Originally Posted by tastyfish
Asking "How secure is it?" is not really going to get you an answer either way. I've worked in the security industry for 20 years and I can tell you that, although the site doesn't host personal information in terms of CC numbers (PANs), it does contain valuable data (your usernames and passwords) and is also of interest to hackers, as our tanks are now part of the Internet of Things.
Disappointingly, when I asked this question previously, I got a "we use https, so we are secure" answer, which is what every security professional dreads to hear.
What I would be more interested in hearing about is policy (e.g. adhering to ISO 27001), controls (e.g. two-factor authentication, restricting access to specific devices) and regular security testing (note: NOT just vulnerability scans).
Now, I'm not saying Fusion is insecure; I'm just pointing out potential issues/areas of improvement from a people, process and controls point of view.
I work in an industry where I could walk up to your front door, remove the wireless doorbell you are so proud of and obtain your wifi encryption key in seconds. Our tanks are part of the Internet of Things, and I'm increasingly concerned about the growing number of wireless devices which could have serious security flaws in them (just like the wireless doorbell).
If a hacker got access to our systems, they could quite easily kill everything in our tanks without even realising what they are connected to.
So take measures yourself.
- Use a difficult-to-guess password, and ensure it is unique to Fusion
- Always update any device connected to your network, and ensure firewalls and antivirus are enabled
- Use WPA2 with a unique, difficult-to-guess key
- Disable wifi on all devices which can be wired
As far as feature requests go, PLEASE, NEPTUNE: give us the option of two-factor authentication and device control on Fusion. There is no excuse in 2017 for not having multi-factor authentication.
In the time it has taken me to write this, I have identified a potential security issue which needs to be addressed. Can Neptune please PM me the details of who to send the details to?
Thanks
Rob