UK Construction Online’s Matt Brown speaks with Vince Warrington, founder of Protective Intelligence, about the emergence of smart building technology and the evolving cyber threats facing unsuspecting companies.
Vince is a leading Information Assurance and Cyber Security expert with over 15 years’ experience heading-up large-scale, organisation-wide IT and cyber security programmes for central Government departments, blue chip private companies and well-known voluntary organisations across the globe.
Vince founded Protective Intelligence in 2005 to provide an optimum IT and cyber security service to enable organisations to effectively prevent accidental data leaks, secure their IT networks successfully and deliver robust security awareness training for all staff and stakeholders. His mission is to educate businesses, charities and Government departments to move away from traditional IT security models, to one where everyone within an organisation works towards the common goal of protecting information through joint responsibility and co-ordinated thinking.
When people hear the term ‘cyber security’, they may think of things like Norton or McAfee on their PCs but it’s is much bigger than that isn’t it?
What people may think of when it comes to cyber security, the likes of Norton and McAfee, we call ‘end point protection’. This basically just protects a single computer but actual cyber security is much wider than that.
It involves everything from what people might think of as typical hackers and expands out to what happened with the US election. It is massive – you have nation states fighting each other in cyber space; you’ve got serious organized criminals making millions and millions of dollars from cyber crime. It is a pretty big area.
Some people see hacking in films and it seems to be magic tool for the bad guys to wreak havoc but what realistically can happen if a smart building was to come under attack?
We’ve had one not too long ago in Finland. Hackers managed to gain control of a smart building’s air conditioning system and managed to turn it off remotely.
Some might look at this scenario and think ‘so what?’ – just go back in and turn it on again.
However, what people might not realise is that these systems are collecting a lot of data at the same time. When we look at the future in terms of concepts like smart cities, buildings might be talking to each other to make sure they’re making the best use of energy. If that was to be tampered with, a cyber criminal could have ability to knock the lights off in a person’s building because the one next door has been compromised.
An attacker could decide to crank up the building’s energy usage by turning up all the high energy consuming functions such as the air conditioning. It has implications for everything from people’s houses right through to data centres and power stations.
We are at this stage where smart technology is being put into many areas but what tends to happen is that they think of the use for it rather than the security around it; the security is very much an afterthought.
Quite often, the devices used have very simple administrator credentials; things such as ‘administrator’ and ‘password’ as default log in details that have never been changed since initial set up.
If you have a fully smart building it is entirely plausible that somebody could get into those systems and carry out attacks that could disable lifts when they’re in use or even switch off fire monitoring systems.
Sometimes you would need to get access to the building itself depending on how the devices are setup but quite often, you could as send an email to the appropriate person in the building with an attachment on it that contains a device called a ‘key logger’. This would record every keystroke you make on your computer and send it back to the hacker. They will then know remotely the user names and passwords for getting into the building’s systems.
Could something like the smart meter roll-out be compromised?
The people rolling the programme out will say that they conducted all their tests and I’m sure they have but experience tell me that, inevitably, somebody will find a weakness because there is always one somewhere. You can test for the most common stuff but you just can’t test for everything.
Typically, what a cyber criminal will do is use something called a ‘zero day exploit’. This is a hack or flaw that nobody else has seen before to manipulate that system.
This is really hard to defend against because even the manufacturer of the device hasn’t seen that flaw or that kind of attack before so it’s really difficult to stop.
The concern for people at home is that it is entirely possible for false energy consumption figures to be sent back to the supplier.
Do people think that cyber security is just something that doesn’t apply to them?
I think with the general public, there is a feeling that it is something they don’t really need to worry about. In business, although awareness is getting better, there is still a mind-set of ‘Why would anybody want to hack us?’
One of the things you have to say to people is their data has value to somebody else. We’ve heard of incidents where companies have been hacked by their competitors to find out what they’re bidding for a tender.
The private sector is starting to get it but there is still an element of people burying their heads in the sand and thinking it’s just the IT department asking for money for something with flashing lights on that they view as non-essential.
Could you tell me the kind of distress and disruption ransomware could have upon an SME business?
SMEs are particularly vulnerable to ransomware. It is almost like a virus with a specific design. Once you become infected, it then encrypts all the data that it can find on your computer and servers. Until you pay the ransom, you cannot use that data and it essentially turns your computers into stone.
There are only two ways out of this; the first is to restore all your data from a backup, which is time consuming and even for an SME, could take days to recover all the information. That’s assuming the back ups are current and haven’t been also been corrupted.
The other option is to pay the ransom. Most authorities would recommend that you don’t do that. As a last resort, you might be tempted to do so but there are no guarantees that your data would be released. The hackers already have what they want – your money.
SMEs are especially susceptible because they tend to have less strict back up regimes and controls. If you are in the building industry and you’re constantly sending and receiving information like Word documents and PDFs in your email system, this makes you quite vulnerable because the infected files are usually masquerading as those types of documents.
Do criminals target certain devices more than others?
