2020 OT security predictions from Claroty
December 2019 by Dave Weinstein, CSO, Claroty
From a threat perspective, I expect to see a continuum from 2019 into 2020, as it is getting easier for hackers to attack these systems because they’re more exposed to the public internet. This applies not just to nation state hackers, but to financially motivated criminal hackers as well.
Looking back at 2018, there were more high-profile attacks that year than in 2019. We saw no more than 12 high-profile attacks in 2019. The number of attacks is declining compared with the era of the Stuxnet worm in 2010 and the 2015 cyber attack on the Ukraine power grid. Security is improving, and hackers have better things to do than target power grids.
Nation states are being more selective and becoming better at covering their tracks. What we see reported in the media is the tip of the iceberg and isn’t indicative of current trends, because it’s a small sample size.
Governments can only see so much because organisations are privately monitored, and the companies monitoring them are not at liberty to discuss what they observe on their networks.
As end users start to adopt basic monitoring solutions for OT networks, more malicious activity will come to light. The greatest threats are likely already operating undetected on enterprise and critical infrastructure networks at the moment. Nation states will only make their presence known on a network when they want to, depending on geopolitical tensions.
Geopolitical. I expect to see Iran increasing its aggression in cyberspace and holding more US critical infrastructure at risk in the event of geopolitical tensions.
Nations with inferior conventional arsenals will turn to asymmetric cyber capabilities as a way of responding to physical force. We saw an example of this earlier this year when the US allegedly carried out a cyber attack on Iran in retaliation for Iran bringing down a US drone.
The ‘I’ in CISO will start to disappear for companies with big industrial footprints. As IT and OT begin to be viewed as one, enterprises need to govern and secure them accordingly. Unless you’re a bank, the idea of being a CISO is going to become a thing of the past. The CISO is gaining responsibility for OT, and as a result the role will involve more than securing information: CISOs will carry all of the OT security responsibility too. Wherever there’s technology, it needs to be secured.
No downtime. Last year I predicted that there would be no hours of electrical downtime as a result of a cyber attack worldwide. As far as I know that held true, and I predict that the same will be true again for 2020. The electric sector is at enormous risk due to its vulnerable nature, and I expect it will continue to be targeted throughout 2020; however, I predict that no customers will lose power for any period of time as a result of a cyber attack. As an example, a utility in Salt Lake City suffered a cyber attack earlier this year – the first official attack on a utility – and nobody lost power.
OT-targeted ransomware. It’s a fair prediction to make for 2020 that we will see an increase in ransomware spilling over from the IT network into the OT environment. If I were a CISO at a manufacturing facility, I’d be worried about that.
If IT and OT networks are unsegmented, then an attack on IT could easily spill into the OT environment too. The implications could be worse for OT than for IT, as an OT network cannot restore a production line in the same way that IT can restore to the last backup. Businesses need to consider how much downtime they are willing to accept to avoid paying a ransom.
5G. More things will be connected, which means a greater attack surface; for example, smart cities and buildings are increasing in number. 5G connectivity will expose legacy systems in cities to new threats, alongside a growing number of connected buildings and factories running off the same infrastructure. 5G is going to expand the scope of OT security in the same way that IT/OT convergence exposed manufacturing plants and factories to threats. 5G opens the aperture to common everyday use cases that affect the public at large.
Cloud. With the rush to the cloud, I’d expect to see an increase in the ability to pool customer OT data and identify emerging threats more quickly, with less reliance on manual updates for protection against known threats.