Skip to main content

Are CISOs ready for the Internet of things boom?

This article was originally published on Technology.Info.
As part of our continuing strategy for growth, ITProPortal has joined forces with Technology.Info to help us bring you the very best coverage we possibly can.

The Internet of things is being created through continuing technical advances. Computers are getting smaller, more powerful in terms of functionality, yet drawing less electrical power. These features coupled with the ubiquity of WiFi, 3G, 4G and mesh networks means that small computing devices can be embedded within the most mundane devices that previously had operated autonomously and connect them to the Internet. These devices can then report on local conditions to a central server that can understand the wider environment, and then receive instructions on how to modify their operation to achieve maximum efficiency.

The implication is that these devices can deliver just the right amount of service when required and switch off, or deliver reduced service, when they are not required. This can result not only in improved level of service, but in decreasing waste through improvements in efficiency, which in turn reduce carbon emissions and decreases operating costs. These devices are going to drive better management of energy in the built environment.

Networks of sensors and actuators working together with a central management server will act to form a ‘smart building’ that reacts to the external environment and the activities taking place within the building. Unlike many technological innovations, smart buildings are unlikely to have that ‘wow’ factor driving uptake. It is far more likely that the integration of smart building technology into office will be incremental and driven by proven energy efficiencies and a clear return on investment to landlords.

Information processing takes place primarily within buildings. For many years security professionals have deployed and audited procedures and equipment to assure the integrity of buildings so that only authorised individuals have access. However the deployment of networked devices controlling heating, cooling, ventilation, water supply etc. within a building exposes a new range of potential vulnerabilities that need management and mitigation.


Permanent damage can be caused to information systems if the data centre air conditioning is disabled. Equally, water dripping from an overflowing cistern that is constantly being replenished even though it is full due to a faulty sensor or actuator can wreck electronic equipment. Additionally, an office without water and functional washrooms is one where the workforce cannot operate without breaks.

We’ve recently seen attackers launch denial of service attacks against financial services organisations in an apparent attempt to occupy and distract security teams while more sophisticated attacks to compromise systems is undertaken. We can envisage the scenario where poorly protected environmental control systems that have not been subject to any security oversight are compromised by an attacker who switches the air conditioning to full heat and waits for the security operations team to take a break to cool down before launching an attack on sensitive systems.

Attackers may be able to send fake sensor readings to a server, send unauthorised commands to an actuator, or simply take control of the command system. We can be certain that vulnerabilities will be discovered in the software contained on these devices that will need patching. But who will be responsible for patching these systems, and how quickly will this be performed? These risks will require policies, procedures and mitigations to manage the risk to an acceptable level.

Security professionals are constantly seeking to reduce the scope of security audits. However, as the Internet of things permeates the built environment, we need to start considering the wider environment as part of the scope of the security analyses to ensure that the security goals of the smart building devices are compatible with the security goals of the organisation that occupies the building.

Not every smart building will necessarily require state of the art defenses to protect its networked devices, but information security professionals need to be aware of the possibility that there may be vulnerable devices controlling the building environment and services. Security pros need to know the right questions to ask landlords to ensure that the security of the building control systems meets the needs of the information processing taking place within the building. As an industry we need to start thinking about the security implications of the Internet of things, because one thing is for sure, sooner or later these systems will come under attack.

Martin Lee is the technical lead of threat intelligence atCisco