Published Date 2/28/19 7:30 AM
In recent years, computer security has shifted from being an issue for professionals only to a news topic in the mainstream media around the world.
From the alleged interference by Russian hackers in the US presidential elections, to the Facebook–Cambridge Analytica data scandal, computer security problems are increasingly becoming front-page news.
Technologies such as the Internet of Things, being an extension of computers and networks to the “physical world”, bring the topic of security even closer to our everyday lives, both personally and as part of our work.
The impact of this evolution in terms of security obviously also includes the HVAC/R sector, where smart industrial systems, in order to provide customers with innovative services, are increasingly connected, with data available via cloud technologies.
Considering the trends shown in the following graphs, understanding the key issues of computer security becomes a priority, so as to correctly manage and mitigate the related risks.
(Source: Symantec monthly threat report Feb. 2019 - https://www.symantec.com/security-center/publications/monthlythreatreport)
So in practical terms, what is computer security and what does it involve?
In general, it involves the protection of systems, networks and applications against digital attacks, with the aim of guaranteeing three key aspects:
- Confidentiality: another way of saying privacy, i.e. ensuring that sensitive information cannot be accessed by the wrong people.
- Integrity: this means that data, except in the case of authorised modifications, must remain unaltered both when stored in a computer system and when being transferred.
- Availability: the information must be usable when necessary.
The fundamental tasks needed to guarantee these three aspects are not limited to preventing Denial of Service attacks, but also include the implementation of backup/restore strategies, so as to ensure high reliability, business continuity and disaster recovery.
The main types of attack include:
- Denial of Service: this type of attack affects the availability of a system or service by overloading its resources to such an extent as to prevent it from responding to user requests.
- Man-in-the-Middle: a hacker eavesdrops on communications between users and the service they are connected to, intercepting the information transmitted.
- Phishing: using a mix of technology and social engineering, the user is tricked into revealing confidential information, such as login credentials or credit card numbers.
- Malware: this is software that, when installed on devices by exploiting their vulnerabilities, is used to steal confidential information.
- Password attack: here the aim is to discover the user’s credentials, either by trying all of the password combinations (brute force) or by working through pre-compiled lists of access keys (dictionary attack).
(Source: Imperva - Example of cross-site scripting)
How then can we respond to and mitigate the risks related to the aforementioned threats?
First of all, it should be stressed that security is not just technology; it is a continuous and constantly evolving process in which, as in all processes, humans are a key factor.
People play various important roles in the security process, for example:
- In the design and management of systems: a wide range of highly advanced skills is required to design a secure product.
- When defining company processes: it is essential to spread security awareness at all levels. In fact, the approach to security needs to be supported by a high-level strategy, as well as by security technology architecture.
- During everyday use of computer systems: for example, even the most secure systems, if protected by passwords that are weak, never changed or left unattended, can be exposed to any kind of intrusion.
It is clear that security can be seen as a chain, which is only as strong as its weakest link.
So let’s examine what the main best practices are to ensure that there are no weaknesses and to help maintain the security of information technology assets:
- Asset mapping and risk assessment: the company’s information technology assets are categorised based on their value for the business and the risks associated with the technologies used. This gives a map that is used to build the security strategy, understanding where and how to invest the most resources, and managing the trade-off between security, usability and cost.
- Security by design: the mapping process described above allows a security awareness policy to be included right from the design of products and services. In this step, design criteria are implemented that help mitigate security risks. Being proactive in this step is essential to avoid problems throughout the life of the product, and for this reason it is advisable to contact certified, specialist cybersecurity partners who can support technical decisions and bring added value through their experience, as well as offering an additional point of view compared to the designers of the product.
- Periodic security assessments: as mentioned previously, security is a continuous process. When a new product or service is released, during important updates and in any case at least once a year, it is essential to carry out a security vulnerability assessment and penetration testing. These procedures replicate what hackers would do in trying to violate the system, so as to test countermeasures and verify that there are no vulnerabilities. This can be done by company personnel; however, it is much more valuable when specialist outside companies provide ethical hackers who, with very high skills and a different viewpoint from those who designed the systems, try to violate them and then give the designers a report containing all the vulnerabilities identified so that they can correct them.
- Response process and management of security incidents: it is important to have specific and periodically tested procedures that can identify, manage and promptly correct any security issues. One important input to this process is a product or service monitoring system that, operating 24 hours a day, can precisely identify where action should be taken in the event of problems.
- Security training and awareness at all levels: it is essential for all personnel to receive adequate training on exposure to computer security risks, from correct management of credentials and information to continuous technical updates on possible threats.
By following these practices and keeping the correct technical and business processes continuously active and up-to-date, it is possible to drastically reduce exposure to risks and thus fully exploit the opportunities that the cloud and IoT can bring to HVAC/R.