Cybersecurity Challenges Insights
- Alert fatigue, the amount of data collected and the maturity of cybersecurity are immediate challenges that should be addressed if there is any hope to keep up with cyberattacks.
- Misinformation may be the next trend in cyberattacks, which may cause even more cybersecurity challenges, but the common attacks aren’t going anywhere either. Where there is a way to make money, such as in ransomware attacks, there will be a supply of attackers ready to strike.
- Executives and others with the power to make change can bring together the right workforce to put in place the mechanics of cybersecurity solutions and better fend off cybersecurity challenges with sustainable results.
The cybersecurity landscape has been under attack for some time now, and the response has mainly been reactive. Most organizations are simply patching as vulnerabilities are found and doing damage control if there is an active attack. However, many questions remain about the future of cybersecurity: What are the immediate cybersecurity challenges as opposed to the long-term ones? What is the future of cyber warfare going to look like? And what should everyone be focusing on to prevent attacks?
Joining Gary Cohen, senior editor of Industrial Cybersecurity Pulse, to discuss these challenges are Jim Crowley, CEO of Industrial Defender; Ryan Heidorn, co-founder and managing director of Steel Root; Pranav Patel, founder and CEO of MediTechSafe and Resiliant; and Tyler Whitaker, CTO at Leading2Lean.
This discussion has been edited for clarity.
ICS Pulse: What do you see as the near- and far-term industrial cybersecurity challenges right now?
Ryan Heidorn: In my experience, being more on the IT (information technology) side within industrial environments, certainly some of the trends around automation are going to be addressed, or some of the scalability issues that we’re running into now with the volume of data and telemetry that we’re collecting from IT and OT (operational technology) systems is becoming unwieldy for human consumption. We see a lot of defenders, obviously. There’s a huge trend in alert fatigue. There’s some promise with some of the machine learning-based solutions that are out there today, but we’re desperately in need of some maturation in that field before it really becomes impactful.
Pranav Patel: The near-term goal is about demonstrating credibility and long-term is about achieving maturity. When talking about industrial cybersecurity in an OT domain, most of the implementations today are relatively smaller in scale, such as some pilots. Getting them to deliver tangible results and value that’s anticipated helps build credibility, and that actually takes you to a broader, larger-scale implementation. Otherwise, what you’ll do is pilot to pilot at every place, which means going back to those original stats, and it creates a lot of frustration and a lot of opportunities for improvement. So, I think that’s the first stage near term.
Don’t spend so much up front, don’t make it a capital project and not see value, because that’s poor in terms of getting a return. Start to demonstrate value and then spend more, and the next phase of that is really maturing that across the board. Then, maturity itself is a hard thing. As Ryan just said on the IT side, we’re still maturing. A lot of IT are mature, but still maturing. So I think that’s how you probably want to think about it: Demonstrate credibility and then mature.
Tyler Whitaker: From a near-term perspective, network connectivity is going through the roof. The days of siloed, air-gapped infrastructure for OT systems are going away. IoT, data capture and digital transformation are the macro trend. I don’t see any way to get around connecting systems for more connectivity, so cybersecurity professionals need to plan for that. They need to build a playbook to make that happen and do that in a secure and efficient way.
From a long-term perspective, OT systems need to be designed with security in mind from the get-go. The longevity of these assets is really the hindering factor in cybersecurity. For OT systems, I’ve got customers that are still running on World War II-era equipment. The security there was the padlock on the door to the plant. These assets are going to be in service for decades, and so the faster we can implement secure-by-design systems on the OT side, the more we’re going to be capable of addressing security concerns for the decades to come.
ICSP: What do you see as major challenges moving forward?
Jim Crowley: The biggest challenge is that we’re actually really geopolitical. As much as we all try to help our customers or invent new tools and technology to put strong defenses in place, the problem is that we’re really in a cyber war. The policy makers have to start thinking that way, because ultimately, if you’re just in a defensive position, you’re never going to win. It’s just going to be investment after investment and layer after layer, time over time, year after year.
The policy makers really need to start thinking about, “OK, how do we get to a cease-fire, a truce and a treaty around these particular issues?” I haven’t heard any talk like that yet, but that’s certainly where we need to go to solve these cybersecurity challenges. Because if you just look at the scale of the ransomware attacks that have gone on in the last 6 to 12 months, it’s exponential. We have to figure out a way to tamp down some of this activity and get people to the table to say it’s not acceptable behavior to be attacked constantly like this. Because our customers will never be able to keep up. There’s just no way.
ICSP: What do you think the future of cyber warfare is going to look like? Is it continued daily ransomware attacks? Is it supply chain attacks? What is next on the horizon?
