Cyber-attacks targeting unsecured connected devices on the rise, experts warn
Middle East organisations need to be wary of the dangers posed by increasingly sophisticated cyber-attacks that target unsecured internet-accessible devices and building control systems (BCS), warned global independent safety science firm UL.
According to the firm, an increasing number of companies are connecting to the Internet of Things (IoT) to run an ever-increasing network of life safety and security products. By doing so, they are leaving themselves open to attack by hackers who can access secure and sensitive systems via a web-connected BCS such as security alarm control panels, access control systems, intrusion detection units, smoke and fire alarm control units, and mass notification systems.
Louis Chavez, principal engineer for life safety and security products within UL’s Building and Life Safety Technologies division, said, “Introducing proper security measures can help to reduce any vulnerabilities in a company’s cybersecurity network and prevent hackers from using a BCS to remotely disarm security systems, take control of CCTV cameras or access essential fire and smoke alarm systems.
“IoT devices can expose a BCS to attacks that would otherwise require local on-site access. These can emanate from anywhere and can potentially lead to broader systems being compromised,” he added.
Implementing proper security measures and controls can help mitigate the cybersecurity vulnerabilities of web-connected BCS products. These include viewing a building’s system holistically, and not as a series of separate products.
“It is important to analyse and test how products securely communicate with each other once they are connected to the larger system. All devices connected to the internet should be considered at risk, as even the most secure life safety and security products can be hacked if they are sharing an internet connection with less secure devices,” said Chavez.
Another simple way to protect against cyber-attack is to change the default passwords set by the manufacturer, such as ‘1234’ or ‘admin’, before a new product is connected.
Remote connectivity is also an area of vulnerability. The rise in smartphones means many building systems can be controlled remotely. However, if a remote connection is not secure then such a network is highly susceptible to attack.
The UL 2900 series of cybersecurity standards has been developed to address cybersecurity for life safety and security products, providing a foundational set of criteria that manufacturers of network-connectable products can use to establish a baseline of protection against known vulnerabilities, weaknesses and malware.
Hamid Syed, vice president and general manager in the Middle East for UL, said, “The increasing use of and dependence on devices that are connected to the internet exposes users to sophisticated attacks. Whereas in the recent past these would require on-site access, nowadays they can be launched from anywhere. This is a worrying proposition for companies who depend on building control systems and other life safety and security products.
“However, this need not be the price we pay for the ‘always on’ environment we now take for granted in the 21st century. Effective measures, some of which are relatively simple, can protect buildings and companies from attack by cybercriminals and hackers,” said Syed.