The Next Year Will Surprise All of Us in at Least One Way or Another
It’s that time of year again, when experts from across the cybersecurity field postulate about what the next 365 days will bring in terms of risks, trends, and innovations. For my part, I’ll focus on risks, with an emphasis on the threat dynamic.
Let’s start off on a couple positive notes:
1) The U.S. electric grid will not go down. Despite all of the fear, uncertainty, and doubt being spewed around about the security and resiliency of the U.S. electric grid, especially in the face of increasingly aggressive threats, no Americans will lose power for a single minute in 2019 due to a cyber attack. This prediction, if true, is sure to disappoint opportunistic vendors who rely on hyped-up rhetoric to generate demand for their products. Nevertheless, my experience with electric utilities in North America gives me great confidence in the resilience of our grid. This is not to say that electric utilities will not continue to face an onslaught of malicious activity – indeed they no doubt will. Nation-states with strategic geopolitical equities at stake will continue to conduct remote reconnaissance and other preparatory operations aimed at the energy sector writ large. Likewise, less strategic owners and operators of critical infrastructure will remain the most vulnerable to disruptive and even destructive malware. But thankfully, 2019 will not experience the rolling blackouts that so many have predicted in years past.
2) After a few years of grappling with the problem of ICS security from the shop floor to the top floor, there is growing consensus on the subject of governance. In 2019, more organizations than ever before will consolidate responsibility for both IT and OT security and elevate the Board’s visibility. It’ll be difficult to prove or disprove this prediction at year’s end, but if my recent conversations with CISOs and Directors are any indication, then this one is a slam dunk. As the technical gap between IT and OT continues to shrink, so too should the policy, management, and even budget gap. Consolidating governance responsibilities has the potential to streamline security operations, optimize human resource allocation, and scale both monitoring and incident response capabilities across a distributed enterprise. It also lays the foundation for cross-training security professionals in both disciplines, thereby addressing a skills gap that plagues many organizations with large ICS footprints. By elevating OT security to the C-suite, it will finally receive the attention it deserves from other risk management stakeholders.
3) On a less optimistic note, ransomware will shift from data to operations. Ransomware is a threat that dates back nearly a decade, but the frequency and scale of attacks has skyrocketed in recent years. To date, however, hackers have employed these tactics to hold data at risk with the hope of extorting a payment in return for the promise of decryption. For some criminals, it has proven to be a lucrative trade. What concerns me moving forward is the degree to which industrial networks are now accessible to these same actors thanks to the rapid conversion of IT business networks and OT industrial networks. Consider what an advanced manufacturer operating on thin margins and tight timelines might pay to prevent a hacker from disrupting their operations. For this reason, I would expect cyber criminals to shift their tactics to holding operations at risk with the hope of extracting funds from the victim. To avoid this fate, owners and operators of industrial control systems must prioritize network segmentation in the New Year. Doing so will markedly reduce their risk to both targeted and non-targeted attacks.
4) Legislation and regulation will play catch-up. This last prediction is a bit more neutral than the previous three but equally significant. In 2018, policymakers in the U.S. and abroad were more active than ever before with holding hearings, crafting legislation, and promulgating regulations related to cybersecurity. In the wake of numerous security incidents at internet giants like Facebook and Google, not to mention high-profile hearings about the tech sector’s data collection policies and practices, it’s hard to imagine the next Congress not taking up privacy legislation along the lines of GDPR. This will have direct implications for companies, including ICS asset owners, and could impact other risk management priorities. Nevertheless, we shouldn’t expect the policy dialogue to end at data privacy. A recent report from the Government Accountability Office on pipeline security is likely to draw the attention of lawmakers and regulators alike who are increasingly more educated on the topic of ICS and SCADA security.
With two positive, one negative, and one neutral prediction, I’m optimistic about ushering in 2019. One thing is for sure: the next year will surprise all of us in at least one way or another. How we deal with these surprises, both individually and collectively, will, in the end, define the next twelve months.