Essential Install December 2016 - Page 20

Essential Install | Security Blind Data Cliff Stammers, founder of Crestron programming company Oxberry takes a view on cyber security. Safe and houses? Systems need protection on the inside as well as on the outside Locking up after yourself is a fact of life, keeping your personal effects secure is an entirely reasonable approach to adopt. So, in this age where so many of us live ‘online’ possessions and personal effects are comprised largely of less intangible things like data and information, so why do a great many of us appear to nonchalantly give up any kind of responsibility to safeguard these things? I want to detail how programmers and integrators can make sure that their clients retain a sensible degree of security over the networks that form the skeleton of their control systems. About two years ago, one of my colleagues showed me a website that played host to hundreds of control systems that had not been secured. There I saw a jaw-dropping queue of processors that were open to the Internet, metaphorically showing off their knickers to all and sundry with not a care in the world! Now, had we been an unscrupulous lot, we’d have been able to shut down any one of these systems stretching from Seattle to Sydney and everywhere in between. It was astonishing how little regard was being shown to making these systems data-safe and it opened our eyes to how important security is to what we do. We resolved to make this a core element in our quest for more robust programming and in solidifying the services we offer our customers. The biggest ally we found in this was when our favoured processors implemented Secure Shell (SSH) as a default. SSH is a safe environment within which files can be safely transferred over any IT-based network. Similar to this is Secure Sockets Layering (SSL) which handles a different type of file transfer, but does it as tightly. Both of these protocols are available to us when we’re programming control systems. From time to time both the SSH and SSL ‘shells’ have to open their doors to the outside world, so devices can access the Internet for functions such as firmware updates or to access outside metadata for plug-ins such as Public Transport updates and weather reports. Well, it’s true that the automation network might not necessarily need to reach the outside world for these types of reasons. But for certain, if your client wants to access their set up remotely, then this is an example of one of the very few times when any one of a number of doors into the SSH building will be unlocked. Unlike the example I gave at the outset of this piece, where I saw hundreds of processors with their SSH doors left not only unlocked, but wide open and never shut. Bad practice indeed and one that should never be accepted. Crestron has restricted access to its networks by building dedicated doors through which a handful of its devices can be accessed and providing these doors are guarded sensibly, the opportunity for rogue incursions is minimal. The certification known as 802.11x is a family of protocols that used to work well for this type of duty, but then too many demands were made of it and it began to falter. More latterly it has found less favour as an Access Control method, as has X.509 certification, although this does live on as a part of the aforementioned SSL protocol. When you consider that there are currently something like 11.4 billion devices online at any one time, it’s easy to see how these access certifications might begin to struggle. Remember: data is valuable. If you’ve never stopped to consider just how valuable, let me point you in the direction of Google. And, to a lesser extent but still just as viable, Facebook, Twitter, Amazon and Netflix. These are companies that have captured the analytics animal and have set about milking it dry. Google was practically founded on the concept of gathering search data and selling it, Amazon, as well. Although they also had a revenue stream with foundations in a more traditional method, that of retail, Amazon was quick to see the benefit of harvesting information pertaining to product purchases and to use that information to promote similar products. Now, depending on your point of view, that’s either clever or sinister, but either way it’s a fact of life that appears to be tolerated in the modern age. It’s data. Your data. Don’t give it away. Who knows how long it will be before control automation companies see the benefit of this type of data and start harvesting it for their own ends. Maybe they have already? I’m not privy to anything by the way. I’m simply speculating. It’s an interesting thought, wouldn’t you say? 18 | December 2016 Oxberry.indd 18 15/12/2016 10:31