2017-09-25 06:34:37
By Matthew Wall, Technology of Business editor
Imagine a hacker remotely turning off a life support machine in a hospital, or
shutting down a power station. These are the nightmare scenarios we face
because many organisations haven't a clue how many unsecured devices are
connected to their networks, cyber-security experts warn.
It was an ordinary day at a busy hospital - doctors, nurses and surgeons rushed
about attending to the health of their patients.
For Hussein Syed, chief information security officer for the largest health
provider in New Jersey, it was the health of his IT network that was keeping
him busy.
And today, he was in for a surprise.
He knew he presided over a complex web of connected medical devices, computers,
and software applications spread across RWJBarnabas Health's 13 hospitals.
This included about 30,000 computers, 300 apps, a data centre, as well as all
the mobile phones hooking up to the hospitals' wi-fi networks.
Company mergers had only added to the complexity of these sprawling IT systems.
But when he used a specialist IoT cyber-security program to carry out a full
audit, he discovered that there were in fact 70,000 internet-enabled devices
accessing the health firm's network - far more than he'd expected.
"We found a lot of things we were not aware of," Mr Syed tells the BBC,
"systems that weren't registered with IT and which didn't meet our security
standards."
These included security cameras and seemingly innocuous gadgets such as
uninterruptible power supplies (UPSs) - units that provide back-up battery
power in the event of a power cut.
"These unidentified devices could definitely have been access points for
hackers who could have then found high-value assets on our network," says Mr
Syed.
Hack into a UPS and you could potentially switch off life-critical machines,
he explains. Or hackers could steal patient data, encrypt it, then demand a
ransom for its safe return.
On the black market "health data is worth 50 times more than credit card data",
says Mr Syed.
The audit "helped us protect our network," he adds, preferring not to dwell on
what might have been.
Mike DeCesare, chief executive of ForeScout, the software provider Mr Syed
brought in, says: "Businesses typically underestimate by 30% to 40% how many
devices are linked to their network. It's often a shock when they find out.
"With the proliferation of IoT [internet of things] devices the attack surface
for hackers has increased massively.
"Traditional antivirus software was designed on the assumption that there were
just a few operating systems. Now, because of IoT, there are thousands."
ForeScout's software monitors a company's network and identifies every device
trying to access it, "not just from its IP [internet protocol] address, but
from 50 other attributes and fingerprints", says Mr DeCesare.
The reason for these other layers of security is that it is "relatively easy"
for hackers to mask the identity of a particular device - known as MAC [media
access control] spoofing.
So ForeScout's software takes a behavioural approach to monitoring.
"We look at the traffic from all those different devices and analyse whether
they are behaving like they should," he says.
"Is that printer behaving like a printer? So why is it trying to access other
devices on the network and break in to the system?
"If we spot aberrant behaviour we can disconnect the device from the network
automatically."
Services from network monitoring firms - ForeScout, Solar Winds, IBM,
SecureWorks, Gigamon and others - are becoming increasingly necessary in a
world where everything - from lamp-posts to lawn sensors - is becoming
internet-enabled.
According to Verizon's latest State of the Market: Internet of Things report
there are now 8.4 billion connected devices - a 31% increase on 2016 - and $2tn
(£1.5tn) will have been spent on the technologies by the end of 2017.
But as Verizon points out, lack of industry-wide standards for IoT devices is
giving businesses major security concerns.
Stories of cyber-attacks mounted on the back of insecure devices such as video
cameras have highlighted the issue.
"IoT security is one of the biggest challenges we're facing right now," says
Darren Thomson, chief technology officer and vice president, technology
services at cyber-security firm Symantec.
The difficulty is that IoT devices are generally simple, cheap and low-powered,
without the capability of running the antivirus programs operated by
traditional computers.
"The challenge with critical infrastructure is that it wasn't built with
security in mind," says Tom Reilly, chief executive of Cloudera, the IoT and
data analytics platform.
"Smart cities are a great playing field for hackers - changing traffic lights,
turning elevators on and off - there are many security exposures.
"We need to get ahead of them."
This necessitates a different approach to security, a growing number of experts
believe.
In April, telecoms giant Verizon launched what it calls its IoT "security
credentialing" service, whereby only trusted, verified devices are allowed to
access a company's network.
Meanwhile, Cloudera has formed a strategic partnership with chip maker Intel.
"Intel makes the chips that are being used in many IoT sensors," explains Mr
Reilly, "and all that data being created needs to land in a database like ours
residing in a data centre.
"We authenticate all the devices - we're creating an end-to-end platform for
the IoT world."
Rival GE Digital, a subsidiary of the global engineering giant GE, has also
developed its own IoT and data analytics platform called Predix which it is
outsourcing to big clients such as British Airways and oil giant Exxon.
IoT sensors are fitted to big machines, from gas turbines to aero engines, and
these transmit "petabytes of data in real time that helps us work out how to
optimise their maintenance", says Bill Ruh, GE Digital chief executive.
"We get all that data back via virtual private networks mostly in a highly
secure encrypted fashion."
But if you don't have the resources to commit to an entire IoT ecosystem
operated by a major tech company, behavioural network monitoring may be your
next best bet.
Just bear in mind that your organisation's defences are only as strong as the
weakest part.
Beware the invisible network.