and the user’s mobile app, which acts as a security camera and allows the user to confirm who is ringing their doorbell from anywhere in the world via the internet. Presuming the Ring owner is away from home, they can see who is at their door and then remotely open the door if a supported smart lock is installed to let the housecleaner or babysitter in, for example.
The Ring video doorbell vulnerability lies between the cloud service and the Ring mobile application. In the Ring video doorbell hack, Atias was able to change the video feed so the end user ‘believed’ they were seeing someone they know and had let in previously.
This vulnerability, and others like it, show how open users can be to cybercrime, and also how important it is for businesses to ensure their safety, as many often have more than their own safety at stake. Data is incredibly valuable in today’s market, and many businesses store a lot of clients’ data, which could cause problems if it is stolen.
The industry clearly believes that infrastructure needs better protection: more than half (59 per cent) of respondents to the latest social media poll conducted by Infosecurity Europe 2019 – Europe’s number one information security event – believe that an attack on the UK’s critical national infrastructure is likely this year.
As more devices, systems and infrastructure are connected to the internet, the cyber and physical worlds are becoming increasingly linked, opening up new attack vectors. According to Ciaran Martin, head of the UK’s National Cyber Security Centre (NCSC), a major category one (C1) attack on our critical infrastructure – one that disrupts essential services, or affects national security – is a matter of “when, not if”.
The responses to Infosecurity Europe’s poll also indicate that organisations in all sectors are not properly prepared to manage security effectively across both cyber and physical environments. Lack of collaboration and low levels of awareness of key legislation are the biggest problems. The challenges and complexities posed by the convergence of cyber and physical security will form a key part of the conference programme at this year’s Infosecurity Europe 2019 event.
Over two thirds (68%) of respondents say the security teams in charge of their physical and cyber infrastructures never collaborate. This disconnect leads to misaligned plans and conflicting priorities, while creating ‘silos’ that make it difficult for CISOs to gain full visibility of controls and risks across both IT and OT (Operational Technology) environments.
“Defending critical assets is a team sport,” says Nigel Stanley, Chief Technology Officer and global head of OT cybersecurity at TÜV Rheinland. “IT, physical and OT teams need to get their act together and start to share and learn from each other.”
Kevin Fielder, Just Eat’s Chief Information Security Officer, agrees. “The increasing convergence of cyber and physical environments is inevitable, but managing them in a cohesive way will strengthen enterprise security.” According to Kevin, it’s the insider threat that needs most urgent attention. “Those intent on accessing money, information or IP will often find it easier to do so from the inside – and we’re moving to a world where this can mean immediate impact to life. Hacking a building’s management systems, for example, could suppress a fire alarm or sprinkler system, or prevent people leaving.”
Only 16 per cent of respondents to the Infosecurity Europe poll were aware of the EU’s NIS Directive – which is designed to improve the security and resilience of network and information systems – and its implications. The legislation, which was put in place in 2016, sets out security requirements that apply to all operators of essential services and digital service providers (DSPs). Failure to adhere to these could leave security gaps that present attackers with ‘open doors’ through which they can access infrastructure and physical assets. UK organisations found to be non-compliant can be fined up to £17 million.
“I can’t believe that any cyber security leader in a sector impacted by the NIS Directive would be unaware of its implications for their business,” says Nigel Stanley. “Lack of commitment to secure critical infrastructure is the worst sort of negligence. Forget what the regulators demand – organisations should take the initiative and secure assets based on a proportionate cyber security and business-led risk assessment.”
Kevin Fielder believes that if the industry doesn’t take the lead, further regulation will follow. “It really is in our best interest to self-regulate and protect the public. If the industry doesn’t produce connected devices that are, by default, secure and manageable over the long term, it won’t take many real incidents for government regulations to quickly materialise.”
Victoria Windsor, Group Content Manager at Infosecurity Group, also commented on the news.
“The security challenges resulting from the convergence of physical and cyber environments will take centre stage at Infosecurity Europe 2019 – and for good reason. Operational systems in every industry are being connected to corporate and cloud environments, and the safe ‘air gap’ between IT and OT no longer exists. Cyber risk is now impacting the physical realm, and organisations must have effective management strategies in place. Technology such as unified threat management tools has a role to play, but it’s also vital that teams collaborate and communicate to understand blended cyber-physical attacks, and develop joint approaches, plans and policies.”
The industry is already feeling the effects of outages and issues with technology; for example, a recent Google outage has left businesses around the world with challenges. Google users around the world complained of outages and problems with their Gmail, Hangouts and Maps accounts on 12th March. This affected their billions of users and Google is yet to identify the cause of the issue. Businesses globally will wake up struggling to get access to drives and emails. This has a huge impact on business productivity, as most rely on technology to go about their day-to-day work. This could also impact the wider economy, as a dip in workflow in the financial markets, even for only a few minutes, could cause vast financial issues if trades are not able to take place in real time.
Paolo Sartori, CEO of TransWorldCom, commented on the issue and how technological infrastructure affects so many.
“Professional services cannot underestimate how much they rely on stable technological infrastructure, including connections to their emails and data servers. Some businesses, especially smaller companies who may be trying to allocate limited funds to various aspects of their business, may try to cut corners by not investing appropriately in technological infrastructure and this will often cost a company more in the long run. Businesses need to invest in infrastructure to ensure that they have sufficient capacities and that any third party issues do not result in a dip in productivity and potentially a larger cost. This is especially important in businesses that rely on real time information such as the financial services.”
In all, companies need to be aware of the importance of their infrastructure and the effect outages or cybercrime can have on their business and clients. They also need to take steps to ensure that their solutions are entirely safe and secure.