The world is becoming increasingly connected, so the need for security and privacy is integral to modern society, says Raj Samani, vice-president and CTO of McAfee Europe.
With everything becoming connected, from smart meters to cars, security has to be part of the design to ensure protection from considerably advanced cyber threats, he told Computer Weekly.
Connected systems are extremely beneficial, he said, as demonstrated by US energy firms that used advanced infrastructure to pinpoint domestic power outages during Hurricane Sandy, but these advantages could be undermined if security and privacy are not given proper consideration.
“Soon every home on an energy grid will be connected, so we need to ensure that they are connected in a way that is secure, because with smart meters continually reporting a wealth of information, the risks to privacy could be gigantic,” said Samani.
The personal details that can be deduced from the data that will be collected cannot be underestimated, he said, with some researchers demonstrating that they are able to use smart meter data to determine exactly what appliances are being used, and even what TV shows and films are being watched.
It is only natural that energy suppliers and other providers of infrastructure migrate to the latest, connected technologies, he said, because of the business benefits they provide.
However, Samani said that while digital systems extend the number of threat actors, this trend also creates new opportunities for security and privacy if systems are designed with these in mind.
“The London 2012 Olympics are a good example of a greenfield project where security can be built in from the ground up,” he said.
According to the CIO of the Games, there were no problems despite the supporting IT being hit by cyber attacks every day during the event, including one major assault.
With every technology refresh, organisations have the opportunity to review security, which can be as often as every 2-5 years for the enterprise, said Samani.
However, with critical national infrastructure (CNI), that could be only every 25-30 years, so as in most brownfield situations, compensating controls are vitally important, he said.
While it would be better to embed security into CNI systems, Samani said it was easier to create baselines for these systems and create whitelists to allow only approved processes.
The security industry, he said, has an important role to play in ensuring that CNI suppliers and other organisations can derive the business benefit of new technologies, yet remain secure.
However, in a connected world, organisations need to remember that security often goes beyond the confines of the organisation, said Samani.
“Security of all the organisations that make up the supply chain is one of the biggest issues facing information security professionals today,” he said.
Even if an organisation has only 60-80 suppliers, when sub-contractors are factored in, it becomes clear that there could be up to 800 stakeholders, each a potential risk.
“Organisations now need to start thinking of security more in terms of an interdependent ecosystem, and start seeking to build security into the connecting fabric,” said Samani.