Everywhere we turn, there seems to be another network security breach. As much as we love talking about how a connected society offers so much in the way of building communities, sharing information and delivering personal and business efficiencies, the digital age brings with it significant risks.
From a business perspective, you can’t read an article about an organization’s future plans without some mention of their digital transformation initiatives. Unfortunately, as technology matures and evolves, cybercriminals do too. In fact, they’ve outpaced their victims in that regard.
There are three fundamental reasons we’ve gone from spotting news headlines about a major cyberattack once a quarter to seeing them almost daily:
- Many companies and industries starting their digital transformation journey are already way behind their “digitally transformed” counterparts when it comes to investing in IT
- Those early in their journey are investing in cybersecurity at a lower rate as a proportion of IT spending
- They don’t have a post-breach mindset; they’re waiting for a breach to happen before investing in security rather than preparing early on to prevent a breach before it happens
The situation gets even worse when you look at companies and industries that are part of our critical infrastructure.
The reality is that there’s a perfect storm brewing around operational security. It has less to do with what hackers are doing and more to do with what businesses and critical infrastructure companies aren’t doing. Don’t get me wrong, this isn’t about victim blaming. It’s about understanding the root cause of the security vulnerabilities that our businesses and critical infrastructure are facing.
Ransomware is Leveling the Playing Field
We used to worry about our ID, credit card, or personal information being stolen. Banks and securities companies, technology firms and even retailers were attacked and personal information about customers was stolen.
Some of the most significant data breaches in history have hit well-known companies like Yahoo!, First American Financial Corporation, Equifax, Facebook, Target, Home Depot, and Marriott. Yet these organizations were well into their digital transformation. They had made significant investments in IT and cybersecurity, but they were still victimized. It’s scary to think that these breaches may have only been a practice run for what we’re facing today.
Ransomware is moving away from directly stealing monetizable assets. We’ve gone from worrying about whether someone was able to find your email address and passwords, or perhaps your credit card information, to fearing for our safety.
Taking down a social media site, while certainly annoying and disruptive, pales in comparison to taking down a fuel system à la Colonial Pipeline, or a food source like JBS, or compromising the safety of our water supply as with the Oldsmar Water Plant hack.
So far, these threat actors have been nothing more than common criminals looking for a payday, but the fact that they were sophisticated enough to launch ransomware attacks warrants a closer look.
With today’s ransomware tactics, everyone’s fair game. Why go after ID, money or personal information when the prize can be millions of dollars? Shutting down operations via encrypted computers now can be monetized into millions in bitcoin. This can be especially painful for critical infrastructure companies who are expected and even mandated to ensure service reliability.
Critical Infrastructure is the Weakest Link
Let’s peel the proverbial onion back a bit. One key indicator of an organization’s emphasis on digital transformation is how much money they spend on Information Technology (IT) as a percentage of their revenue. The idea being that you need to up-level your technology to benefit from the agility, efficiencies and scale promised by digital transformation.
In a 2020 CIO Insider Report, a study by professional services firm Deloitte showed that the top industries in terms of IT spending were:
- Banking and securities
- Technology and telecommunications
- Business and professional services
- Education and non-profits
- Travel, media and hospitality
- Healthcare services
Each of these industries was well above the average in IT spending. Now go back to the largest data breaches in history, and you’ll find several of these industries on the list. How could this be?
It’s because security is often overlooked during digital transformations. Global consulting firm McKinsey did a study that highlighted this exact fact. They found that security is not often a central part of transformation. It’s included, but usually later in the process. So, while organizations may be increasing their investment in IT, it doesn’t automatically mean they’re increasing their investment in cybersecurity.
Today, the most notable breaches – at least those that are known publicly (since there are far more attacks that aren’t reported) – are related to critical infrastructure. There has been a significant uptick in ransomware attacks on energy and utilities companies, manufacturing and even transportation companies.
Why the sudden shift? The logical reason is that these industries, according to the same Deloitte report, are among the lowest in terms of IT spending. They spend less on IT and therefore even less on security. This is deeply concerning. We consistently hear from customers that budgets are tight and they have to find money to support increases in security spending.
Now, some point out that the recent attacks on Colonial Pipeline, JBS and others didn’t directly impact the Operational Technology (OT) networks – the networks that monitor and control industrial equipment, assets, processes, and so on. These networks were shut down out of an abundance of caution to prevent further threats, or to prevent an indirect impact of the attack on OT systems.
So far, it would appear that fewer attacks have been successful in targeting OT environments. Yet these IT attacks are having a tremendous impact on OT.
You can learn a lot from those who have already experienced an attack. Once a company experiences a breach (ransomware, or other malware attacks) it becomes less likely to be hacked a second time. Why? Because companies typically implement technology improvements and increase security investments so they don’t get caught off guard again. Now, just imagine that they had done that prior to an attack. We call this a post-breach mindset.
The reality is that as more devices become interconnected during digital transformation, it becomes a matter of time before you’re hit. That is why you should adopt a post-breach mindset pre-breach. After all, the technology exists to see every device, managed and unmanaged, that is connected to your network.
A zero-trust approach to IT and OT security will provide the detailed threat intelligence reporting needed to understand vulnerabilities and risks. It will detect anomalies, analyze threats and protect you before attacks reach your OT networks and wreak havoc. And it will prepare you to defend critical processes and keep business running as usual when they do. Whether it’s an internet of things (IoT) device such as a surveillance camera, or a sensor on a conveyor belt, implementing purpose-built security solutions designed to protect both OT and IT networks now will limit the damage later.
The leadership of any organization needs to mandate taking a fresh look at their infrastructure. Don’t work back from “if” you are attacked as part of the analysis. Working back from “when” you are attacked is the right mindset. Do not wait for it to happen before you make all the necessary investments and changes to prevent or contain upcoming breaches. Start by looking at what the impact will be. Do the math on losses to productivity, to your reputation, public confidence and yes, the costs of lost business. Take that view now. Don’t wait.
As a company with a rich history of providing OT and IoT security and visibility for some of the largest enterprises and critical infrastructure providers in the world, we’re experienced in addressing these challenges and are ready to help.
The perfect storm is brewing. Be ready before it hits.
Armed with an outstanding track record of matching technical capabilities to market needs, Edgard Capdevielle has been a rainmaker in security, data center and cloud storage for many years. He is often invited to share his unique insights as a keynote speaker and panelist at industry and cybersecurity conferences worldwide. As CEO of Nozomi Networks, Edgard is deeply committed to protecting our critical infrastructure from escalating threats, and helping industrial organizations address their complex network visibility and cybersecurity challenges.