Managing the security perils of pumps and meters

Preventing and reducing the damage from breaches requires companies to follow best practices and to have an effective response plan in place.

Pumps, meters and similar devices have made it easier for consumers to pay for gas and other products and services, but they are also filled with potential risks. Last year, a fraud scheme that involved service stations in the Minneapolis-St. Paul area compromised 900 consumer accounts.

Geoff Brown, CEO of Machine-to-Machine Intelligence Corporation, says connections enable real-time monitoring, better electricity management and data analysis, but also pose privacy risks.

The Twin Cities case, in which a California couple were accused of placing data-swiping gadgets in gas pumps, highlighted the vulnerability of these devices. The data skimmers possessed Bluetooth capabilities that enabled the cyberthieves to steal information remotely.

“The device pretty much uses the same components as what is in a gas pump,” said Plymouth Police Department detective Dareen McGann in an article with Fox 9 Twin Cities. He added that there is no way “of detecting these devices unless you physically open up the pumps and look.”

Criminals may have one additional advantage. McGann said that only two manufacturers produce gas pumps and that one universal key unlocks both of them.

The physical openness of pumps and meters has made them difficult to protect. But companies can take steps to prevent data theft.

Looking past ‘standards’

To be sure, no matter how strong a system may be, hackers will always find a way to expose vulnerabilities. Standards are perpetually obsolete.

Duane Kuroda, senior threat researcher at threat management firm Netcitadel, explains that the owners of pumps and meters can reduce their risk by following best practices similar to other areas of cybersecurity. Kuroda says that it’s important to monitor the data that is being generated by these devices.

“No new approaches seem necessary if you apply ‘good hygiene’ with existing systems and do not provide direct access to Internet connected systems,” Kuroda says, but adds, “Attackers are innovative. Breaches will happen.”

Part of the challenge is that systems are becoming increasingly connected, exposing the most secure systems to internal threats.

“Connections enable real-time monitoring, better electricity management and data analysis,” says Geoff Brown, CEO at Machine-to-Machine Intelligence (M2Mi) Corporation, which integrates cybersecurity, infrastructure automation and global carrier bandwidth services. “But they also pose security and privacy risks.”

Limiting network access

Pumps and meters offer easy points of entry for thieves to gain access to additional data systems and networks. It’s important for organizations to educate their employees about these vulnerabilities and to establish checkpoints that deter access to information.

“There are three main tactics applied to preventing unauthorized access,” says Kuroda. “These include encryption, identity access management and network access control.”

Encryption obscures commands generated, queries typed and keys used. Identity access ensures that information is available on a need-to-know basis. Network access control makes sure that users do not accidentally stray off path and make unauthorized changes.

“One of the biggest issues is and always has been the human factor,” says Kuroda. “Systems can be breached if a user clicks on a link that he or she shouldn’t.”

Developing a response plan

In the event of a breach, businesses can reduce the damage by having a swift response program in place.

“Automated incident response systems are now hitting the market,” Kuroda says. “These can automatically lock down a detected threat and are an important line of defense.”

These systems should be programmed to identify red flags.

“A new approach may be necessary for breach detection and response, where unusual behaviors of privileged accounts are used to detect a likely breach, and automated incident response systems kick in to lock down, re-segment and contain the breach,” says Kuroda.

Brown encourages business owners to look past the pump and focus on data centers to reinforce protective measures.

“Solutions that establish security in the data center through corresponding networks and then the end-point devices are inherently more secure,” Brown says. “As most solutions start with the end-point device, connect through the networks and then hit the data center, the security model is usually weak as the hardest part of corporate data center security compliance is neglected.”

Ritika Puri
Ritika Puri is a San Francisco-based blogger who covers the intersection of data, sociology, and technology. She transforms marketing strategies into revenue-generating growth engines.
Tags: IT Security,Technology