At the NEDAS Spring Virtual Symposium, five industry experts convened to discuss the challenges convergence faces from bad actors on the Internet and how cybersecurity is critical at the network edge. Panelists included Richard Hayton, Chief Strategy and Innovation Officer of Trustonic; John Contestabile, Director of Public Safety Solutions at Skyline Technology Solutions; Fred Gordy, Director of Cyber Security & Managing Consultant at Intelligent Buildings, LLC; Joel Rakow, CISO and Partner at Fortium Partners; and Ray Hild, Principal and Founder of Triangle Advisory.
Cybercrime is predicted to reach $6 trillion in damages annually in 2021. According to research by the University of Maryland, hackers attack every 39 seconds (or 2200 times per day), with more than 50% of attacks proving successful. Of the successful attacks, more than 50% gained entry through building systems. The number one point of entry has been determined to be Voice over IP (VoIP) and phone systems, followed by the DVR component of video surveillance systems, and business systems like scanners and copiers. What becomes important in cybersecurity is securing Internet of Things (IoT) devices to prevent attacks from occurring within the Ethernet band.
To maintain security, isolating devices becomes important and can be done at the software level, cryptographically, or with the physical wire. If devices are isolated, they cannot have full privileges as soon as they join a shared network. If devices and networks cannot be isolated, the main focus should be on monitoring connection points between networks and systems, with the right firewalls, protocols, and controls in place. Things can be thought of as having three layers: the data, integration, and presentation layers. In the data layer, systems have varying levels of security protocols; the presentation layer is the interface with the user; and the integration layer manages the flow of information between the two. The integration layer is where infrastructure and protocols can be built to isolate and manage the exchange of data.
Most companies don’t have a clear grasp of how many devices they have connected to their network, which creates security vulnerabilities. For example, a manufacturer in Australia was firm in his belief that there were only four devices connected to the company’s network. In reality, there were 32. Over the years, devices can get plugged in, and maybe even forgotten, which leaves a potential route for hackers. One such device is the Raspberry Pi, an inexpensive device that people can use to learn how to code. However, the Jet Propulsion Laboratory also unknowingly had one of these devices connected to their network, which someone used to steal over half a gigabyte in engineering drawings from entities like SpaceX, NASA, and the military. Such a small device was able to do a large amount of damage even in a network that was thought to be controlled. This highlights the importance of understanding what devices are connected to a network.
The challenge is that some network aspects, like video surveillance and other operational technologies, are not controlled by the CIO. It is important that once someone is inside the network, they are not able to move freely around. Many of the attacks within the last year have come from users using a device that controls the entire building to check their email or social media, letting in a hacker and ransomware. Either companies have to pay the ransom or they need a backup in place, which many fail to do. However, on top of the technology, people need to be properly trained so that they can protect the network as well, whether that means ensuring that staff is trained for competency or having the right IT staff to support cybersecurity initiatives.
Protecting networks does not have one single facet; instead, it is a combination of strategies to ensure that network access is being protected. Especially as more companies implement digital transformation strategies, it is clear that no one is exempt from cybersecurity. While emerging technologies like Zero Trust architecture are effective tools, they are not the “end all be all” of cybersecurity.
Check out the video on YouTube to watch the entire panel discussion that took place at the NEDAS Spring Virtual Symposium.