Internet Isn’t Broken
What We Put On It Is
Director of Cybersecurity,
Building & Facility Control Systems,
I can’t take credit for the title for this article. I paraphrased a statement Dan Kaufman, Director of the Information Innovation Office for DARPA (Defense Advanced Research Projects Agency), Department of Defense, made in a 60 Minutes interview with Lesley Stahl (link to interview). His exact words were “I don't think the Internet is broken. I think the things we put on the Internet are broken. What we're doing is we're putting a lotta devices on it that are unsecure.”
When the internet was in its infancy, even the best forecaster could not have fully understood where it was headed. Even today we seem to find new ways to use the internet to connect our lives, our data, and our “stuff”.
As controls integrators, vendors, and manufacturers, we have always tried to deliver a product that was not just innovated for innovation’s sake, but useful too. Our customers’ appetite never seems to be satisfied, and once they had a taste of what these connected, open platform systems could do, they wanted more. That is a good thing in a lot of ways, because it has driven us to be better than we were.
I know I’m preaching to the choir here, because we all know how we got from siloed, proprietary control systems, accessible only from a computer with a thick client on it, to web-based, open protocol/platform systems that could cross-talk to other web-based, open protocol/platform systems. What we missed was the fact that we were putting our “stuff” on the internet unprotected, and sometimes purposely unprotected. Okay… so we didn’t miss the fact that this stuff was being put on the internet, but what we didn’t take into account was that somewhere down the line these systems could be used against our customers, not only to assault/attack the system itself, but as a gateway onto the customer’s network.
Please understand, this is not to lay blame, but to state a fact. We gave our customers a more convenient way to access their system and they saw, and rightfully so, that another convenience level could be achieved. If these systems were exposed, the customer could check their system from home, at night, and on the weekends. Property managers with geographically diversified portfolios could have a single pane of glass (SPOG) view of their properties and so on.
In the race for convenience, something got missed…
It wasn’t intentional, and it wasn’t due to a lack of known knowledge. What I mean is that known knowledge is what you know at the time; if you choose not to use it, shame on you, but that’s not what we did. We did what our customers wanted. Of course they didn’t know either that what was being created is exactly what Dan Kaufman described: “…What we're doing is we're putting a lotta devices on it that are unsecure.”
So that brings me to the topic that has been a main theme on AutomatedBuildings for the past several months (good topic, by the way, it applies to so many areas of our industry), Transformative Change. And for the purpose of this article, transformative change of cyber security practices.
This change is not easy in a lot of respects because it is not just about changing out hardware, adding software protection, and upgrading devices. The change has to come from within. Within us. Within how we do business and implement systems. Within our employees to understand that protecting intellectual property of our company and the customer’s company is extremely important. Within our customers to understand that things won’t be as convenient as they were and for them to be willing to adopt a few extra steps in the process to fortify their systems.
Transformative change is needed within all components of the system, which include people, processes, and products. Change that recognizes that the things that seem not to matter are the very things an attacker will use against you to gain access. If you don’t believe it, take a look at the largest breaches in the past couple of years and how access was gained by the attacker: a clicked email, a common username and password known by many, a system on a public IP outside the firewall with default or no credentials, a phone call and a few answered questions.
This hits close to home (conclusion)…
Most of us have heard of the Target breach in 2013 and that a small mechanical contractor named Fazio Mechanical was initially blamed for the breach. This statement was retracted, but the damage had been done. I don’t know to what extent, but damage was done. In an article released 9/21/2015 by Brian Krebs – Krebs on Security, Verizon’s findings seem to turn the spotlight back on Fazio.
Quote from article “Verizon’s findings lend credence to the working theory about how hackers initially broke into Target. In February 2014, KrebsOnSecurity was the first to report that investigators had zeroed in on the source of the breach: Fazio Mechanical, a small heating and air conditioning firm in Pennsylvania that worked with Target and had suffered its own breach via malware delivered in an email. In that intrusion, the thieves managed to steal the virtual private network credentials that Fazio’s technicians used to remotely connect to Target’s network.” (link to article)
This reiterates the statements I made earlier about clicked emails and protection of customer intellectual property. In this case it didn’t come through the control system, but it did come from a click on an email by someone at Fazio. I’m not beating up on Fazio. Any one of us or our employees could do it. It just serves as a reminder that cyber security transformative change is a must in the landscape we helped make.