Research

  1. Trusted Managed Security Provider | Solutionary
  2. Research
  3. Security Intelligence
  4. Everyday Equipment with Cellular Capabilities - Convenient or Concerning?

Everyday Equipment with Cellular Capabilities - Convenient or Concerning?

Recent incidents have brought to light a fairly significant security vulnerability that has gone all but unnoticed for years. Equipment designers have taken to embedding cellular communications capabilities into medical equipment, process control equipment, HVAC systems and many other types of equipment and systems across a number of industries.

This economical direct access method is used for support, troubleshooting and updating the system software. While embedding this cellular connection has a number of benefits for the equipment/system supplier, it is a headache for security professionals.

This has caused many to raise concerns. Early in 2010, Indian officials were prompted to ban Chinese cellular equipment over concerns that spyware or malicious software was embedded in the devices. Officials were concerned that the embedded malware could give Chinese intelligence agencies access to control and other systems as well as the ability to extract ongoing intelligence.

Other security professionals have much more general concerns.

The cell based connectivity for maintenance and support often create an unwanted, unknown, and most of all, unsecured connection to the Internet.

The worldwide embedded cellular communications market segment is experiencing
the best times and double-digit market growth that is expected to continue for
several years to come. This rapidly evolving digital cell phone industry brings together parts of consumer electronics, communication, information technology, media and industrial control equipment.

Evolving industry standards promote faster and broader adoption of interface standards that will drive embedded applications. Embedded cellular access for vendor support has benefits, but must be done in a secure fashion. Left unsecured, these devices could result in a data breach or malicious misconfiguration of the equipment or system and could have catastrophic results.

Recommended Actions:

  1. Work with your purchasing and contracting departments to mandate that all equipment vendors fully disclose any embedded cellular communication capabilities. Remember this could bridge through the equipment or system to other open or closed private networks.
  2. If you can, do not allow equipment or systems to operate with embedded cellular
    communications technology until it is secure.
  3. Work with the equipment or system vendor to establish a mechanism to monitor
    all the equipment with the embedded cellular communication back to the equipment vendor or contracted support organization.

 

January, 2011

Newsletter Sign-up Contact Sales Request Demo

Image
  • The vast majority of these connections do not have firewalls, anti-virus or other security software to protect the systems they support.
     
  • Many of the security departments of the organizations that own, rent or lease these systems are unaware of the remote cellular modem access.
     
  • Attacks on cellular devices are dramatically increasing in general. This trend is expected to increase the risk of integral cellular connections.

www.solutionary.com - 866-333-2133