Light Dark
October 20, 2015 By Charles Kolodgy 3 min read
Artificial Intelligence
CISO
Endpoint
Network

The ever-expanding Internet of Things (IoT) continues to grow unabated. Simple everyday items are becoming connected to the Internet. Potted plants are now able to tell you if they are too cold or thirsty and can automatically adjust the room temperature or water themselves. I can only imagine what the original Luddites would think.

The ability to remotely monitor, control and change your work environment is also an evolving and improving capability. The first vestiges of a smart office appeared when printers and copiers became part of the network, but with the convergence of Internet, cellular networks, Wi-Fi and Bluetooth technologies, nearly anything can be at your fingertips. The workplace is now smart.

All This Neat Stuff

Items encompassed by the IoT are, by definition, limitless. Computers, printers and mobile devices have been connected for some time. However, many items not normally part of a network are now Internet-enabled in an office setting. These include security cameras, door locks, motion sensors, window blinds, power outlets, vending machines, scales, trash cans, robotic vacuums, light bulbs, heating and air conditioning systems, thermostats and the aforementioned plant pots.

The rationale behind the smart office, smart store or smart factory is to improve productivity, control costs, facilitate inventory management, allow remote monitoring and diagnosis of equipment and even reduce the need to perform mundane functions (like watering the plants). The components within a smart office are capable of exchanging information automatically, communicating with nodes on different networks and interacting with cognitive computing systems. This allows you to control the environment.

Unintended Consequences

As the saying goes, “It’s all fun and games until someone loses an eye.” The smart office has value, but it also has unintended consequences. The multitude of networked components allows attackers to have an expanded attack landscape. And many of the devices are not designed to resist attacks. Why would I need to protect my potted plant? The reality is that, when networked, the IoT components can offer attackers a window to access the enterprise’s network. A smart office can be an attacker’s buffet.

The initial entry point for at least one high-profile data breach was via an HVAC system. In 2012, the FBI issued a report explaining how a company was breached via the Internet-connected HVAC controls. Researchers have also demonstrated that they can access systems in one facility from a network-connected IoT device in another facility. That ability to access systems is a legitimate function. If you are using a device to monitor inventory, for example, devices are designed to communicate with the inventory control management system. Cybercriminals can take advantage of legitimate access to create illicit connections.

Smart on Security, Too

Securing IoT devices has been a hot topic as of late, but most of the news has been tied to the hacking of connected automobiles. This is interesting and valuable research, especially for the safety of the passengers, but an automobile is only one thing. The real concern arises when many things are networked together, and those things can trace a route to an enterprise’s valuable data, disrupt its supply chain and impact productivity in a big way.

It is imperative that IoT devices be smart on security, but also for the whole infrastructure be robust. There are certain ingredients for IoT security: Many are simple and standard security practices that need to be enforced in a smart office, and others require additional diligence by IoT device manufacturers.

Manufacturers have to realize that their interesting IoT device has to be sturdy not just to ensure functionality, but also to provide security. Operating systems must be trustworthy, and the software must be designed using best practices, which include application code scanning. Flaws will eventually be discovered, so there must be mechanisms designed to update flawed or vulnerable software.

How to Foster Smart Office Security

To enable smart security, the organization has a responsibility to ensure devices are authenticated, to operate under the principle of least privilege and to implement network segmentation. IoT network security protection components should also include intrusion detection, network access control and behavioral anomaly detection. New entities will come onto the network, and unless you are constantly vigilant, you will not be aware.

Both the device manufacturer and the enterprise have responsibility for the final key element: data security. All data should be encrypted because you can never be sure that sensitive data isn’t being generated. Encryption needs to be built into the device or into the applications that interface with it, but it is up to the user to enable such a feature.

When implemented, these controls will make it difficult for a cybercriminal to use that smart plant to access your customer database.

Listen to the podcast series: Five Indisputable Facts about IoT Security

 |  |  |  | 
Charles Kolodgy
Senior Security Strategist, IBM

More from Artificial Intelligence
April 10, 2024

What should an AI ethics governance framework look like?

4 min read - While the race to achieve generative AI intensifies, the ethical debate surrounding the technology also continues to heat up. And the stakes keep getting higher.As per Gartner, “Organizations are responsible for ensuring that AI projects they develop, deploy or use do not have negative ethical consequences.” Meanwhile, 79% of executives say AI ethics is important to their enterprise-wide AI approach, but less than 25% have operationalized ethics governance principles.AI is also high on the list of United States government concerns.…

April 3, 2024

GenAI: The next frontier in AI security threats

3 min read - Threat actors aren’t attacking generative AI (GenAI) at scale yet, but these AI security threats are coming. That prediction comes from the 2024 X-Force Threat Intelligence Index. Here’s a review of the threat intelligence types underpinning that report.Cyber criminals are shifting focusIncreased chatter in illicit markets and dark web forums is a sign of interest. X-Force hasn’t seen any AI-engineered campaigns yet. However, cyber criminals are actively exploring the topic. In 2023, X-Force found the terms “AI” and “GPT” mentioned…

March 19, 2024

How AI can be hacked with prompt injection: NIST report

3 min read - The National Institute of Standards and Technology (NIST) closely observes the AI lifecycle, and for good reason. As AI proliferates, so does the discovery and exploitation of AI cybersecurity vulnerabilities. Prompt injection is one such vulnerability that specifically attacks generative AI. In Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations, NIST defines various adversarial machine learning (AML) tactics and cyberattacks, like prompt injection, and advises users on how to mitigate and manage them. AML tactics extract information…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature