Crystal Ball preview: Top cybersecurity risks in 2025 and beyond
Editor’s note: Each year, Smart Industry assembles content that looks ahead and predicts the trends in manufacturing technologies and their evolution in the new year. This year is no different, and the Crystal Ball Report will begin appearing as a web series around the holidays this month. But as a post-Thanksgiving dessert of sorts, we offer this cybersecurity-in-operational-technology look-ahead authored by Carlos Buenaño of Armis.
As we look ahead to 2025, some of the greatest cybersecurity challenges manufacturing faces include ransomware attacks targeting industrial control systems, nation-state threat actors targeting supply chain vulnerabilities and, as a consequence of both, mounting regulatory pressure.
Ransomware attacks are increasingly moving beyond IT networks to target OT environments such as industrial control systems. These attacks can cause operational outages, leading to prolonged downtime and severe financial losses. To prevent such consequences, organizations must expand their view of risk beyond IT networks and into OT environments.
Industrial supply chains are highly interconnected since many devices rely on specialized software components. Attackers, particularly nation-state threat actors, are increasingly targeting these relationships to infiltrate OT systems. Organizations must also expand their view of risk to ensure the integrity of all partners within the supply chain.
Stricter regulatory systems rise to meet the threats
While organizations grapple with these emerging threats to OT systems, industry regulations are also emerging with stricter compliance requirements. Regulations such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards, the Critical Entities Resilience (CER) Directive and the Network and Information Security (NIS2) Directive in the European Union mandate stronger cybersecurity fundamentals.
When planning, consider where we have come from. Many industrial control systems and OT devices are decades old. Even though emerging threats must receive the attention they deserve, we’d be remiss to overlook how latent vulnerabilities remain a pervasive source of risk that threat actors can exploit.
In fact, according to a 2024 report from NERC, latent vulnerabilities are one of four risk themes that make adherence to critical infrastructure protection standards challenging. Even organizations that don’t have to comply with NERC CIP can learn something from this report.
Identifying the source of risk: what causes latent vulnerabilities
NERC defines latent vulnerabilities as “long-standing, higher-risk issues that evade detection and persist within entities’ environments.” Latent vulnerabilities can include violations of access management and revocation, security patch management and vulnerability assessments.
In one real-world scenario shared by NERC, thousands of unauthorized users had access to systems they should not have because they were not identified in quarterly access reviews. In another example, relying on an incorrect source for a patch resulted in a critical system application remaining unpatched for over three years.
Certainly, these issues with access management and security patch management are the results of latent vulnerabilities that were allowed to persist. However, according to NERC, the root cause of such vulnerabilities is “organizational silos, disassociation between compliance and security, lack of awareness, and inadequate tools or ineffective use of tools.”
NERC even acknowledges that large organizations struggle with the complexity of hundreds of interconnected systems and services, making it difficult to prioritize what tools and resources are required.
In the examples NERC provided, it’s clear that organizations lack visibility into their risks. It is not just that they have security gaps, it is that they don’t even know these gaps exist.
Detective controls: how to identify latent vulnerabilities and remediate risk
NERC recommends “dedicating sufficient resources to the development, implementation, testing, and execution of detective controls.” Detective controls help answer the questions: What are my risks? What are my vulnerabilities? Where are my security gaps? What are my blind spots? How can I remediate or mitigate?
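As an added illustration of what a detective control for the two NERC scenarios above might look like (example code written for this article, not Armis or NERC tooling; all account names, systems, dates and the approved patch-source list are constructed), the script below reconciles exported access records against the last quarterly review and checks patch provenance and age:

```python
from datetime import date

# Constructed date for the check; a real control would use date.today().
TODAY = date(2024, 12, 2)

# Constructed sample export from an access-management system: who has access to which
# OT system, whether that access is approved, and when a review last covered it.
ACCOUNTS = [
    {"user": "op-a", "system": "hmi-01", "approved": True, "last_reviewed": date(2024, 9, 30)},
    {"user": "vendor-tmp", "system": "hmi-01", "approved": False, "last_reviewed": None},
    {"user": "eng-b", "system": "plc-07", "approved": True, "last_reviewed": date(2024, 3, 12)},
]

# Constructed patch records: where each system's last patch came from and when it was applied.
PATCH_STATE = [
    {"system": "hmi-01", "patch_source": "vendor-portal", "last_patched": date(2024, 10, 1)},
    {"system": "plc-07", "patch_source": "internal-mirror", "last_patched": date(2021, 6, 15)},
]
APPROVED_PATCH_SOURCES = {"vendor-portal"}  # assumed list of vetted patch sources


def unreviewed_access(accounts, today=TODAY, review_period_days=90):
    """Flag access that is unapproved or that the last quarterly review did not cover."""
    findings = []
    for a in accounts:
        if not a["approved"]:
            findings.append((a["user"], a["system"], "access without approval"))
        elif a["last_reviewed"] is None or (today - a["last_reviewed"]).days > review_period_days:
            findings.append((a["user"], a["system"], "not covered by a review in period"))
    return findings


def patch_findings(patch_state, today=TODAY, max_age_days=90):
    """Flag systems patched from an unvetted source or not patched within max_age_days."""
    findings = []
    for p in patch_state:
        age = (today - p["last_patched"]).days
        if p["patch_source"] not in APPROVED_PATCH_SOURCES:
            findings.append((p["system"], "patch source not on approved list", age))
        if age > max_age_days:
            findings.append((p["system"], "patch older than allowed", age))
    return findings


if __name__ == "__main__":
    for finding in unreviewed_access(ACCOUNTS) + patch_findings(PATCH_STATE):
        print(finding)
```

Run on the constructed data, the check surfaces the unapproved vendor account, the engineer whose access fell outside the review window, and the PLC whose patch came from an unvetted mirror more than three years ago.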
Organizations should avoid relying on manual reports; the examples of latent vulnerabilities shared above should be proof enough of that. Actively monitoring OT devices can be difficult for a variety of reasons, but it is possible to monitor them passively. Passive monitoring can even discover quiet devices that communicate infrequently and identify a variety of contextual information about them.
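To show how passive monitoring builds an inventory without ever probing a device, here is an added example (written for this article, not Armis code) that derives assets, protocol context and quiet devices from flow records; the IP addresses, timestamps and port-to-protocol map are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime

# Well-known OT protocol ports, used to attach context to devices seen only in traffic.
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 102: "S7comm", 44818: "EtherNet/IP", 4840: "OPC UA"}

# Constructed flow records (timestamp, source IP, destination IP, destination port), the
# kind of data a passive sensor on a mirror/SPAN port exports without touching any device.
FLOWS = [
    ("2024-12-02T08:00:01", "10.1.0.10", "10.1.0.50", 502),
    ("2024-12-02T08:00:02", "10.1.0.10", "10.1.0.51", 502),
    ("2024-12-02T08:00:05", "10.1.0.20", "10.1.0.50", 44818),
    ("2024-12-02T08:00:07", "10.1.0.10", "10.1.0.50", 502),
    ("2024-12-02T08:00:09", "10.1.0.10", "10.1.0.51", 502),
    ("2024-12-02T09:15:00", "10.1.0.77", "10.1.0.10", 102),
]


def _new_entry():
    return {"first_seen": None, "last_seen": None, "flows": 0, "initiated": 0,
            "protocols": set(), "peers": set()}


def build_inventory(flows):
    """Derive an asset inventory purely from observed traffic: every IP that appears as a
    source or destination becomes an asset with timing, protocol and peer context."""
    inv = defaultdict(_new_entry)
    for ts, src, dst, port in flows:
        t = datetime.fromisoformat(ts)
        proto = OT_PORTS.get(port, f"tcp/{port}")
        for ip, peer in ((src, dst), (dst, src)):
            d = inv[ip]
            d["first_seen"] = t if d["first_seen"] is None else min(d["first_seen"], t)
            d["last_seen"] = max(d["last_seen"] or t, t)
            d["flows"] += 1
            d["protocols"].add(proto)
            d["peers"].add(peer)
        inv[src]["initiated"] += 1  # role context: this asset opens connections
    return dict(inv)


def quiet_devices(inv, max_flows=1):
    """Assets seen in at most max_flows flows: the ones a snapshot or active scan tends to miss."""
    return sorted(ip for ip, d in inv.items() if d["flows"] <= max_flows)
```

On the constructed flows, the device at 10.1.0.77 appears exactly once, speaking S7comm to the Modbus master, which is the kind of quiet asset that never shows up in a point-in-time report.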
Another point NERC makes is about the importance of prioritization, since low-impact systems may not pose a significant risk. However, organizations can only make that sort of informed decision if they can obtain the context needed for these devices.
As it relates to the cybersecurity threats the industry expects to face in 2025, these sorts of detective controls can also discover the lateral movement of ransomware attacks or provide a deeper context into supply chain risks.
Cybersecurity and compliance are not a point in time
NERC emphasizes the need for continuous compliance and proactive risk assessment, “and preferably not just in the months leading up to a compliance audit.” There can often be extended periods between audits, so organizations that don’t maintain continuous monitoring can quickly expose themselves to the risk of latent vulnerabilities.
NERC exemplifies the value of compliance, not only for improving the security of its entities but also for sharing these valuable insights and recommendations.
Many other industries may lack a compliance mandate like NERC CIP, but the increasing scale of ransomware attacks and nation-state threats targeting critical infrastructure is increasing regulatory scrutiny.
Unfortunately, organizations that don’t take a proactive approach to cybersecurity risk in 2025 have a greater chance of becoming the next poster child for compliance.
For organizations that want to be proactive about their risk, ISA 62443 is another excellent framework of common security standards that organizations can apply to any industrial control system.