Bring-your-own-device policies are ever more common at work. But companies allowing this practice are not always aware of the cyber threats. Cyber vulnerability was a major theme at Mobile World Congress. How can companies protect themselves from risks posed by the use of personal mobile devices at work? Here are some answers.
For anyone charged with managing a large industrial, manufacturing or engineering facility, it is the stuff of nightmares. Stuxnet, the malicious code discovered in 2010 but believed to have been in operation since around 2007, compromised Iran’s nuclear program and reportedly ruined nearly 20% of the uranium-enrichment centrifuges at Natanz. The computer worm probably entered the facility on a USB stick belonging to a supplier or contractor.
Malware like Stuxnet could hit any industrial sector. According to Stamatis Karnouskos, an SAP researcher, it can be tailored to attack modern supervisory systems and programmable logic controllers used on assembly lines and in power plants.
Largely undetected by antivirus software at the time, Stuxnet embodies the dangers of sophisticated malware in industrial settings. It arrived just as exposure to such code was spreading. According to research from the LinkedIn Information Security Group, 40% of organizations allow employees to use their own devices at work.
Risks Ride in on Personal Devices
Firms have less control over the security of their own systems, devices and data. Employees increasingly work longer hours, in both corporate and residential environments, exposing company data to unsecured networks and so raising the chance of a data breach or other security incident.
There are also specific dangers associated with connecting unauthorized devices to corporate networks in the industrial sector, says Prakasha Ramachandra, technology practice lead for security at Aricent, a product engineering services firm.
Unlike a compromise of enterprise data, a compromise of manufacturing processes, infrastructure, energy or mining may lead to loss of life, or to loss of the availability of power, water and natural resources.
Industrial Companies Wary of BYOD
These risks have slowed adoption of BYOD in industrial environments, says Robert Dinsmore, availability product manager at SolutionsPT, an IT service provider. He added that most companies ensure that control of physical systems is walled off from the outside world and other corporate systems—the so-called air gap. But even that can be compromised.
A true air gap is the dream, but not always the reality. There are often vulnerabilities, such as a default security setting left unchanged. There is evidence malicious code can jump through three or four layers of security and affect the programmable logic controllers of industrial machines.
Current barriers between corporate and control systems are not only less than perfect, but manufacturing firms face even greater exposure as they enter the Internet of Things. Here, control systems and sensors in machines are connected to corporate systems—ERP, finance and supply chain management—to better measure performance and predict and prevent failure. Companies share this information up and down the supply chain to make it more efficient.
Despite the advantages of such interconnectivity, coupling it to BYOD could create a witch’s brew of risks difficult to manage, Dinsmore says.
Managing Risk While Offering Choice
Companies have three options to better protect themselves. The first is to ban BYOD altogether, restricting employees to devices issued and controlled by the company’s IT department.
Ian Parker, technical and security consultant at Axians, an IT consultancy firm, outlined the alternatives. Businesses can offer personnel a selection of approved mobile phones and tablets for both work and personal use. This is choose-your-own-device (CYOD). It allows corporate IT to control devices and software using mobile device management tools. Lost and stolen devices can be locked and wiped remotely to prevent loss of intellectual property and personal information.
At the back end, the IT department can place a firewall between the protected corporate network and a separate, segregated network for mobile devices that come in from outside, whether they belong to company guests or to employees.
Companies can then allow access to the corporate network only from devices they control, while offering employees and guests access to the public internet from their own devices. Parker adds that personal devices can also reach corporate information through a protected virtual private network that blocks the downloading of data to the device. In any case, a workable BYOD policy requires companies to respond to this increased threat.
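The segmentation Parker describes, as an added example that is not from the article or from Axians: an nftables ruleset for a Linux gateway sitting between the segments. The interface names, VLANs, address ranges, the VPN gateway address and port, and the jump host address are all assumptions for illustration. The point it makes concrete is that the BYOD/guest segment gets the internet and the VPN gateway and nothing else, the corporate segment reaches the plant only through one host, and the plant segment never initiates connections outward.

```nftables
#!/usr/sbin/nft -f
# Hypothetical segmentation gateway. All names and addresses are assumed:
#   eth0    uplink to the internet
#   vlan10  corporate network, company-managed devices      10.10.0.0/16
#   vlan20  BYOD / guest network, personal phones and tablets  10.20.0.0/24
#   vlan30  plant / control network, PLCs and HMIs          10.30.0.0/24
# VPN gateway reachable from BYOD: 10.10.5.10, WireGuard on UDP 51820 (assumed).
# Jump host / historian on the plant side: 10.30.0.5 (assumed).

flush ruleset

table inet segmentation {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # BYOD clients may only use this box for DNS and DHCP.
        iifname "vlan20" udp dport { 53, 67 } accept
        # Administrative SSH to the gateway from the corporate segment only.
        iifname "vlan10" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # BYOD/guest: public internet plus the VPN gateway, nothing else.
        iifname "vlan20" oifname "eth0" accept
        iifname "vlan20" ip daddr 10.10.5.10 udp dport 51820 accept
        # Explicit drop with a counter so attempts to reach corporate or
        # plant ranges from personal devices show up in `nft list ruleset`.
        iifname "vlan20" ip daddr { 10.10.0.0/16, 10.30.0.0/24 } counter drop

        # Corporate: internet, and the plant only via the jump host,
        # never directly to PLCs or HMIs.
        iifname "vlan10" oifname "eth0" accept
        iifname "vlan10" ip daddr 10.30.0.5 tcp dport { 443, 3389 } accept

        # Plant segment never initiates sessions to any other segment.
        iifname "vlan30" counter drop
    }
}
```

Load it with `nft -f` on the gateway and then check the counters on the two `counter drop` rules: a non-zero count on the BYOD rule means a personal device tried to reach an internal range, which is exactly the traffic the policy exists to stop. The VPN gateway at 10.10.5.10 is where the "no download to the device" control from the text would live; the firewall only ensures that it is the sole internal address a personal device can talk to.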