Lighting and air conditioning systems in the enterprise could be targets of cyber attacks, as an increasing number of things are connected to the Internet, according to Gartner analyst Christian Byrnes.
In remarks at the Gartner Security & Risk Management Summit in Sydney, Byrnes said IT security professionals must secure operational technologies in the enterprise that typically have not been under their purview.
“Physical security and information security are converging so rapidly that it’s becoming impossible to separate them,” the analyst said.
The people who will conduct the attacks are the same ones IT security professionals have dealt with for years, including industrial spies, foreign nations and hacktivists, Byrnes said. “They just have this whole other world of vulnerabilities to pursue now, and they’re learning about it rapidly.”
The trend known as the 'Internet of Things' means there is an increasing number of connected devices. While more Internet-connected devices can provide efficiencies to businesses, they are all targets for cyber attacks, according to Byrnes.
“The Internet that we are currently experiencing is not the Internet that we were familiar with five years ago and 10 years ago,” he said. “Things are changing extremely rapidly.”
Today, more than half of total connections to the Internet are not people, said Byrnes. In the enterprise, it’s likely that IT does not know about, and therefore does not control, every connected device, including lighting, air conditioning and other operational technologies, he said.
“Chances are you don’t [know], because the people that connected it don’t want to be part of IT.”
In certain businesses, an attack on unsecured operational technology could have dire consequences, Byrnes said. In a facility where lighting is critical to worker safety, for example, a security breach could lead to many deaths.
Addressing this challenge has been difficult due to “outright denial” in many businesses that there are vulnerabilities with such systems.
Another barrier has been outdated government regulations that make it more difficult to make security changes, he said. In the healthcare industry, for example, regulations have made it more difficult for IT to even implement security patches, he said.
“If we could just say the information security team has responsibility for all technology-based security, we could probably get past this, but we haven’t been able to do this in any single industry.”
Follow Adam Bender on Twitter: @WatchAdam