Keeping systems and networks secure when 3rd party access is needed

The “S” in IoT stands for “Security” - i.e. it’s not present…

One of the ever growing areas that Leisure Operators need to keep on top of is when 3rd party suppliers like Gym Machines, Building Management Systems, streaming audio & video services, lift maintenance, fitness apps and many others all need to have the hardware that they supply into Leisure Centres connected to the internet for assorted reasons.

With such a disparate set of suppliers, all with differing requirements, different contractual arrangements for support, maintenance and security, and an ever increasing threat from cyber attack, it can be extremely difficult for a Leisure Operator to:

a. Be aware of / be able to quantify the risk(s) associated with these internet connected devices (known as the Internet of Things or “IoT”)

b. Manage and mitigate against these risks

Ivan Spencer-Phillips (Head Engineer at Astaris) had this to say about the use of IoT devices in a Leisure environment:

“Leisure Operators have to accept that IoT devices of all flavours are going to be in their buildings at an ever increasing rate, so need a plan and strategy for dealing with them.”

Whilst estimates vary as to exactly how many IoT devices will be in place in the coming years, all mainstream figures show growth of around 15% per year, or 2+ billion additional IoT devices being connected each year worldwide [Source]. When combined with the extreme impacts of a cyber breach or a systems compromise, this means that a “do nothing” approach is unlikely to be sustainable.

Figure: Number of Internet of Things (IoT) connections worldwide from 2022 to 2023, with forecasts from 2024 to 2034

Astaris have outlined two main strategies to address the increased proliferation of IoT:

1. All IoT devices have their own network and internet connection, probably using a 4G SIM card.

Pro: Risk of breach is contained / limited to that supplier. The supplier is responsible for the whole thing.

Con: Multiple 4G SIM cards that the Leisure Operator is paying for (maybe not directly, but it’ll be in the “service” fee somewhere). Additional networking hardware and installation needed. Multiple physical networks in the building that must never be cross connected. Costs increase linearly with each additional supplier.

2. One network across both wired and wireless that has security, segmentation and control in place.

Pro: Costs for additional suppliers are marginal after initial implementation; more reliable and controllable. Leisure Operators retain a level of oversight and management over the IoT devices that are in their buildings. Scalable solution.

Con: Initial implementation requires careful planning, reasonably up to date networking hardware and an organised roll out plan.
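Strategy 2 stands or falls on the segmentation rules: each supplier’s devices sit in their own segment, may only talk outbound to the internet, may only be reached from the management segment, and everything else is dropped. The following Python model is an added example (not Astaris’ or the page’s own tooling) of how an operator might encode and audit such a policy before rolling it out; all segment names, address ranges, ports and rules are constructed for illustration.

```python
"""Added example: model and audit a segmented leisure-centre network policy.

Constructed data only: segment names, address ranges and ports are illustrative
and are not taken from any real deployment.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan: one VLAN per supplier plus corporate and management.
SEGMENTS = {
    "corporate":  ipaddress.ip_network("10.10.0.0/24"),
    "management": ipaddress.ip_network("10.10.1.0/24"),
    "iot-gym":    ipaddress.ip_network("10.20.1.0/24"),   # gym machines
    "iot-bms":    ipaddress.ip_network("10.20.2.0/24"),   # building management
    "iot-av":     ipaddress.ip_network("10.20.3.0/24"),   # streaming audio/video
}


@dataclass(frozen=True)
class Rule:
    """An allow rule between two segments (dst may be 'internet')."""
    src: str
    dst: str
    ports: frozenset = frozenset()   # empty set means any destination port


def segment_of(ip: str) -> str:
    """Map an address to its segment name; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(rules, src_ip: str, dst_ip: str, port: int) -> bool:
    """First matching allow rule wins; unmatched traffic is dropped (default deny)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for r in rules:
        if r.src == src and r.dst == dst and (not r.ports or port in r.ports):
            return True
    return False


def audit(rules):
    """Report rules that break the isolation model.

    IoT segments may only initiate connections to the internet, and only the
    management segment may initiate connections into an IoT segment. Any rule
    that lets IoT devices reach corporate systems or another supplier's
    devices is a finding.
    """
    findings = []
    for r in rules:
        if r.src.startswith("iot-") and r.dst != "internet":
            findings.append(f"{r.src} -> {r.dst}: IoT segment must only reach the internet")
        if r.dst.startswith("iot-") and r.src != "management":
            findings.append(f"{r.src} -> {r.dst}: only management may initiate into an IoT segment")
    return findings


# Constructed policy that follows the model: outbound-only per supplier,
# management access for support, corporate users unrestricted to the internet.
GOOD_POLICY = [
    Rule("iot-gym", "internet", frozenset({443})),
    Rule("iot-bms", "internet", frozenset({443, 8883})),
    Rule("iot-av", "internet", frozenset({443})),
    Rule("management", "iot-gym", frozenset({22, 443})),
    Rule("management", "iot-bms", frozenset({22, 443})),
    Rule("corporate", "internet"),
]

# The same policy with one mistaken rule: gym machines allowed to reach file
# shares on the corporate segment. This is the kind of cross connection that
# turns a supplier compromise into an operator compromise.
BAD_POLICY = GOOD_POLICY + [Rule("iot-gym", "corporate", frozenset({445}))]


if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(f"{label} policy findings:", audit(policy) or "none")
    print("gym -> internet:443", is_allowed(GOOD_POLICY, "10.20.1.15", "203.0.113.10", 443))
    print("gym -> corporate:445", is_allowed(GOOD_POLICY, "10.20.1.15", "10.10.0.5", 445))
```

The point of running `audit` over the rule set rather than testing individual flows is that a single mistaken allow rule is easy to miss in a long firewall configuration but trivial to catch when the intended isolation model is written down as code; the same check can be re-run every time a new supplier’s segment is added.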

It is also recommended that Leisure Operators devise their formal strategy for IoT at board level without delay, with practical ongoing implementation being dealt with by a combination of internal IT departments and suitably specialised network security professionals.

Useful resources

National Cyber Security Centre - advice and guidance [link]

Astaris - practical recommendations, planning and implementation [link]
