Hard target

We’re about a week away from ISC East, but I’m not going to be there for this one, so let’s have a cybersecurity topic this week on Monitoring Matters instead.

In fact, if you want to do a bit of studying before your homework this week, please take the time to read Bud Broomhead’s excellent guest editorial on security infrastructure. One of the topics it covers is the recent ransomware attacks that affected Las Vegas casino groups MGM Resorts and Caesars Entertainment.

I won’t beat you over the head again about the dangers of ransomware attacks, but a big international destination like the casinos in Las Vegas getting hacked leaves hundreds of millions of their clientele across the globe exposed. That potentially puts those resort groups on the hook for some very expensive class action lawsuits, to say nothing of operational costs incurred from these intrusions, and any actual ransoms that may be paid.

In a world evolving to meet such a serious threat it makes sense that the powers-that-be might be jumping to implement safeguards against cybercrimes. That’s precisely what the European Union’s (EU) aim was with the implementation of the Cyber Resilience Act last year. That law requires manufacturers to assess cybersecurity risks for their products and holds them liable for fixing any problems with them for a period of up to five years.

Brilliant, is what you’re probably thinking, unless you’re a corporation in the EU I suppose. Several of them including Siemens, Ericsson, and Bosch to name a few, issued a letter decrying the law as onerous and that it would be responsible for supply chain disruptions the like of which was seen during COVID. I’d be a lot more sympathetic to those claims if it didn’t have the whiff of sour grapes, and profit margins to them. I’d also say that arguments come off more convincing when they aren’t leveled like a threat against a governing body.

Maybe you’re thinking that I’m being too heavy handed in my condemnation of their actions. After all, who needs their desk lamp to receive a 5+ year service warranty? Well smart products have infiltrated every single industry imaginable. In the security industry we don’t just have cameras, we’ve got smart locks, drones & robots, turnstiles, card readers, and any numbers of authentication and verification devices. What about ancillary objects that tie into those ecosystems? Smart thermostats are a potential target of hackers as well.

You know, another American casino was infiltrated about six years ago, and do you know how those hackers got in? They stole 10 gigabytes of data through a fish tank. Maybe it’s in all our best interests to secure our IoT devices?

Fish food for thought.