Crowley: I think that the business model seems to be working for the other side. I started getting into this 20 years ago. I worked for a company, and we were encrypting primarily in intellectual property for U.S. corporations. We were encrypting their patent libraries because they knew that they were targets, and the companies that didn’t encrypt their patent libraries, some of them went out of business because the Chinese stole their technology and became a low-cost producer.
This has been going on for a long time. The business model works for people, and I don’t see it unfortunately changing any time soon, unless there are some ramifications to it. One of the things that our policy makers need to start thinking about is, what is the economic damage here? If it’s a trillion dollars, how do we inflict a trillion dollars damage back on the other side? That’s the only way we’ll really get anybody’s attention.
Whitaker: Yeah, I think Jim’s exactly right. The economic model is what drives that. There are definitely nation-states that are participating here, and I think there are economic drivers there, too. If there’s a way we can fix the economic model to take away the incentive, that’s something to look into, and maybe a global policy type of initiative to make that type of thing happen. I think the attacks are going to go up. Ransomware is going to go up as long as there’s an economic model. I also think that there’s going to be a rise in misinformation attacks.
Spreading false information, allowing folks to use bad information to make worse choices, and augmenting IoT data streams is a way to do that. I think understanding how we authenticate the information we use for business systems is a way to mitigate that risk. But misinformation is a new angle that I would see rise in the next couple years.
Patel: There are two levels of it. One is the nation-state. I think when you impact an economy, you hurt the other side a lot more. There are a lot of state-sponsored things. Most of the war feels like it’s going to get fought in the cyberspace. But then the other side of it is, before you would’ve thought it’s just one-off people who would actually want to capitalize on all of it. Now, that side is becoming very organized.
They’re sponsoring the malware development, and they’re spreading it. When you get organized, it becomes difficult because now there are processes, there are business models and there’s a discipline around it. And the flip side of it: If you think about it, organizations spend an incredible amount of time to protect 99% because they can’t get 100%. The other side is just looking for that 1%, and that changes the game. Their whole attention is to find one of the cybersecurity challenges. Your attention is to run the business, do everything else, and do as well as you can broadly.
It’s not going to go down. There is an incentive for them. There are places where they can hide. So it has to be government really taking an active role in it. There have to be some regulations. The businesses have to get protective. Businesses know how to manage security quite well from a personnel perspective. Organizations would have to do it in the cyberspace. A lot of effort has to be put in place in terms of preparedness and recovery and things like that. But I don’t think it’s going to go away. It’s only going to get worse. That’s the bottom line.
Heidorn: We all agree it’s going to get worse. In terms of trends, obviously supply chain attacks are top of mind for a lot of organizations and governments right now. One piece of that has been perhaps a little bit overlooked from my perspective, and that’s the role of service providers in those supply chains. Ancient history in cybersecurity, going back to the Target breach, right, when the attacker got in through an HVAC contractor. We saw a hint of unfortunate things to come this year with the Kaseya breach, where the attacker breached or exploited a vulnerability in a remote management tool and was able to spread malware simultaneously to thousands of clients at once. I see service providers as a really critical leverage point. That, from my perspective, has really been overlooked in a lot of this discussion.
Other than that, one thing that we really need to look at as a security industry, and our policy makers as well, is the practice of hoarding zero days at the nation-state level. I think there’s more work to be done on responsible disclosure. From the government’s perspective, I look at the NSA a few years back and how their cyber weapons cache was taken, leaked by Shadow Brokers and then weaponized to spread ransomware. Some of those vulnerabilities were 5 to 10 years old. There’s got to be some sort of limit in self-interest now that one nation can have a zero day that can just as easily be turned back on their own people and economies. It is certainly one of the most complicated cybersecurity challenges that’s not going anywhere anytime soon.
ICSP: When you look at industrial cybersecurity right now, what is the one thing you wish more people were paying attention to, or the one thing that you think will define this next period?
Crowley: I think it goes back to my message around the basic hygiene. People need to eat their vegetables first and don’t get caught up in all the fancy technology out there. Do the right process stuff, do all the basic boring stuff and don’t get caught up in all of the hype around what we put out as an industry.
Heidorn: I think competition with China will continue to define this next era. They’re playing by a different rule set than we do in America that allows them some relative advantages when it comes to the cyber domain that we don’t have just by virtue of our culture and the way that we have chosen to self-govern. Not proposing any solutions here, but I think that’ll be a defining attribute of the years to come.
Whitaker: We need to focus on the appropriate level of cybersecurity for the risks at hand. I think we go too far in some areas and not far enough in others. We should be paying attention so we don’t handicap our organizations and customer organizations, so that we can’t compete globally. I think that’s something that really needs some attention.
Patel: It requires ownership from line leaders and executives because they probably have an ability to bring everybody together, and once you actually get an engagement, the mechanics usually take place. But rather than delegating and thinking of it as a technical problem, they start to own it as an operational and business problem for sustainability and risk management, and also enable it for growth. That will change the game significantly.