Connecting everything from toasters to city buses to the internet brings convenience, but it also introduces hidden and significant security risks. A recent story, highlighted by The Guardian, brings this issue into sharp focus and serves as a powerful reminder for all organisations.
Danish authorities are currently investigating a security loophole in hundreds of Chinese-made electric buses. This investigation was sparked by findings from Norway, which discovered that the vehicle supplier retained remote access to the buses’ control systems.
This access, intended for diagnostics and software updates, could theoretically be exploited to remotely deactivate the vehicles while in transit.
The Problem Isn’t Just Buses
While the idea of a bus being remotely disabled is alarming, the core issue is one that affects businesses of all sizes, not just public transport authorities.
The buses in question are, like many modern devices, part of the Internet of Things (IoT). They are equipped with internet connectivity, sensors, GPS, and microphones. As one Danish transport official noted, “This is not a Chinese bus problem. It is a problem for all types of vehicles and devices with electronics built in”.
This incident is a textbook example of a supply chain risk and an IoT vulnerability. The features that let a manufacturer push updates and run remote diagnostics are standard, but each one is a remote control path into the device, and that path can be misused either by the manufacturer itself or by an attacker who compromises the manufacturer's systems.
Is Your Office on Wheels?
Your organisation might not be running a fleet of buses, but it almost certainly uses connected devices. Consider your own environment:
- Smart security cameras
- Networked printers
- Smart building controls (like thermostats and lighting)
- Connected office equipment
- Even smart kettles in the staff kitchen
Each of these devices is a small computer. Like the Danish buses, they connect to the internet. They receive updates from their manufacturers. They have sensors. And most importantly, they have a place on your corporate network.
The critical questions you must ask are:
- What data are these devices collecting?
- Where are they sending that data?
- Who has remote access to them, and can that access be restricted or revoked?
The Norwegian authorities discovered the bus vulnerability by testing the vehicles in an isolated environment, where their network traffic and remote-access capability could be observed safely. Without such proactive checks, this access would have remained unknown.
Protecting Your Organisation from Hidden Risks
This news serves as a valuable lesson in the importance of a multi-layered security approach. While no single action guarantees complete protection, several measures can contribute to a stronger and more resilient security posture.
- Understand Your Assets: You cannot protect what you do not know you have. Maintaining a clear inventory of all connected devices on your network, including which vendor services each device is expected to contact, is a fundamental first step.
- Vet Your Supply Chain: When procuring new technology, consider the manufacturer’s security practices. Ask whether the vendor retains remote access to the device, whether that access can be disabled, and how updates are delivered and verified. Understanding where a device comes from and how it is maintained is a critical part of modern risk assessment.
- Implement Network Monitoring: Monitor the traffic leaving your network, particularly from IoT devices. A device that should only talk to its vendor’s update servers but is sending data to an unexpected server, or a device on the network that is not in your inventory at all, is worth investigating.
- Conduct Security Assessments: The complexity of IoT and supply chain security means that vulnerabilities are often not obvious. A professional security assessment can help identify and mitigate these hidden risks before they are exploited.
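As an added illustration of the inventory and monitoring points above (this is example code written for this page, not a tool from the original article or from Vertex), the following Python script reviews outbound flow records against an asset inventory. It assumes the inventory records, for each device IP, the vendor networks that device is expected to reach, and that the perimeter firewall exports outbound flows as key=value lines; the inventory, the addresses (RFC 5737 documentation ranges) and the log lines are all constructed for the example.

```python
"""Egress-flow review for an IoT asset inventory.

Added example, not code from the original article or from Vertex. It
assumes two things the article does not specify: that an asset inventory
maps each device's internal IP to the vendor networks it is expected to
reach, and that the firewall exports outbound flow records as key=value
lines. The inventory, addresses and log lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed asset inventory: device IP -> name and the vendor networks
# (RFC 5737 documentation ranges) the device is expected to contact.
INVENTORY = {
    "10.0.20.11": {"name": "lobby-camera-01", "allowed": ["192.0.2.0/24"]},
    "10.0.20.12": {"name": "mfp-printer-2f", "allowed": ["198.51.100.10/32"]},
    "10.0.20.13": {"name": "hvac-thermostat", "allowed": ["192.0.2.0/24"]},
}

# Constructed outbound flow records (assumed to contain only traffic that
# leaves the network), in the key=value style many firewalls can emit.
FLOW_LOG = """\
ts=2025-11-05T08:01:12Z src=10.0.20.11 dst=192.0.2.40 dport=443 proto=tcp bytes=5120
ts=2025-11-05T08:01:15Z src=10.0.20.12 dst=198.51.100.10 dport=443 proto=tcp bytes=2048
ts=2025-11-05T08:02:03Z src=10.0.20.13 dst=203.0.113.77 dport=8883 proto=tcp bytes=71200
ts=2025-11-05T08:02:09Z src=10.0.20.44 dst=203.0.113.9 dport=443 proto=tcp bytes=900
ts=2025-11-05T08:03:30Z src=10.0.20.11 dst=192.0.2.41 dport=443 proto=tcp bytes=4096
"""

FLOW_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+) bytes=(?P<bytes>\d+)"
)


@dataclass
class Finding:
    kind: str       # "unknown_device" or "unexpected_destination"
    src: str
    dst: str
    dport: int
    device: str = ""  # inventory name, empty for uninventoried sources


def parse_flows(text):
    """Yield one dict per well-formed flow line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["bytes"] = int(rec["bytes"])
            yield rec


def destination_allowed(dst, allowed_cidrs):
    """True if dst falls inside any of the device's expected vendor networks."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowed_cidrs)


def review_egress(flow_text, inventory):
    """Return findings in log order: flows from sources missing from the
    inventory, and flows from inventoried devices to destinations outside
    their vendor allowlist."""
    findings = []
    for rec in parse_flows(flow_text):
        entry = inventory.get(rec["src"])
        if entry is None:
            findings.append(Finding("unknown_device", rec["src"], rec["dst"], rec["dport"]))
        elif not destination_allowed(rec["dst"], entry["allowed"]):
            findings.append(Finding("unexpected_destination", rec["src"], rec["dst"],
                                    rec["dport"], entry["name"]))
    return findings


if __name__ == "__main__":
    for f in review_egress(FLOW_LOG, INVENTORY):
        who = f.device or "UNINVENTORIED"
        print(f"{f.kind:22} {who:16} {f.src} -> {f.dst}:{f.dport}")
```

Run against the constructed log it reports two things: the thermostat reaching an address outside its vendor range on port 8883 (the registered port for MQTT over TLS), and a source at 10.0.20.44 that is not in the inventory at all. Both are exactly the questions from earlier in this article (where is the device sending data, and what is on the network). With a real firewall or NetFlow export, replace FLOW_LOG with that export and INVENTORY with your asset register; the allowlist per device is also the starting point for an egress firewall rule that only permits those destinations.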
The Danish bus incident is a clear signal that the technologies we adopt for efficiency and innovation must also be scrutinised for security.
Navigating the complexities of IoT and supply chain security is a significant challenge for any organisation. If you have concerns about your network’s security or wish to understand the potential risks associated with your connected devices, contact the expert team at Vertex. We can provide tailored solutions to help you build a more secure and resilient business.