A Distributed Denial of Service (DDoS) attack on Dyn took down Spotify, Twitter and other major websites on October 21, 2016. Forensic work in the wake of the attacks places some of the blame on hardware — security cameras — that were taken over by the Mirai botnet.
What does that mean for you? We sat down for a Q and A with Anthony Tatman, director of IT for ECT Services.
1. Most organizations will not feel the direct impact if their devices are taken over and used in a DDoS attack. Why should organizations/facility managers be concerned about attacks and device/system vulnerabilities? Are there other risks?
There are typically no direct repercussions for the end user yet, but with the economic impacts these types of attacks can have on important industrial, financial and commerce sites, there will be ever greater efforts to find ways of mitigating these attacks and finding ways to promote greater device security. There are lawsuits lining up for the makers of these insecure devices, and the FTC is investigating the security practices of these industries. It is not hard to imagine new regulatory guidance for these types of devices, which means more cost for us as consumers and potentially legal responsibility if an owner makes no attempt to secure them.
Aside from legal liability, one primary reason for concern for business leaders is that these devices are pathways into a network. If I can get to your webcam or your DVR inside your network, what else can I get access into?
If you do not take proper steps in securing these devices, an individual could gain various levels of control over parts of the building management systems. It would be simple to view security and temperature control devices and information.
If you want to see examples, a group runs and showcases a small sample of non-password-protected internet cameras it discovers at the following site: https://www.insecam.org/en/bycountry/US/.
2. IP cameras were implicated in this attack. What other kinds of devices might be vulnerable?
Other devices used in this particular attack were DVRs and internet routers. If a product has a function that I can connect to remotely, or updates to a remote service, it is potentially vulnerable. Think of the baby monitors, home security systems like Nest, the Samsung refrigerator with internal camera, faucets that I can shut off remotely from the beach, and your vehicle. There is a range of estimates that by 2020 there will be 30-100 billion internet-connected devices.
3. How can facility managers know devices and systems are secure? What questions are important to ask?
The easiest solution is to not connect things directly to the internet. If a device needs internet access, understand how it needs to be accessed and take steps to protect remote access channels. One example would be to require use of VPN-type services. Remove or disable default accounts if possible, and always change default account passwords using strong password standards. Use two-factor authentication if a product or service allows.
4. How does ECT Services ensure the devices/systems it installs are secure?
This is a big question and is very dependent on the particular customer and their system requirements. Typically our systems are not directly accessible from the Internet, and many are not remotely accessible at all. In instances where remote access is required, we work very closely with our customers, IT personnel and resources to design our systems to fit within a secured network framework, and we work to reduce the number of ways unauthorized access could be gained. We do encourage and support our customers to structure system access in a secure manner with as minimal access as required to fulfill the system's role. Our endpoint devices fall into the same vulnerabilities as any other internet-capable devices, and many of our products do have default accounts and passwords that are changed upon system implementation.