TenneT; EDSO; security; critical infrastructure

As the Internet of Things becomes more ubiquitous in the utility sector, security is more of a concern than ever before. However, Arizona-based entrepreneur, Jason Hope, has some ideas around security and convenience that may be easily incorporated into the utility sector too.

Remote access and monitoring, two-way communication and remote control are some of the obvious benefits of the Internet of Things (IoT).  According to a recent study though, all of this convenience comes with a very real security risk.  Did you know that  90% of devices collect and store personal information, or that 70% make use of unencrypted network services and that 80% of devices did not require strong enough passwords to protect against hacking?

Recent hacks against medical facilities and household devices have highlighted these risks, but with a few habit changes, convenience and security can work hand-in-hand.

With the rush to get products to market ahead of competitors, security has previously taken something of a backseat. However, in IoT security cannot be a bolt on 'after the fact' solution. It needs to be planned ahead to avoid problems later on.

When choosing IoT devices, consider the following recommendations:

Is it necessary to collect that information? Only the information that is strictly necessary should be collected, and that information should be collected from a single secure source whenever possible.

Does the device convert raw data to contextual data? Wherever possible, raw data should be converted into secondary context data, and the raw data itself should be immediately deleted.

Does it utilise decentralised data processing technology? A wider distribution helps to avoid the risks involved in large-scale centralized gathering, processing, storing and exfiltration.

Do you have a strong password culture?  Users should be required to provide high-quality, secure passwords. Additionally, password submission limitations should be enforced, preventing a hacker from using algorithms to repeatedly guess passwords.

Being aware of the importance of security is important for all users of devices within your utility. The fundamental issues of security lay with the users - not developers.

According to A user may understand the need to protect banking account information and passwords, but he may not exercise the same care on every device he might access his bank account from. He may have his passwords saved to his phone, which he has secured with a simple and easy-to-guess passcode. This would make him just one lost or stolen phone away from giving up crucial information."

With more interconnections comes more possibilities for security breaches.

Improving security culture

Following some of the basic steps outlined below can help limit vulnerabilities.

Unique passwords

Never, ever keep the default factory password unchanged. Many of these are available on the internet (I found mine online just last night...). Also don't use obvious choices like birth dates, anniversaries or other obvious choices. Do not use common English names or phrases.

Here is a list of the most commonly used passwords which reveals something about the seriousness with which password creation is taken. The list was derived from data breaches, showing what types of common passwords were frequently guessed by hackers. 'Password' is still a common and very easy password to guess.

Making passwords difficult to guess is the first and most important foundation of internet security.

Be alert to attempts to steal information
Many security breaches occur as a result of phishing scams and similar attempts. Be suspicious of social media quizzes which may be attempting to harvest data, fake login pages or communications from your bank. Social engineering is a science which phishing experts excel at, and a healthy dose of skepticism is always your best defense.

Bermudez says "It’s also a good idea to instill the habit of only supplying information to sites you’ve typed the addresses of rather than those you arrived at through clicking a link."

Always, always update your software
Manufacturers regularly provide updates as vulnerabilities become known in their software. Make sure you update your software as new patches are provided.

Viruses, Trojans and other malware largely exist to steal your information. Ensure you have antivirus software running on your computers. Although not every smart device has antivirus capabilities, all of them will communicate back with a device that does. Your personal computer should have up-to-date antivirus software running at all times. Your smart phones and tablets should also have antivirus protection, whether you rely on the factory-installed standard features or download additional apps for that process. Either way, taking proactive steps to preventing and removing malware can keep data from being mined from the affected device and everything attached to it.