2019 Predictions: ICS Cyber Security Challenges for CISOs

2019 Predictions: ICS Cyber Security Challenges for CISOs

When I was invited to become a Nozomi Networks Advisor, I welcomed the opportunity to use my understanding of cyber risks to critical national infrastructure to support the company’s advocacy for stronger cyber security across public and private sectors.

As we head into the coming year, the folks at Nozomi Networks asked for my thoughts on the challenges that lie ahead for CISOs and their security teams. Here are six cyber security predictions for 2019:

Unsophisticated attackers will get better at breaking into OT networks, but will likely lack the level of sophistication needed to have a significant physical impact.

Ever more sophisticated tools and techniques for hacking are available for downloading from the web. This means that the number of unsophisticated hackers able to break into systems will rise – but what they’re able to do once they get in is another question.

If you look at Russia’s attacks on the Ukrainian power grid, attackers were able to remain undetected and do reconnaissance work for months. To bring down power for nearly 250,00 customers, they had to thoroughly understand the operations at the targeted plant. That level of sophistication can’t be bought and sold on the internet, which means that the real damage will continue to be done by actors with access to the right skills and resources. It also means early detection will continue to be critical, before the adversary has gathered enough information to be truly disruptive.

The things that have been holding back Russia, China, North Korea and Iran from a critical infrastructure attack on the U.S. could shift

When it comes to nation state threats on U.S. critical infrastructure, we think of four key actors: Russia, China, Iran and North Korea. Each country has been held back from a serious attack on U.S. infrastructure for different reasons. Think about a graph with an x and y axis. The x axis represents capabilities and the y axis represents destructive intent. At the moment, Russia and China have the highest capabilities, but they fall lower on the scale of destructive intent. Of the group, they’re more rational and more dependent on their own critical infrastructure. On the other hand, North Korea and Iran have higher destructive intent, but fall lower on the capabilities scale. But it won’t stay this way forever.

The level of destructive intent of Russia and China could change overnight – which is a concern given the capabilities they already have. And North Korea and Iran are strengthening their capabilities every day. North Korea’s attack on Sony is a good example. In the news, the focus was on all the embarrassing emails, but the attack was about more than just leaked emails – Sony’s networks were damaged. And Iran made headlines when it pulled off a damaging cyber attack against the Sands Casino. The U.S. has yet to experience a highly-damaging attack on critical infrastructure, but that should not make us complacent.  

Growing cyber-dependence will make critical infrastructure attacks harder to stop.
Within infrastructure like the U.S. electric grid, there is still a fair amount of physical redundancy to back up cyber controls. But as we move to embrace virtual infrastructure, we are also abandoning that physical redundancy, making it easier for an attacker to have cascading impacts that can cause real damage. With fewer physical controls in place it will be harder to regain control of systems, minimize damage and stop an attack from progressing.
Given the benefits of the networked world, the move to digitalization isn’t going to slow down. It’s important that we realistically assess our dependence upon cyber and the potential consequences of a disruptive attack. Maintaining physical backups or other redundancies, changing operational processes, and even keeping less data can reduce the impact of a successful attack.

The U.S. will get more aggressive in naming hackers.

Until relatively recently the U.S. typically did not publicly attribute various cyber incidents to specific nations, despite public pressure to do so. It can be difficult to attribute cyber activity with 100% certainty – but U.S. government officials also understood that attribution should be followed by a response, and the U.S. just didn’t have the tools needed to respond effectively. And many cyber incidents in recent years were just not worth going to war over.

But in the last several years, the U.S. has gotten better at other kinds of non-cyber responses, like creating a more robust sanctions regime and criminal indictments. Attribution is becoming more common – which we have seen with additional sanctions against Russia in response to attacks targeting U.S. critical infrastructure and recent indictments of Iran’s Revolutionary Guard members for malicious cyber activity. As we continue to improve our non-cyber responses and further develop our cyber toolbox, we’ll see that the U.S. is less hesitant and more aggressive when it comes to calling out attackers.

Critical infrastructure organizations will more fully embrace a cross-sector approach.

The DHS established the National Infrastructure Advisory Council (NIAC), which is made up of leaders from private sectors like electricity, transportation, communication and others. The council has done a lot of good work. While at the DHS, we conducted several tabletop exercises that resulted in some surprising realizations. For example, at one session it became clear just how interdependent electricity and financial services organizations would be in the face of a critical infrastructure attack. If the electric grid were taken down by a cyber attack, financial services organizations would be vital to help finance an industry response.

The sectors are developing ways of working together before an attack occurs to understand how their organizations are interconnected and plan out how a cross-sector approach could lead to a smoother response should an attack occur.

Election security isn’t as bad as many people think – and it will keep getting better.

For all the talk about U.S. election security, one thing is for sure – we’re in far better shape today than we were in 2016.

I was in charge of cyber and infrastructure security at DHS when we officially designated election infrastructure as critical infrastructure. Most security researchers focus on the security of the voting machines themselves, but so much more comes into play and needs to be protected: voter registration databases, the process of loading ballots into the machines, vote tabulation, getting results to the Secretaries of State and to the news networks. Election infrastructure is much more complicated than just voting machines and government officials on both the federal and state levels are, for the most part, working hard to ensure the resilience of our elections against cyber threats.

As awareness and public pressure has grown, progress has been made – but there’s still much more to be done to ensure the integrity of our elections in 2020 and beyond. This is particularly true with regard to influence operations from Russia and potentially other adversaries, where the necessary whole-of-nation coordinated response has been absent.

Building a Secure Future for the World’s Critical Infrastructure

Protecting industrial networks from a growing list of attackers and cyber threats is a complex problem that requires smart, aggressive and innovative solutions. That’s what drew me to Nozomi Networks. The sophistication of the company’s solutions is impressive, as is the broad set of industry customers using its technology. I look forward to helping the team establish a secure future for the world’s critical infrastructure.

If you would like to learn more about how to build cyber resiliency across your industrial organization, I suggest you contact Nozomi Networks or request a demo of its advanced operational visibility and cyber security solution.