The Internet of Things and quantified-self movements have led to an explosion of interesting gadgets for consumers and households, and we've detailed the types of IoT vulnerabilities and attacks in smart homes in our latest research paper. But the IoT is also laying the foundations of a new way of working. It’s about using information technology to reshape how, and where, we work.
One of the smartest office buildings in the world is packed with some 28,000 connected sensors detecting and adjusting motion, light, temperature, humidity and other conditions to respond to occupants’ needs and create the perfect working environment. Occupants can control everything through smartphones. But are we trading security for convenience… again?
Where are we now
Today’s commercial buildings — especially medium to large ones — are already typically equipped with control systems and hundreds, if not thousands, of sensors, even if they are not fully integrated. That’s partially because a multitude of systems have been implemented by different vendors, at different times. Moreover, many facilities have proprietary building management systems that rely on a different communication protocols to exchange information. Integrating disparate systems, getting them to communicate using a standard protocol and providing interoperability across devices is the biggest roadblock preventing the IoT from reaching its true potential for the enterprise market.
Emerging security issues
The office of the not-so-distant future may include a variety of devices:
- Advanced lighting sensors
- Networked security cameras that send video to mobile devices
- Smart locks and doorbells
- Climate controllers such as wireless thermostats
- Motion sensors and presence-sensing software to automate conference room reservations
- Sprinkler controllers
- Parking space sensors
Each type of device is vulnerable to different kinds of attacks, and security in the devices themselves varies.
Planting thousands of sensors endangers integrity as operators may become overwhelmed with alarms, alerts and indications. What’s more, overreliance on wireless technologies increases hacking and denial-of-service opportunities. There is an increasing tendency to rely on wireless sensor networks, which are exploitable. This adds to the risk of physical attacks on the sensors and their containers.
And most of these sensors and supporting network devices are made from outsourced components. If a hacker or cybercriminal gained access to these chipsets and the associated firmware -- especially during manufacturing or shipping -- a section of malicious code could be covertly inserted in the device and activated in such a way that either shuts it off or impairs its functionality.
Unfortunately, many of the sensor devices currently on the market lack the battery or computing capacity to implement sophisticated encryption techniques. Weak data encryption increases the risk of cyberattacks or breaches of IoT devices.
All these weaknesses are exploited to target the telecommunications network, the key element in the system.
For example, after gaining access to the network, cybercriminals can monitor an office’s operation using the video surveillance system. They can even see information on employees’ monitors. Taking advantage of the access control system’s vulnerabilities, criminals can get into the building disguised as employees without attracting attention. Taking control of other life-support systems can seriously undermine the office’s ecosystem, to the point of making work impossible. This can result in downtime, missed deadlines, damage to property and financial losses.
Big data and privacy
Collecting and analyzing big data empowers understanding of facilities and employees like never before. Highly regulated and tightly controlled buildings are collecting gigabytes of data on how its employees interact - from energy use to emails, location, time spent outside and who they talk to. This creates a continuous picture of office life. But isn’t this an invasion of workers’ privacy?
In the future, all buildings will be connected, both internally and to other buildings as well as the smart grid. The EU strongly encourages its 27 member states to replace utility meters with smart meters by 2022.
Smart meters establish a two-way data connection between the customer and the power company by sending information over a communications network that may include power-line, radio or cellular-network connections. Once smart meters are installed, power companies can determine the location of outages more easily, and no longer need to send staff to read meters or to turn the power on or off at a particular property. Smart meters also help curtail theft of electricity.
But the smart meter is only the first step. Eventually smart meters will communicate with smart thermostats, appliances and other devices. Customers will be able to access that information via read-outs in their homes or web-based portals, through which they can set temperature preferences for their thermostats, for example, or opt in or out of programs that let them use cleaner energy sources, such as solar or wind power.
Privacy risks arise from capturing data that may also include proprietary business information related to a business’s energy consumption. This data can become a target for unauthorized exploitation by marketers and other third parties. The media are rife with reports of systems and data breaches at high-profile companies as a result of weaknesses in the systems of third parties.
New security mindset
Given the diversity of devices, a comprehensive approach to IoT security should start with these five requirements:
- Managing cybersecurity and physical security solutions together.
- Enforcing different security policies based on the environment.
- Conducting customized risk assessments to identify the risks and how best to contain them.
- Implementing a specialized, multi-layered IT security solution to protect all nodes on the corporate network, including against Internet threats and data encryption on endpoints.
- Employee training in IT security and office system operation rules to reduce the chances of attackers gaining access to your data through social-engineering techniques.