Reducing the Attack Surface
Cybersecurity is set to become one of the most prominent issues for businesses and organisations looking to implement smart solutions in 2020. End users are demanding secure systems, and evidence shows they will often delay investment in such solutions unless it can be demonstrated that appropriate steps have been taken to secure the network and associated data. It is also vital that those designing and implementing smart systems are aware of – and able to implement – the latest cybersecurity principles and practices.
Cybersecurity is an evolving and complex threat that those delivering any type of connected solution must take seriously. Where smart systems are deployed to protect a site and its personnel, ensure a business operates to its maximum potential, deliver efficiencies in terms of business and site management and add value to a customer’s investment, it is critical that the system in question does not inadvertently bring the business to its knees.
It is a fact that lax levels of security have, in the past, made some smart systems – including security and safety systems – relatively attractive to those implementing on-line attacks. It also must be accepted that hacking a system via a security device is seen as ironic and a bit of a scalp for cyber criminals. With the increased use of IoT, intelligent buildings and smart cities, the threat becomes more significant.
For integrators of smart systems, device manufacturers, service providers and software vendors, the time for talking about risk management is over. Strict adherence to cybersecurity best practices and principles is the minimum level of protection expected by customers.
It is fair to say that most credible device manufacturers have taken steps to develop intrinsically secure products. The vast majority of professional devices, software packages and systems include the tools required to make them secure. All it takes to increase the robustness of a system is an understanding of the functions and how they are configured, along with a dedication to deliver the best solutions possible for the customer.
Ironically, there are a number of simple steps which can significantly reduce the attack surface of an edge device, in turn increasing the overall security of any smart solution.
Reducing the attack surface of a system or device should always be a standard practice when implementing a cybersecurity policy. The attack surface is made up of the many different points where an attacker can attempt data entry or extraction. The attacker only needs to succeed in violating one point in order to create a threat, so the fewer potential entry points that exist, the better protected the system will be.
The goal when reducing the attack surface of a device or system is threefold. The important steps are to reduce the amount of code running on the device, to limit the number of potential data entry or extraction points, and to close down any services which might be running but are not essential to the operation of the system.
An additional benefit to the reduction of a system’s attack surface is that by switching off non-required functions and reducing the code being executed, the system’s processing resources will be freed up, which could result in enhanced performance if a solution is close to its limits.
As the access routes to a device and availability of services are increased, so is the potential exposure to cyber attacks. Functionalities such as remote access and third party integration can also create vulnerabilities. While these will be essential in many applications, it is worth double-checking. If they are not required, best practice is to disable them.
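As an added illustration (not from the original article), the check for non-essential services can be automated by comparing what a device is actually listening on against the ports its role needs. The sketch assumes a Linux-based device where `ss -tlnH` output can be collected; the role baseline and the sample output are constructed for the example.

```python
# Added example: audit listening TCP sockets against a per-role baseline.
REQUIRED_PORTS = {"camera": {443, 554}}  # hypothetical baseline: HTTPS and RTSP

# Constructed sample of `ss -tlnH` output from a hypothetical camera.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:554 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 [::]:21 [::]:*
LISTEN 0 16 127.0.0.1:8080 0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; split on the last colon for IPv6.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # Drop IPv6 brackets and any interface scope such as "%lo".
        listeners.append((addr.strip("[]").split("%")[0], int(port)))
    return listeners


def audit(role, ss_output):
    """Split non-required listeners into network-exposed and local-only."""
    required = REQUIRED_PORTS[role]
    exposed, local_only = set(), set()
    for addr, port in parse_listeners(ss_output):
        if port in required:
            continue
        (local_only if addr in LOOPBACK else exposed).add(port)
    # Exposed extras are candidates to disable; local-only ones need review.
    return {"disable": sorted(exposed), "review": sorted(local_only)}


if __name__ == "__main__":
    print(audit("camera", SAMPLE_SS))
```

Anything reported under "disable" is reachable from the network and outside the baseline, so it is either switched off or added to the baseline with a documented reason.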
If devices, services and applications do not need to interact, integrators should always limit connectivity between them. This could mean preventing any connections, or limiting them to essential tasks only. It is also worth considering the introduction of notifications when connectivity occurs, allowing the user to ensure such activities are authorised and genuine.
Additionally, segmenting elements of a smart system controlling security, building management and other site-specific tasks from the corporate network is a good measure, thereby reducing risks of smart resources and business resources adversely affecting each other.
It is important to understand and deploy industry standard security protocols when suitable, including multi-level user authentication and authorisation, password protection, SSL/TLS encryption, 802.1X, IP filtering and certificate management.
Thankfully an increasing number of device manufacturers include features and functions which are specifically aimed at enhancing cybersecurity as standard. Such functionality should always be deployed.
It is also critical to ensure firmware for system components is regularly updated. Whilst some take the attitude that if a device works as expected it is not worth updating the firmware, it must be remembered that upgrades include security patches and bug fixes that eliminate evolving vulnerabilities.
An important part of attack surface reduction is the hardening of endpoints. An endpoint is an edge device. Such devices might be cameras, codecs, sensors and detectors, door readers, power management points, infrastructure elements or any other IP-connected device that is positioned in an insecure area.
The servers and software, storage units, power management systems and other essential peripherals will typically be installed inside a secure area, but this does not mean they are not vulnerable to cyberattack. Even in a system isolated from the WAN, edge devices – the endpoints – could potentially offer a connection from the outside world into the core of the system.
When considering external interference with a network, many consider connectivity to a WAN such as the internet as the weak point. As a result, often their sole focus is on protecting against access via this route, ignoring the risk of a potential intrusion via an unprotected endpoint.
It is important to consider the security of all endpoints, because in a worst case scenario a criminal could disable the entire system by accessing it via such a connection. An often quoted example was the significant attack against retailer Target in the US. The attack cost the business close to $20 million, not including loss of business. The attack was instigated via the HVAC system.
The core steps required to harden endpoints include some basic tasks. Ensuring that devices are updated with any firmware upgrades is essential. Password management is important, as is ensuring that user permissions are applied in a way that helps the customer restrict control of the system to authorised personnel only.
Deploying appropriate encryption is also pivotal. All credible smart devices will support this, and it is important that integrators understand how to use it correctly. If in doubt, ask the manufacturer; leading companies who are serious about cybersecurity will provide a wide range of documentation and educational resources.
Many edge devices have features designed to simplify installation and set-up. Some will be used by the integrator, and others are designed for use by the end user. Once these features have been used for configuration, best practice is to disable them.
It is also prudent to ensure that the end user is made aware of any risks associated with services running which they might want to remain active.
The use of IP filtering should also be implemented. Most smart system endpoints can be configured to allow access solely by trusted servers within the system. IP filtering can help ensure that other devices, including remote servers, cannot gain access to them.
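An IP filter only restricts access if its entries are as narrow as the set of trusted servers. The following added example (not from the original article) audits an endpoint's allowlist for entries that are too broad or that leave a trusted server out; the addresses, the allowlists and the `MAX_HOSTS` threshold are constructed assumptions.

```python
import ipaddress

# Constructed values: the system's trusted servers and one endpoint's filter.
TRUSTED_SERVERS = ["10.20.0.10", "10.20.0.11"]
DEVICE_ALLOWLIST = ["10.20.0.10/32", "10.20.0.0/16", "0.0.0.0/0"]
HARDENED_ALLOWLIST = ["10.20.0.10/32", "10.20.0.11/32"]
MAX_HOSTS = 16  # assumed policy: wider entries need a documented reason


def is_allowed(source_ip, allowlist):
    """True if the filter would admit a connection from source_ip."""
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(e, strict=False) for e in allowlist)


def audit_allowlist(allowlist, trusted):
    """Return (finding, subject) tuples for weak or incomplete filters."""
    findings = []
    nets = [ipaddress.ip_network(e, strict=False) for e in allowlist]
    servers = [ipaddress.ip_address(s) for s in trusted]
    for net in nets:
        if net.prefixlen == 0:
            # Matches every address, so the filter restricts nothing.
            findings.append(("allow-any", str(net)))
        elif net.num_addresses > MAX_HOSTS:
            findings.append(("too-broad", str(net)))
        elif not any(s in net for s in servers):
            # Narrow entry that admits hosts outside the trusted set.
            findings.append(("no-trusted-server", str(net)))
    for s in servers:
        if not any(s in n for n in nets):
            # A trusted server would be locked out of the device.
            findings.append(("server-not-covered", str(s)))
    return findings


if __name__ == "__main__":
    print(audit_allowlist(DEVICE_ALLOWLIST, TRUSTED_SERVERS))
    print(audit_allowlist(HARDENED_ALLOWLIST, TRUSTED_SERVERS))
    print(is_allowed("192.0.2.50", DEVICE_ALLOWLIST))
    print(is_allowed("192.0.2.50", HARDENED_ALLOWLIST))
```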
Cybersecurity is a complex subject and one which is constantly evolving. It is vital to continually assess threats and take appropriate action. However, the majority of attacks are opportunistic, and usually succeed solely because the basic protections have not been put in place.
There is no simple solution to cyber crime, and working with a customer’s IT team will be an important step. However, few end users are likely to consider the implementation of a smart solution if simple strategies such as reducing the attack surface have not been put in place.