In our last article on the Modern Equipment Manufacturer, we sat down with Richard Theron, a Product Manager at cloud gateway solution provider, Sierra Monitor, to talk about how today’s next generation of cloud-enabled devices can allow remote access and remote monitoring – making them better for a more remote workforce.
Unfortunately, as with any device that is connected to the Internet, there are inherent cybersecurity risks that arise when commercial and industrial devices are cloud-enabled. Within a few minutes of an IoT device being connected to the Internet for the first time, it’s already been attacked – and there are many good reasons why someone would want to attack a commercial or industrial device.
In part two of our conversation with Richard, we talked about the cyber threat landscape facing commercial and industrial devices, examples of ways these devices can be exploited to hurt an organization and simple ways that manufacturers can make their devices more secure to help protect their customers.
Here is what he had to say:
Modern Equipment Manufacturer (MEM): In our previous discussion, we talked about enabling remote access to devices by connecting them to the cloud. What impact does that have on the cybersecurity of those devices? Does that open the door to cyber threats?
Richard Theron: Very much so. As soon as you connect anything to the Internet, you are vulnerable to cyber threats. And I’m not trying to be alarmist, that’s simply the truth.
And security isn’t just about outside threats via the Internet, it’s also the local network as well. There is increasing interest and focus on securing devices connected via BACnet, as well as devices connected to the Internet. That’s because an increasing number of attacks are originating from inside the organization – inside the firewall.
These attacks are becoming increasingly prevalent, and they come from a wide range of malicious actors. I know a company that had an Internet-connected security camera in their facility and someone hacked it. It wasn’t for malicious purposes – they were just bored. But that’s not always the case – these people can be destructive.
MEM: How susceptible are these devices to cyberattack? Why are these devices susceptible in the first place?
Richard Theron: Many of these Internet-connected commercial and industrial devices are surprisingly susceptible. And there are a few very good reasons for that.
First, there’s the fact that many of these companies aren’t IT companies and they’re certainly not cybersecurity companies. Most of them are incredibly good equipment manufacturers that are exceptional at making devices that work and do what they’re designed to do effectively and efficiently. But they’re not prepared or equipped to handle the cybersecurity requirements that arise when these devices are cloud enabled.
Then, there are the issues that arise from speed to market. Manufacturers want to beat out their competitors and get their next-generation Internet-connected, cloud-enabled devices on the market first. As we talked about previously, they see it as a competitive advantage. But – in the process of being first and moving quickly – they fail to consider the cybersecurity implications of cloud-enablement.
Finally, there are equipment manufacturers that invest in security in one area, and then fail to invest in others. Maybe they do a good job of securing their devices, but they fail to do the necessary penetration testing on their device cloud or device applications. This is more common than you would expect.
MEM: Why would anyone want to attack these devices? How would it benefit them? What would they get out of it?
Richard Theron: There are more reasons than we probably have time here to discuss. First, there’s the straight financial reason. Ransomware attacks are increasing in prevalence. They’re targeting government agencies, education institutions and private companies – encrypting their data and holding their system hostage in exchange for a financial ransom. And they’re increasing in frequency because they’re profitable.
That’s something that could also be done with commercial and industrial equipment and devices. Malicious actors could take control of a building or campus’ BMS system, shut down necessary and essential systems and then hold them for ransom until they’re compensated.
Then there are insider attacks – attacks against the organization by someone within the company. This could be a disgruntled employee looking to hurt the company by costing them precious time and money – destroying productivity to impact their bottom-line.
Then there are the data thieves and people looking to steal sensitive information. The devices within a company or organization may not be the target, they may just be the entryway into the larger network. Once inside, hackers could begin to move laterally – moving from application to application and system to system looking for proprietary business intelligence, financial data or payment data.
That’s just a few examples, but I’m sure there are many more.
MEM: What should manufacturers do to protect their devices and make their equipment safer for their customers?
Richard Theron: The single most important thing that they can do is select the products and gateways that are built with inherent security standards and protocols built in.
As we discussed previously, many of these equipment manufacturers are cloud-enabling their devices through the integration of cloud gateways, which give them the connectivity to the Internet that they’re looking to enable in their devices. If the gateways that they’re choosing don’t meet those security standards, their equipment also won’t meet those security standards.
There are a number of gateway providers that are taking the time – doing the penetration testing on their gateways and their device clouds – to ensure that they’re secure and that they can secure the devices that they’re installed in. By choosing to work with those companies, equipment manufacturers can ensure that they’re making and selling a product to their customers that is safe.