Ask questions of your suppliers, and check any products that can connect to the internet to stay safe, delegates were told at the CIPS Annual Conference 2018.
The building management system being installed in Terminal 5 at Heathrow was vulnerable to hacks, said Ken Munro, a professional ethical hacker for Pen Test Partners. At the time it was being installed, 12 years ago, Munro hacked the same kind of system using a controller he bought from Amazon, gaining sufficient control to be able to unlock all doors, set off fire alarms, and create havoc in the business.
The security of that system has improved, but only last year, Munro found some with unprotected controls on the internet. It is about lax installers, not vendors, he said. “And there are similar kinds of tech in production lines. A hacker could get in and tamper with the processes that you need for your business,” he warned.
With a growing number of smart and internet-connected products potentially creating vulnerabilities, there is a risk that some of these products fall outside the IT department’s remit, and so they are not being checked, he said. Procurement can help protect the business.
“Do you know if your printer, or your coffee machine is connected to the internet so that the supplier can monitor it for maintenance or to replenish stock? Have you checked that your TV in the boardroom has the settings correct so that it is not listening to conversations and making them vulnerable to hacks - have you turned off voice control?” he asked delegates.
While some products lack security settings, some have settings that are just not being used, he said. Bluetooth 2 is an example, Munro told SM. “It has more security settings than the first one, but they are not always enabled.”
Munro demonstrated the ease with which he was able to hack a wireless kettle and break into a wifi network, gaining access to any information being shared across it.
Ask questions of your suppliers, check who is looking after the security of systems that might fall out of the remit of IT, and make it contractual that what they provide to you is secure, advised Munro. “If you don’t check or ask, they can give you rubbish.”