The NSA recently warned in an article of the risks of the connected office. The NSA report said: “Connected devices provide more entry points for adversaries to attack and while we enjoy personalized care from everyday items such as our office furniture, we might be unknowingly giving our adversaries more sensitive information than we intend.”
Steelcase is one of the largest office furniture makers in the world and a trend-setter in the field of connected, smart offices. OfficeRepublic asked Stu Bergman, Information Security Architect at Steelcase, and Barbara Hiemstra, Privacy Engineer at Steelcase, about the NSA article and the way Steelcase secures the data and networks of its customers.
Does Steelcase agree with the tenor of the NSA article that IoT solutions in the workplace pose a potential threat to a company using Smart Desks or other Smart office solutions?
Bergman: “Yes, we do. Any electronic device poses a potential threat to the network and other devices connected to it. The highest level of risk is putting a device on a sensitive network with no network controls between these cloud-connected devices and sensitive on-premises systems. There are various approaches to mitigate these risks through network isolation, through network behavior anomaly monitoring, and network access and flow control tools.”
Bergman continues: “The article is also very correct in stating that the cloud platform (the “I” in IoT where analytics processing often occurs) and the data collected must be protected properly to preserve confidentiality and integrity. For authorized access, strong identity management is essential. While the collected data might seem innocuous, it could be possible to use analysis to re-identify activity and individuals if the proper privacy designs are not in place.”
Hiemstra: “Yes, I believe Steelcase has been aware that any connected device in the work environment could be a threat. For that reason, they have invested in people, education and tools to review and secure our product offerings. Additionally, we are pursuing Service Organization Controls (SOC2) compliance for our Smart and Connected product line. SOC2 compliance means an outside assessment of the controls for security, privacy, business continuity, training and change management meet accepted standards.”
Which measures does Steelcase take to ensure the security of its customers?
Bergman: “Before entering into the field of IoT, we were mandated at the highest levels to ensure the systems were designed with security and privacy in mind to protect our customers and their people.
All designs run through a security and privacy review as we create new products and services. We use a secure software design life cycle methodology where source code is scanned for vulnerabilities and secure composition. We use third-party penetration testing both for release and annual security assurance. We run regular vulnerability scans of running systems and conduct automated system patching for our cloud-based applications.
Connect to an isolated network segment
While we strongly recommend that the on-premises devices are connected to an isolated network segment, we build our products to withstand a variety of attacks with measures such as turning off all listening ports, configuration of the on-premises devices through the cloud portal, pushing over-the-air updates to keep the devices up to date at all times, using signed updates and using factory-provisioned, customer-specific keys that are rotated upon installation.
Our cloud platform is hosted on Microsoft Azure, where we monitor all traffic inbound and outbound from our subscription and use third-party next-generation firewall appliances and Web Application Firewalls to detect IOCs (Indicators of Compromise) and to detect and block attacks. We utilize event probes and log collection for event analysis and monitor with a staffed service that looks at events 24×7.
Steelcase has dedicated security staff for application security, cloud security, and privacy and compliance controls. Steelcase leverages the Microsoft AAD service to allow customers to use their existing login mechanisms and policies to authenticate to Steelcase applications.”
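The update-signing and key-rotation measures Bergman lists above are easy to state and easy to get subtly wrong. The following is an added example, not Steelcase's code, of what a device-side check for them looks like: the device ships with a factory-provisioned key, accepts a replacement key only under that key at installation, and afterwards applies an update only if the manifest authenticates under the current key, carries a higher version than anything already installed, and matches the digest of the image actually delivered. The manifest format, field names and rotation message are invented for the example, and authentication uses HMAC-SHA256 with a per-device symmetric key so that it runs on the standard library alone; a production design would normally sign manifests with an asymmetric key (e.g. Ed25519) so that the device holds only a public key and no signing secret.

```python
"""Device-side verification of authenticated OTA updates with key rotation.

Added example (not Steelcase code). Message format and field names are
invented. HMAC-SHA256 stands in for the asymmetric signature a real
update pipeline would use.
"""
import hashlib
import hmac
import json
import secrets


class UpdateError(Exception):
    """Any failed check raises this; the device keeps its current state."""


def canonical(body):
    # Sort keys and strip whitespace so cloud and device MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(key, body):
    """Cloud side: authenticate a message body under the device's current key."""
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class Device:
    def __init__(self, device_id, factory_key):
        self.device_id = device_id
        self.key = factory_key   # customer-specific key provisioned at the factory
        self.version = 0         # highest version ever accepted (anti-rollback)

    def _verify(self, message, expected_type):
        body = message["body"]
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare so a forger learns nothing from timing.
        if not hmac.compare_digest(expected, message["mac"]):
            raise UpdateError("bad MAC")
        if body.get("device_id") != self.device_id:
            raise UpdateError("wrong device")          # no replay across devices
        if body.get("type") != expected_type:
            raise UpdateError("wrong message type")    # no rotation-as-update confusion
        return body

    def rotate_key(self, message):
        """At installation: replace the factory key with one sent under it.
        From here on, anything authenticated with the factory key fails."""
        body = self._verify(message, "rotate_key")
        self.key = bytes.fromhex(body["new_key"])

    def apply_update(self, manifest, image):
        body = self._verify(manifest, "update")
        if body["version"] <= self.version:
            raise UpdateError("rollback refused")
        if hashlib.sha256(image).hexdigest() != body["sha256"]:
            raise UpdateError("image digest mismatch")
        self.version = body["version"]
        return True


def outcome(fn, *args):
    try:
        fn(*args)
        return "ok"
    except UpdateError as err:
        return str(err)


def demo():
    """Walk one device through install, a good update and three bad ones."""
    factory_key = secrets.token_bytes(32)
    new_key = secrets.token_bytes(32)
    dev = Device("desk-0001", factory_key)
    image = b"firmware image v2 (constructed sample bytes)"
    digest = hashlib.sha256(image).hexdigest()
    results = {}
    results["rotate"] = outcome(dev.rotate_key, make_message(
        factory_key, {"type": "rotate_key", "device_id": "desk-0001", "new_key": new_key.hex()}))
    good = make_message(new_key, {"type": "update", "device_id": "desk-0001",
                                  "version": 2, "sha256": digest})
    results["good_update"] = outcome(dev.apply_update, good, image)
    stale = make_message(factory_key, {"type": "update", "device_id": "desk-0001",
                                       "version": 3, "sha256": digest})
    results["factory_key_after_rotation"] = outcome(dev.apply_update, stale, image)
    old = make_message(new_key, {"type": "update", "device_id": "desk-0001",
                                 "version": 1, "sha256": digest})
    results["rollback"] = outcome(dev.apply_update, old, image)
    v3 = make_message(new_key, {"type": "update", "device_id": "desk-0001",
                                "version": 3, "sha256": digest})
    results["tampered_image"] = outcome(dev.apply_update, v3, image + b"\x00")
    results["final_version"] = dev.version
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of checks matters: the MAC is verified before any field of the body is trusted, the device id is checked so a manifest captured from one desk cannot be replayed to another, and the version check runs before the digest check so an attacker cannot use a valid older manifest to downgrade to firmware with a known flaw.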
Privacy Impact Assessments
Hiemstra: “For protection of customers’ privacy information, privacy-focused staff are included in the production release process with a go/no-go vote based on guidelines for collection, storing, processing or sharing of any Personal Data. We conduct Privacy Impact Assessments in many areas, including Smart + Connected. Working closely with Legal and Product Development, Privacy is consulted at many points to ensure Steelcase maintains our agreements with our customers and any local regulations. We use the product ourselves and make sure our employees are aware and comfortable with the use of any data involved.”
Does Steelcase communicate with customers about possible threats of IoT solutions in furniture?
Bergman: “Steelcase monitors threats in our systems and addresses them in a timely manner through code updates or customer communications. Where a customer needs to be involved (either through the nature of an attack or through action that needs to be taken by a customer) we work directly with our customers and the dealers they are used to working with. Steelcase has incident response processes to address actual incidents.”
Does Steelcase know of attacks, or attempted attacks, on business-sensitive information through its furniture?
Hiemstra: “I am not aware of any successful attacks on Steelcase’s business-sensitive information through furniture.”
Over 20,000 unsuccessful attacks seen in a month
Bergman: “While we have not seen attacks that were able to penetrate the multiple levels of defense we have in place, we do monitor the attacks taking place. For instance, in August 2018 we saw more than 20,000 attempts on our IoT cloud platform from around the world. The largest percentage originated with an IP address source in China, followed by Germany and US registered addresses. None of these attempts was successful.”
Many thanks to Steelcase for sharing their way of working and insights on this subject with OfficeRepublic. Smart workplaces bring many benefits, but manufacturers of office furniture must be aware of the possible risks that IoT solutions entail.