Why smart technologies have increased your digital risk
The rise of the internet of things brings many business opportunities, but also fresh risks. What do businesses need to be aware of in this new era?
In late 2014, the nature of business cyber risk changed. An unnamed German steel mill came under cyber attack. In the past this may have meant losing data, possibly some lost productivity and potentially some reputational damage for the affected company, but this time it was different. The attackers were able to disrupt control systems to such an extent that one of the mill’s blast furnaces could not be properly shut down. The result was massive damage.
In December 2015, the potential for cyber attacks to affect the real world was demonstrated once again. A cyber attack on the Ukrainian energy grid left more than half a million properties without power. A simultaneous attack on communications systems prevented an effectively coordinated response, lengthening the response time and increasing the economic damage caused.
There is no perimeter
It used to be that security consultants built walls around the organization. The strategy was to put in a perimeter and keep intruders out.
That doesn’t work anymore: with the internet of things, where so much is connected, there is no perimeter. No organization can say, “That’s mine inside this perimeter and anything outside it I can disregard.” The intruders are already inside the network.
Think about your weakest link: think about how big the attack surface is when everything is connected and everything is visible.
New opportunities – and new threats
Smart meters and thermostats are a great case in point. There’s no longer a box on a wall that only the meter reader or property owner can access. Now it’s a live connection on 3G or Wi-Fi.
This brings both opportunity and threat.
For energy consumers, a connected meter or thermostat makes managing their energy consumption much easier, and can bring money-saving improvements to temperature management. For energy suppliers, there is an opportunity to reinvent the billing relationship completely to make it simpler and more accurate, building trust and, in time, extending services into the customer’s smart home or office.
But on the threat side, if every single connected object is subject to cyber attack, smart technology is vulnerable.
The blending of IT and OT
Smart devices are pieces of information technology (IT) and are designed as such. However, they are increasingly being connected to, and controlling, operational technology (OT). And OT was not designed to be connected to the internet.
As with the German steel mill or the Ukrainian energy grid, connected systems could be exploited to cause real-world physical damage as well as damage to data. Mixing IT with OT may create additional vulnerabilities that we just don’t know about yet.
The one thing we do know is that the convergence of IT and OT creates an even bigger attack surface. So organizations need to ensure an integrated approach to digital that includes cybersecurity from the outset.