Essential Install | Security

Blind Data

Cliff Stammers, founder of Crestron programming company Oxberry, takes a view on cyber security.

Safe as houses? Systems need protection on the inside as well as on the outside.
Locking up after yourself is a fact of life; keeping your personal effects secure is an entirely reasonable approach to adopt. So, in this age where so many of us live ‘online’, and possessions and personal effects are comprised largely of less tangible things like data and information, why do a great many of us appear to nonchalantly give up any responsibility for safeguarding them? I want to detail how programmers and integrators can make sure that their clients retain a sensible degree of security over the networks that form the skeleton of their control systems.
About two years ago, one of my colleagues showed me a website that played host to hundreds of control systems that had not been secured. There I saw a jaw-dropping queue of processors that were open to the Internet, metaphorically showing off their knickers to all and sundry with not a care in the world! Now, had we been an unscrupulous lot, we’d have been able to shut down any one of these systems stretching from Seattle to Sydney and everywhere in between. It was astonishing how little regard was being shown to making these systems data-safe, and it opened our eyes to how important security is to what we do.
We resolved to make this a core element in our quest for more robust programming and in solidifying the services we offer our customers. The biggest ally we found in this was when our favoured processors implemented Secure Shell (SSH) as a default. SSH provides an encrypted channel within which files can be safely transferred over any IT-based network. Similar to this is Secure Sockets Layer (SSL), which handles a different type of file transfer, but does it just as tightly. Both of these protocols are available to us when we’re programming control systems.
From time to time both the SSH and SSL ‘shells’ have to open their doors to the outside world, so that devices can access the Internet for functions such as firmware updates, or to fetch outside metadata for plug-ins such as public transport updates and weather reports.

Well, it’s true that the automation network might not necessarily need to reach the outside world for these types of reasons. But for certain, if your client wants to access their set-up remotely, then this is an example of one of the very few times when any one of a number of doors into the SSH building will be unlocked. That is unlike the example I gave at the outset of this piece, where I saw hundreds of processors with their SSH doors left not only unlocked, but wide open and never shut: bad practice indeed, and one that should never be accepted.
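The audit a defender would want to run against their own estate before anyone else finds it on a website like the one described above, as an added example that is not Oxberry's or Crestron's code: the Python below walks a device inventory and flags every processor whose SSH or HTTPS management service is reachable from any source address. The inventory format, device names, addresses and firewall-rule shape are all constructed assumptions for this illustration; the port numbers are the IANA defaults for the two protocols named in the column.

```python
"""Exposure audit for control-system processors (added illustration).

Assumptions (not from the original column): each device is recorded with
its address, the ports it listens on and the source CIDRs its firewall
allows to reach those ports. Device names and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The two management services the column is concerned with.
MANAGEMENT_PORTS = {22: "ssh", 443: "https"}

# Ranges treated as "not public" for this audit. Documentation ranges
# such as 203.0.113.0/24 are deliberately left out so the constructed
# sample below behaves like a routable address.
PRIVATE_NETS = tuple(ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
))


@dataclass(frozen=True)
class Device:
    name: str
    address: str
    open_ports: tuple        # ports the processor listens on
    allowed_sources: tuple   # CIDR strings permitted to reach them


@dataclass(frozen=True)
class Finding:
    device: str
    port: int
    service: str
    severity: str            # "critical" or "warning"
    detail: str


def is_public(address: str) -> bool:
    """True unless the address falls inside one of PRIVATE_NETS."""
    addr = ip_address(address)
    return not any(addr in net for net in PRIVATE_NETS)


def open_to_world(cidrs) -> bool:
    """True when any allowed-source rule covers the whole address space."""
    return any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def audit(inventory):
    """Flag management ports whose firewall rule admits any source.

    A public address with such a rule is the 'wide open door' from the
    column (critical). A private address with the same rule is only one
    port-forward away from the same state, so it is reported as a warning.
    """
    findings = []
    for dev in inventory:
        if not open_to_world(dev.allowed_sources):
            continue
        for port in dev.open_ports:
            service = MANAGEMENT_PORTS.get(port)
            if service is None:
                continue
            if is_public(dev.address):
                findings.append(Finding(dev.name, port, service, "critical",
                    f"{service} on public {dev.address} reachable from any source"))
            else:
                findings.append(Finding(dev.name, port, service, "warning",
                    f"{service} allowed from any source; exposed the moment "
                    f"{dev.address} is port-forwarded"))
    return findings


def restrict_to(inventory, management_cidr: str):
    """Corrected configuration: replace every any-source rule with the
    management range remote users actually arrive from (e.g. a VPN pool)."""
    return [
        Device(d.name, d.address, d.open_ports,
               tuple(management_cidr
                     if ip_network(c, strict=False).prefixlen == 0 else c
                     for c in d.allowed_sources))
        for d in inventory
    ]


# Constructed sample inventory (hypothetical names and addresses).
INVENTORY = [
    Device("cp-boardroom", "203.0.113.10", (22, 443), ("0.0.0.0/0",)),
    Device("cp-lobby", "203.0.113.11", (22,), ("198.51.100.0/24",)),
    Device("cp-residence", "10.0.5.20", (22, 443), ("0.0.0.0/0",)),
    Device("cp-plantroom", "10.0.5.21", (22,), ("10.0.0.0/8",)),
]


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f.severity.upper()}] {f.device}:{f.port} {f.detail}")
    print("after restricting to the VPN range:",
          audit(restrict_to(INVENTORY, "198.51.100.0/24")) or "no findings")
```

Run as a script it reports two critical findings for the boardroom processor and two warnings for the residence, and nothing once every any-source rule has been narrowed to the management range; the same `audit` function can be pointed at a real inventory exported from whatever firewall or processor configuration tool is in use.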
Crestron has restricted access to its networks by building dedicated doors through which a handful of its devices can be accessed, and providing these doors are guarded sensibly, the opportunity for rogue incursions is minimal. The certification known as 802.11x is a family of protocols that used to work well for this type of duty, but then too many demands were made of it and it began to falter. Latterly it has found less favour as an access control method, as has X.509 certification, although this does live on as a part of the aforementioned SSL protocol. When you consider that there are currently something like 11.4 billion devices online at any one time, it’s easy to see how these access certifications might begin to struggle.
Remember: data is valuable. If you’ve never stopped to consider just how valuable, let me point you in the direction of Google and, to a lesser extent but still just as viable, Facebook, Twitter, Amazon and Netflix. These are companies that have captured the analytics animal and have set about milking it dry. Google was practically founded on the concept of gathering search data and selling it; Amazon, too. Although it also had a revenue stream with foundations in a more traditional method, that of retail, Amazon was quick to see the benefit of harvesting information pertaining to product purchases and of using that information to promote similar products. Now, depending on your point of view, that’s either clever or sinister, but either way it’s a fact of life that appears to be tolerated in the modern age. It’s data. Your data. Don’t give it away.
Who knows how long it will be before control automation companies see the benefit of this type of data and start harvesting it for their own ends. Maybe they have already? I’m not privy to anything, by the way; I’m simply speculating. It’s an interesting thought, wouldn’t you say?
18 | December 2016