Industrial cybersecurity: Be informed, be very, very informed
By David Stroud, head of Europe + APAC at NanoLock Security
Thanks to high-profile hacks with visible, real-world consequences like the Colonial Pipeline hack, 2021 will be remembered by many as the year cybercrime prevention started to actually matter.
While cybercrime has been a major concern for decades, the devastating impact on everyday life rendered by the largest attacks of 2021 functioned as a wake-up call for large segments of the population that had never previously prioritized the security of their network, data, or devices. The alarm reached not just regular citizens, but the industrial companies, manufacturers, utilities providers, and governments responsible for creating and administrating the infrastructures on which citizens rely.
Now that these larger parties—and crucially, their customers and communities—understand the stakes of the cybersecurity game, what should they expect in 2022?
Ransomware will continue to shrink in scope, but scale in severity
Though 2021 was rife with panic-inducing headlines over the surging scourge of ransomware, the total number of attacks actually dropped relative to the prior year. This may assuage fears for individuals, but for manufacturers, enterprises, and utilities it should do the opposite; the prevailing wisdom is that attack totals dropped because hackers grew more sophisticated and strategic in their targeting, not because they lost interest.
To an individual consumer victimized by a one-off ransomware attack, a few thousand dollars in remediation costs can seem steep (and obviously undesirable), but such a sum pales in comparison to the opportunity cost hacker groups must sacrifice. Why spend time hacking a single smart phone and negotiating with an individual for $3,000 when they could hack an industrial or critical infrastructure company and negotiate for $3 million?
This interpretation is supported analytically by the fact that the average ransom demand rose dramatically from the 2020 figure and anecdotally by the dozens of breaches into industrial and manufacturing enterprises, utilities, and critical infrastructure targets.
This trend is something we can expect to continue in 2022. While consumers may misread the reduced frequency of individual attacks as a signal to reduce their worry over ransomware affecting their personal devices or data, the new trends should spike their concern for the integrity of the enterprises and public entities who otherwise enable their lives and lifestyles.
IIoT environments, particularly in critical-infrastructure applications, will face increased assault
When identifying a target for their efforts, hackers are looking for an organization with a broad attack surface, little to no leverage to withstand interruptions in service, and the resources to pay a large ransom without permanently crippling their business. Squarely at the nexus of each of these qualifiers are IIoT environments and critical-infrastructure operations.
The IIoT market is predicted to reach $110B by 2025, and the edge of critical infrastructure networks expands by millions, if not billions, of devices per year. Connecting all these devices has made administrating the complex matrices of utilities and industrial infrastructure a lot more efficient and effective, but it has vastly expanded the potential attack surface for bad actors.
If a network belonging to a utility, industrial company, or critical-infrastructure organization is compromised, service cannot be suspended for long without dramatic consequences to the consumers and communities dependent on them. This gives hackers immense leverage. For example, when the Colonial Pipeline hack took place, the company shut down its operations for five days, with full function not returning until a few days after that.
This may seem like a short time in the grand scheme of things, but in the moment it felt like a millennium for the millions of Eastern Seaboard residents dependent on the pipeline’s operation and for the company executives who eventually paid the hackers’ $5 million ransom (though they eventually recouped most of it).
We should expect to see more of this in 2022. Hacks into the Colonial Pipeline, water-treatment facilities in Florida and Southern California, and even the world’s largest meat supplier demonstrate how broad a qualification critical infrastructure really is—and how vulnerable each of the groups defined by it are. This will likely also contribute to a higher ratio of cyber-incidents that lead to disruptions in safety outcomes relative to previous years.
In order to avoid such outcomes, organizations need to incorporate preventive security alongside detection solutions while making sure to implement zero-trust protection throughout the entire company—from the IT network to the device/ machine level.
Attacks will diversify in style, sophistication, and source and governments will have to respond
The long-held misconception that cyberattacks primarily come from outsiders was amended to include attacks from insiders and supply chain sources in 2021, but in 2022 these added vectors will take center stage. Cyberattacks are increasingly exploiting weaknesses across organizational boundaries, requiring completely new methods to manage trust relationships and supply chain related risks. This task will only grow more difficult for utilities, industrial, and critical infrastructure companies as their attack surfaces broaden.
The specific style of attacks from insider and supply chain sources will also grow more difficult to intercept and contain. ML/AI-assisted attacks represent a more resilient opponent than wholly human-designed programs and further obsolete hack-and-patch approaches. Plugging holes as they arise is a completely backwards strategy against an opponent who will relentlessly search for new holes in increasingly creative ways.
As the source and style of attacks diversify, the origins will grow more confusing. It will become more difficult to distinguish a private actor attack from a nation-state-backed attack. This is in no small part by design, as it is in the interest of nation-states to preserve some sort of plausible deniability, given cyberattacks on the critical infrastructure of a geopolitical rival could (and perhaps should) be viewed as an act of war.
In terms of potential impact, they certainly qualify. The governments of both Russia and China have been credibly accused and, in some cases, confirmed to be behind such hacks. How governments react to future cyberattacks will be a hugely important thing to watch in 2022.
Conclusion
The magnitude, scope and nature of the cyberattacks in 2021 clearly indicate that new cybersecurity paradigms are required and that current industry approaches are insufficient. Not that we should need it, but 2022 will provide further proof of this, especially for utilities, industrial, and critical-infrastructure entities. The attacks they face this year will be varied in style and source, and it won’t always be clear who is ultimately behind them.
A recommendation for these targets?
Integrate solutions to prevent outcomes, design programs to drive employee awareness of cyber-hygiene best practices, and build an attack-response protocol. Each of these steps are crucial because, for today’s hackers, getting access is a matter of when, not if.