From Cyber to Physical

This news story got a lot of attention over the holiday season.  To briefly recap, malware spread across regional power plants in the Ukraine which caused widespread outages across portions of the Ukraine.  Who did it and why is a topic for other organizations, what we would like to focus on is the capability this displays and the threats to you, your home, and your business.  This is especially relevant as we connect more and more devices and more and more components/appliances to our networks.  And ultimately, this is one of the fears as we grow into the Internet of Things (IoT).

With the holidays having just passed, many may have gotten new or updated hi-tech toys.  The Nest Thermostat or any other wi-fi based thermostats; the iLumi or Hue light-bulbs; wireless theater surround sound; or new smart TVs and appliances.  For some adults, these gadgets take us back to our youth and cause us to get all giddy inside anticipating how we are going to have everything connected from one device.  What could be cooler than that?  All those problems solved from the convenience of your handheld or tablet.

Unfortunately, if we aren’t careful, this also invites new threats into our home or workplace.  And seeing how this one power outage can apply to our home or business doesn’t take much imagination.  What if an attacker entered your network because you didn’t change the default password, or because you didn’t take the time to set up proper controls and took control of your thermostat?  Conceivably they could turn the heat/cool on to unsustainable temperatures causing your heating pump or AC unit to break down or potential starting a fire when no one is around to do anything about it.  Well your answer might be that you have an alarm or smoke detection system that automatically alerts the fire department.  If we can conceive that a person can penetrate your network and mess around with your thermostat, then we should also assume that they can impact your security system and your smoke alarm detection, at least to the point where a fire started would have done enough damage to your business or home by the time the fire department arrived.

These are the type of scenarios that we talk about when we do threat detection and identification.  The easiest thing to do in a situation like this is to rationalize it away and to talk yourself into thinking it won’t happen to you.  See, done.  It won’t happen to you.  Your home and your business are not that important for attackers and you don’t have anything of value.

However, this really doesn’t help.  Wishing away the problem really isn’t the solution.  Aside from the case studies that show competitors really do care what you are doing and who your clients are, and that drive by attacks are more common than you think, there are numerous reasons why we need to do better.  A better course of action would be to determine what your threats are and to determine your vulnerabilities.

It’s important to start with understanding your view of your self.

Start with things that you can control.  These should all be basic areas of security that you can impact right away.  And you can do it all in a short amount of time.

  1. What does your network look like?  For homeowners, do you just have the cable company plug in the router and leave it be or do you take an active approach to managing your network?
  2. How many devices do you have accessing your networks?  And how are those devices protected?  A family of four may have upwards of 10-12 devices when you factor in desktops, laptops, phones, tablets, smart TV devices (including AppleTV, Roku, etc), thermostats (not just NEST but the Honeywell System), and the list can go on and on as you bring more smart appliances and applications into your home.
  3. Do you allow everyone to have your WiFi password? Maybe you should consider this piece.  Have you thought about a guest wireless account.
  4. Have you changed the default password?  Sounds silly right?  You wouldn’t believe how many people don’t and how many times it has led to a security incident.  Then again, maybe you would.
  5. Do you know what your critical information is? Do you need a refresher on Critical Information?
  6. How do you store your critical paperwork that is on your network?  The same network that you allow everyone who visits your house to use.  Do you have permissions set?

The new gadgets are great and a truly connected house or business can be a huge benefit.  But it also presents security challenges.  And that’s ok.  Start with each device and go from there.  If it’s being integrated into your network know the risks and plan accordingly.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s