Windows devices are attacked the most simply because of their numbers. It may surprise a lot of people but something like 90% of the entire world’s computers run a version of Windows.
There’s a myth that Apple devices don’t get hacked or don’t have viruses but it’s simply a numbers game. If you’re a cyber criminal, you go for the biggest pool because that’s where you get your most success.
In terms of mobile devices, Android is attacked more than Apple. The primary reason for this being that Android is open architecture so people can see how it works and manipulate it. Apple, on the other hand, keep their operating systems very tightly under control.
We are also seeing smart systems and the Internet of Things (IoT) devices get hit quite a lot these days. Primarily because they are used to create what are known as ‘Botnets’ and then used to undertake a DDoS attack.
You might remember in the news last year when half the Internet dropped off one day – this was because of a DDoS attack.
It’s like the London Underground; in normal hours everything flows fine but in the rush hour, as soon as you get ten times the number of people trying to get through the system, everything jams up. It’s the same principle with these IoT attacks using a bit of code to flood the target with too much data until the target company or website’s servers just basically stop working.
That again is because these smart devices have very poor security and are very easy to manipulate.
Is the threat evolving and if so, how can security keep pace?
If your laptop has Microsoft Windows 10 on it for example, you will often find there are regular security updates.
Things like anti-virus and operating system software get updated quite regularly and most of this happens in the background without the end-user even noticing.
The problem we have with smart buildings is that those systems, as they stand at the moment, are quite difficult to update. Things like smart meters have a basic, stripped down computer inside them without much security bolted on top. The issue is having those devices connected to the Internet and then getting the manufacturers of those to supply update and patches.
Quite often we will see a device come onto the market and then because technology is moving so fast, manufacturers will drop support for it shortly afterwards.
One of the things that the government will have to examine is making sure that the manufacturers of these products are regularly updating the devices with the latest security patches. That really should be the responsibility of the manufacturers rather than the people installing it into buildings.
I don’t think a building company should necessarily need a massive team of cyber security experts looking at every single device they plug in. They should be able to trust that the device is secure and the manufacturers make sure it is secure by default.
Is enough being done to track down cyber criminals?
In the past, if somebody came into a Post Office with a balaclava and a shotgun, you are probably going to be able to narrow down the search quite quickly, whereas nowadays if somebody comes into your virtual finance system and steals money, that person could be sat at computer in Kazakhstan. There’s a real problem in attributing who is undertaking the attacks.
The launch of the new National Cyber Security Centre a few weeks back is part of the government’s efforts to encourage businesses to take cyber security more seriously. Ultimately, there is only so far governments can go in regulating; it’s down to individuals and businesses to make sure they are taking it seriously.
The EU General Data Protection Regulation (EU GDPR or GDPR), which will essentially replace the Data Protection Act from May 2018, is something else businesses must consider.
The difference between the present system and the new regulations that should make businesses sit up and take notice is that currently the Information Commissioners Office can fine companies a maximum of £500,000 for a data breach. The most they have ever fined any company is £400,000 and that was when Talk Talk got hit a few years ago.
The new regulations can hit firms with fines of up to €20M or 4% of global revenue – so that’s a significant increase.
One of the other aspects is that as soon as you become aware of a data breach where personal data has been lost, it must be reported within 72 hours.
There is now a lot of incentive to ensure people start taking cyber security more seriously because you’re going to end up with an Information Commissioner levying some massive fines on people.
Is either public or private sector taking the initiative on this?
I don’t think either are driving it particularly well at the moment. We currently have a situation where the government doesn’t really want to mandate any sort of security standards onto businesses.
Their feeling is that the EU GDPR will do that for them. There is a real reluctance within government to mandate security although they obviously will be giving out guidance advising companies to take the threat seriously but won’t actually force any compliance.
In terms of the private sector, it is getting better. We are now getting boards of big companies realising this is a problem that just can’t be passed off to the IT department to deal with and represents a genuine business risk.
Unfortunately what tends to happen is a company gets burned by one of these things and only then they decide to take it seriously. We need firms to appreciate it is a big risk before they become a victim.
There is an unwillingness within senior management levels to say that this is something we have to take seriously because its not their world; it’s not something they understand – it’s just IT stuff to them.
One of the things we’re trying to do is get around to companies and make them aware that is a business risk. It’s not about an IT or technology risk, it’s about how you react as a company when a ransomware attack occurs and you can’t access all of your data; you can’t pay your staff because everything is frozen.
How do you act as a business if you go and install devices into buildings that turn out to be massively insecure? How do deal with the reputation damage?
Inevitably somebody will put up a big building in Canary Wharf, something bad will happen and it won’t be the manufacturer to blame, it will be the property developer and the construction firms who suffer the reputation damage.
The message is clear, industry, government and public need to be aware of their cyber security requirements and keep up-to-date. Cyber Essentials can put you on the path to a safer digital future.
If you would like to read more articles like this then please click here
The post Massive Attack: Protection of Smart Buildings against cyber threats appeared first on UK Construction Online.