[BreachExchange] Smart cities: 5 security areas CIO should watch
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Oct 17 18:36:06 EDT 2016
http://www.philstar.com/business-usual/2016/10/17/1634205/smart-cities-5-
security-areas-cio-should-watch
Car navigation systems that can predict where and when traffic jams might
occur, by siphoning data from sensors in roads and other vehicles.
Cameras that can spot litter in public places and call in the cleaning
crew. Self-adjusting street lamps.
These are just a few of the scenarios that could become commonplace as
smart cities take hold over the next few years.
Driven by rising urbanization and fueled by technologies such as the
Internet of Things (IoT) and data analytics, smart cities are on the cusp
of explosive growth. Glasgow, Barcelona, Nice, New York City, London and
Singapore have already embarked on the trek.
The smart city technology market could be worth $27.5 billion annually by
2023, according to Navigant Research.
Smart city initiatives are driven by public sector initiatives. However,
they will have a big impact on businesses.
Chief information officers (CIO)will have to learn how to tap on the new
connected city infrastructure for their business. Smart city technologies
like IoT and data analytics are expected to drive innovative business ideas
in the future.
But the new wave of smart city services and technologies are also expected
to create new security vulnerabilities. Here are five areas CIOs should
watch out for.
• A further fragmentation of IT
The last few years saw a rapid proliferation of cloud services and mobile
device adoption in the workplace.
The trend has transformed business productivity. But it has also wrecked
the tight-fisted control that CIOs used to be able to exert on their IT
systems.
CIOs now have to grapple with the idea of employees using unsanctioned
cloud services via unsecured phones to hook up to corporate servers and
accessing sensitive business data. The expected explosion of IoT devices −
researchers estimate that by 2020, the number of active wireless connected
devices will exceed 40 billion worldwide − will result in a further
fragmentation of IT in businesses.
Instead of fighting the losing battle of trying to lock down devices and
services, CIOs should look at protecting the data. Look for IoT devices
that offer device-to-device encryption. Consider implementing − as well as
bolstering − comprehensive encryption schemes to protect data in networks,
cloud services and endpoint devices.
• Device vulnerabilities
In the past year, security researchers have exposed holes in Wi-Fi-enabled
Barbie dolls, Jeep Cherokee cars, fitness trackers and other new-fangled
connected devices. Fortinet's FortiGuard Labs already see IoT based attacks
on the radar and happening in real time around the world.
This shows the risks that are coming as toys, wearables, cars and power
grids get attached to sensors that are linked to a common network and the
Web.
IoT will bring forth a larger surface attack. Hackers will eye IoT devices
as a launching pad for ‘land-and-expand’ attacks. One scenario: hackers
take advantage of vulnerabilities in connected consumer devices to get a
foothold within the corporate networks and hardware to which they connect.
So how do CIOs protect against the risks of connected devices and their own
IoT implementations?
Short of physically separating such devices from all other network systems,
they can consider deploying network-based protection schemes.
Internal segmentation firewalls, or ISFWs, for instance, can mitigate the
proliferation of threats inside the business network. They also need to
employ an IoT network security solution which is capable of mitigating
exploits against this growing and vulnerable attack surface. IoT vendors
need to harden their products and develop proper product security teams.
• IoT gateways can be exploited
In a typical IoT deployment, the majority of connected devices will be
always connected and always on. Unlike mobile phones and laptops, such
devices are likely to go through only a one-time authentication process
across multiple sessions.
This will make them attractive to hackers looking to infiltrate into
company networks, as it allows easy control and sniffing of traffic.
Shoring up the security of the gateways that connect IoT devices is
therefore a must.
CIOs should map out where these gateways are and where they are linked to −
they can reside internally or externally, and even be connected to IoT
device manufacturers. There must also be a sound plan for updating security
patches on these gateways, as well as the IoT devices.
• Big data, more risks
If there is a constant in smart city deployments, it is that more data will
be generated, processed and stored.
Connected devices will generate huge data repositories. Businesses that
adopt big data systems will see an even larger data deluge. Unfortunately,
such data will also become attractive targets for corporate hackers.
To protect huge amounts of data with large inflows and outflows, the
bandwidth capabilities of security appliances will come to the fore. And
when dealing with data analytics, it often isn’t just a single data set,
but multiple repositories of data that may be combined and analyzed
together by different groups of people.
For instance, a pharmaceutical company’s research efforts may be open to
employees, contractors and interns. This means individual access and
auditing rights.
• A new can of worms
New worms designed to attach to IoT devices will emerge − and they could
wreck more havoc given the extended reach of the new converged networks.
Conficker is an example of a worm that spread on PC’s in 2008 and is still
persistent and prevalent in 2016.
Likewise, worms and viruses that can propagate from device to device can be
expected to emerge – particularly with mobile and the Android operating
system.
Embedded worms will spread by leveraging and exploiting vulnerabilities in
the growing IoT and mobile attack surface. The largest botnet FortiGuard
labs has witnessed is in the range of 15 million PCs.
Thanks to the internet of things, this can easily reach in excess of 50
million if the spread of IoT worms is not properly mitigated. Patch
management, and network based security inspection – particularly intrusion
prevention systems or IPS – that can block IoT worms is a must.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161017/de416e97/attachment.html>
More information about the BreachExchange
mailing list