In this guest blog post, Christian Koch, Senior Manager GRC & IoT/OT at NTT Security, warns of the dangers that "non-classical" IT systems, especially those from the Internet of Things (IoT), pose to corporate networks.

Most employees are not that naive anymore. They know not to open the attachment of an email from an unknown sender or use a found USB stick. But there are risks that even security experts are unaware of – especially through IoT and the integration of systems not traditionally part of IT.

This means new potential targets are emerging in corporate networks, and the resulting risk usually takes two forms. On the one hand, the systems themselves can be disrupted, damaged or paralyzed by attackers, which, depending on the type of system, can have consequences ranging from unpleasant to devastating. On the other hand, attackers can use these systems as a springboard to penetrate the corporate network.

Companies should pay particular attention to the following scenarios:

  1. Lifts are a prime example of the IoT's range of applications – remote diagnosis of faults and remote maintenance considerably increase the efficiency of the facilities. What is far less clear is that the maintenance companies, which may not have a security concept of their own, usually have uncontrolled access to IT.
  2. Modern air conditioning systems are often accessible via the internet for maintenance purposes. This provides a dangerous route into the corporate network. Manipulation of an air conditioning system – for example in the data center – can cause devastating damage through overheating or even system failure.
  3. Fire detection systems are also usually not taken into consideration in security concepts. Manipulation can significantly disrupt operations, for example through false alarms. It can also cause considerable damage, for example by activating a sprinkler system.
  4. Access control systems are often integrated into the IT infrastructure, but this creates a gateway through which attackers can not only gain unauthorized physical access but also reach the corporate network.
  5. More or less all companies depend on an undisturbed power supply, so the effects of a successful attack are all the more serious here. Independent power supplies and power management systems are, in most cases, not perceived as a possible point of attack.
  6. Entertainment systems are used in many companies, such as television sets in the conference room. Popular smart TVs have a connection to the web that can be easily accessed. The cameras of smart TVs can, for example, be activated remotely, but very few companies have the security of their TVs on their radar.
  7. Even in canteens, devices are now often networked, such as smart coffee machines, some of which have displays for awareness campaigns or general company news. For troubleshooting or reordering coffee, several manufacturers have remote access to the machines. However, this access is usually not controlled, and since care is taken over the availability of the coffee machine but not over the corresponding software updates and security configuration, this creates a simple gateway into the corporate network.

The IT security philosophy traditionally focuses on IT systems and networks. However, this no longer corresponds to the current threat situation. In the age of IoT, potentially anything that is powered by electricity and contains an internet-addressable component is automatically a potential target for attack. Companies must therefore urgently expand their field of vision and mitigate these risks as well.