Q & A with Derek Manky, Chief, Security Insights with Fortinet
November 29, 2019
Earlier this year, Fortinet, a California-based global provider of network security appliances, published results of a global survey of chief information and security officers which revealed that IoT is now the second-most concerning mode of cyberattack.
We spoke with Fortinet’s Derek Manky, who is based in Vancouver, about the IoT cyberthreat vulnerabilities in buildings.
Is Buildings IoT something your company is focused on?
BIoT falls under OT (operations technology) for us, and we do have solutions, and it’s an active area of research for my team. We have a small but specialized ethical hacking team (white hat), and we try to beat hackers at their own game. If we can find a flaw first, then we can offer protection for our customers, and we can also work with vendors to help them address those flaws in their products—and that’s especially critical for not only IoT, but operational technology like building management systems (BMS) as well.
So, you’re working with IoT product developers to correct potential vulnerabilities before they come to market?
Yes, we’re trying to be proactive. All too often security is reactive, so the more proactive you can be, the better. And the reality is that the world of IoT doesn’t have a mature security history. Everything that Microsoft went through 20 years ago to protect computers and systems from viruses and hacking is just starting to happen in the IoT and operational technology space.
The good news is that there have been a lot of lessons learned through that history. But the bad news is that the state of security is not where it should be right now for that sector.
Where is IoT security lacking?
Right now there are no frequent updates done in the field, because it’s not necessary for a lot of these devices. Maybe when there are new enhancements or new features, minor security patches may be added to these products, but generally there are not regularly scheduled updates, and that’s a big problem out there today in the industry from my point of view.
There are a lot of holes when it comes to security on these devices.
Are wireless IoT technologies more open to being hacked?
If you think like an attacker, you need transit, a vehicle to get into the system you’re trying to hack. The transit is the communication protocol. For wireless devices, Bluetooth is more secure because it requires close-range proximity. Wi-Fi of course is IP-connected, so depending on how the security architecture and policies are set up, that’s where the biggest problems are.
Either through Wi-Fi or through having a public connection to the Internet, that’s the majority of cases that we see out there.
What are the threats to a building?
People ask, ‘why would anyone want to attack my smart light fixture or thermostat, because there’s no data on it?’ But hackers use these devices in a leapfrog approach.
Because the devices don’t have mature security stacks, if an attacker can access them—again using that transit, usually through public IP, or Wi-Fi—then they can use that vehicle and from there they have an active connection and they can move laterally within a building.
They can actually go after other IT systems within the building. It’s an effective approach, because traditionally that hardware and those controls aren’t always part of the security architecture.
How about devices that connect to the cloud, is that another vulnerability?
Absolutely. Even newer building management systems, although using more modern technology, quite often don’t have the right updates and patches. And when you have cloud-based reporting, again you have that transit. The game is a little different though.
When you look at the main threat landscape, we split them into two types of attacks: client-based attacks, like getting into a local BMS; and server-based attacks. Generally, when you look at the giants of the cloud service providers (Amazon, Microsoft, etc.), they have more mature security stacks. So those are more secure environments than the other closer-to-home situations.
What cyberthreats should a building owner be most concerned about?
In the case of a building management system, you could see where infrastructure could be targeted for ransom, effectively hijacking a whole building and shutting down the controls, which could lead to revenue loss or other personal harm.
And denial of service could be someone hacking into a device, or multiple devices, and one or more devices effectively just crash, leading to downtime and cost to replace the devices.
And what are the solutions?
From a building owner perspective, the best solution is keeping your systems up to date to protect your assets.
Keep in mind that IT security can protect those building management systems.
Control identification of users and access management—in our world we call it segmentation—lock down different areas of the network and only give access to people who should have access.