|
October 2015 |
Innovations in Comfort, Efficiency, and Safety Solutions. |
|
The
Internet Isn’t Broken What We Put On It Is |
| Articles |
| Interviews |
| Releases |
| New Products |
| Reviews |
|
|
| Editorial |
| Events |
| Sponsors |
| Site Search |
| Newsletters |
| |
| Archives |
| Past Issues |
| Home |
| Editors |
| eDucation |
|
|
| Training |
| Links |
| Software |
| Subscribe |
|
|
I
can’t take credit for the title for this article. I paraphrased a
statement Dan Kaufman, Director of the Information Innovation Office
for DARPA (Defense Advanced Research Projects Agency), Department of
Defense made in a 60 Minutes interview with Lesley Stahl (link to interview). His exact words were “I
don't think the Internet is broken. I think the things we put on the
Internet are broken. What we're doing is we're putting a lotta devices
on it that are unsecure.”
When the internet was in its infancy, even the best forecaster could
not have fully understood where it was headed. Even today we seem
to find new ways to use the internet to connect our lives, our data,
and our “stuff”.
Our stuff…
As controls integrators, vendors, and manufacturers, we have always
tried to deliver a product that was not just innovated for innovation’s
sake, but useful too. Our customer’s appetite never seems to be
satisfied and once they had a taste of what these connected, open
platform systems could do, they wanted more. Which is a good
thing in a lot of ways because it has driven us to be better than we
were.
I know I’m preaching to the choir here because we all know how we got
from siloed, proprietary control systems, accessible only from a
computer with a thick client on it to web based, open protocol/platform
systems that could cross talk to other web based, open
protocol/platform systems. What we missed was the fact that we
were putting our “stuff” on the internet unprotected and sometimes
purposely unprotected. Okay… so we didn’t miss the fact that this
stuff was being put on the internet, but what we didn’t take into account
was that somewhere down the line these systems could be used against
our customers to not only assault/attack the system itself, but as a
gateway onto the customer’s network.
Please understand, this is not to lay blame, but to state a fact. We
gave our customers a more convenient way to access their system and
they saw, and rightfully so, that another convenience level could be
achieved. If these systems were exposed, the customer could check
their system from home, at night, and on the weekends. Property
managers with geographically diversified portfolios could have a single
pane of glass (SPOG) view of their properties and so on.
In the race for convenience,
something got missed…
It wasn’t intentional and it wasn’t due to lack of known
knowledge. What I mean is known knowledge is what you know at the
time and if you choose not to use it, shame on you but that’s not what
we did. We did what our customers wanted. Of course they
didn’t know either that what was being created is exactly what Dan
Kaufman said “…What we're doing is
we're putting a lotta devices on it that are unsecure.”
So that brings me to the topic that has been a main theme on
AutomatedBuildings for the past several months (good topic, by the way,
it applies to so many areas of our industry), Transformative
Change. And for the purpose of this article, transformative
change of cyber security practices.
This change is not easy in a lot of respects because it is not just
about changing out hardware, adding software protection, and upgrading
devices. The change has to come from within. Within us.
Within how we do business and implement systems. Within our
employees to understand that protecting intellectual property of our
company and the customer’s company is extremely important. Within our
customers to understand that things won’t be as convenient as they were
and for them to be willing to adopt a few extra steps in the process to
fortify their systems.
Transformative change within in all components of the system which
include people, processes, and products. Change that means things that
seem not to matter are the very thing that an attacker will use against
you to gain access. If you don’t believe it, take a look at the
largest breaches in the past couple of years and how access was gained
by the attacker. It was a clicked email, a common username and
password known by many, a system on a public IP outside the firewall
with default or no credentials. A phone call and a few answered
questions.
This hits close to home
(conclusion)…
Most of
us have heard of the Target breach in 2013 and that a small mechanical
contractor named Fazio Mechanical was initially to blame for the
breach. This statement was retracted but the damage had been
done. I don’t know to what extent, but damage was done. In
an article released 9/21/2015 by Brian Krebs – Krebs on Security,
Version findings seem to turn the spotlight back on Fazio.
Quote from article “Verizon’s
findings lend credence to the working theory about how hackers
initially broke into Target. In February 2014, KrebsOnSecurity was the
first to report that investigators had zeroed in on the source of the
breach: Fazio Mechanical, a small heating and air conditioning firm in
Pennsylvania that worked with Target and had suffered its own breach
via malware delivered in an email. In that intrusion, the thieves
managed to steal the virtual private network credentials that Fazio’s
technicians used to remotely connect to Target’s network.” (link to article)
This reiterates the statements I made earlier about clicked emails and
protection of customer intellectual property. In this case it
didn’t come through the control system, but it did come from a click of
an email by someone at Fazio. I’m not beating up on Fazio.
Anyone of us or our employees could do it. It just serves as a
reminder that cyber security transformative change is a must in the
landscape we helped make.
[Click Banner To Learn More]
[Home Page] [The Automator] [About] [Subscribe ] [Contact Us]