Knowing a bit about technology, passwords and security, I assumed my electronic devices were pretty safe from hacking. After attending the Conference Board of Canada’s conference on cyber security last week, I’m no longer sure.
There were a number of interesting insights shared, such as that the data in your car is worth three times the value of the car. For most cars, securing the data is an add-on or afterthought, and the various pieces of software in a car can use up to 6 different operating systems. Most cars’ software can be relatively easy to hack, with the exception of the Tesla, which was designed with security in mind rather than as an afterthought. The US has the Security and Privacy in Your Car Act (abbreviated to the SPY Car Act 2015) that requires all vehicles made in 2017 and on to be “equipped with reasonable measures to protect against hacking attacks”. It also regulates the car’s internal networks so that the software managing critical functions such as steering and braking cannot be hacked. There are no such requirements in Canada.
There were other discussions beyond car security, such as how to secure smart cities; how to deal with security in the age of the Internet of Things (IoT); as well as privacy and access concerns.
The major theme was that security features must be an integral part of the software and hardware design, as opposed to being an add-on after the design, as seems to be the case currently. To be effective, security has to be part of the organisation’s culture and reinforced from the top down.
CIOs have the ultimate responsibility for ensuring that the IT service providers they engage have the same security oversight as the organisation itself, including security reviews by a third party at least once a year, with the results of that review shared with customers. CIOs should also ensure that senior management and the Board understand the risks linked to cyber security as it relates to their organisation and, as the senior IT professional, report regularly to the Board and executives on those risks and how they are being managed.
Servers used to be the target of hackers because, once they got in, they would have access to all sorts of information. Then smart phones and mobile devices were the targets of hackers. Now the connected devices referred to as the Internet of Things have become the target, as iOS and Android are doing a better job of securing their mobile devices.
The Internet of Things (IoT) is connecting more devices every day. According to Gartner, there were 6.4 billion connected things in 2016 and, on average, 10 million new “things” are added every day. Securing IoT devices involves not only securing the devices themselves but also the networks and applications that link those devices. When acquiring an IoT connected device, check that there is an upgrade path so that updates and security patches can be applied. Items like nursery monitors connected to a smart phone may be hacked, but if the nursery monitor’s software can’t be updated, the security fix cannot be applied.
One of the speakers described how his company gives its internal “hacking” team a challenge each year. Last year it was to get into their network through their tea kettle. They had a small cube in the kettle that sent an alert to the smart phone when the kettle was boiling. The hackers noted that the device automatically connected to the strongest Wi-Fi and used that link to hack the network.
While this was an amusing story, many others were not. Hacking a medical device (e.g. a medical infusion pump) using custom code, connected through the USB port, could administer a fatal dosage to the patient. Pacemakers can be hacked because it was assumed that only the cardiologist would have access to the information and device, and as such no security was built in.
With the expected increase of IoT devices, security is an increasingly important consideration in acquiring new devices and keeping existing ones. As Clay Shirky, a professor at NYU, noted, “It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public.”