Winston Churchill famously stated, “those that fail to learn from history are doomed to repeat it,” so as we begin to make predictions about what the future holds, let’s take a moment to review one of the biggest trends of recent history: ransomware.
According to the Ransomware Task Force, ransomware payments increased 311% in 2020 at a cost of more than $350 million. In 2021, these statistics will almost certainly increase after high-profile ransomware attacks, such as those against Colonial Pipeline, JBS and CNA Financial, resulted in ransomware payments as high as $40 million.
Fast forward to today. REvil, DarkSide and dozens of copycat ransomware groups know the same thing that we know: the number of connected devices in operational technology (OT) environments is growing every day, organizations are embracing automation across the enterprise, and the adoption of network segmentation is not happening as quickly as it should.
OT Cybersecurity Predictions
As we look ahead to 2022, that means OT security issues, such as those we will cover below, will become increasingly commonplace. But it isn’t too late for organizations to change their future for the better.
Prediction 1: Hackers will use IoT as an entry point: Forescout research has identified dozens of IoT vulnerabilities affecting millions of these devices, making them an attractive target for attack. Hackers will take advantage of IoT devices misconfigurations, such as the default, unwanted services left enabled, and devices left exposed on the Internet. Most companies will be slow to respond because of their limited visibility and minimal network segmentation in place to take impacted devices quickly offline.
The first step to secure the IoT attack surface is visibility since you cannot protect what you don’t know exists. Organizations need to have deep visibility into all of the devices on their network and understand the risk posture of IoT devices, which often go overlooked, so they can take corrective actions, such as changing passwords, disabling services, and reducing exposure. Organizations also need to accelerate the scale of their network segmentation initiatives to cover the entire enterprise network instead of dragging their feet with small pilots that leave most of their network vulnerable.
Prediction 2: Supply chain software vulnerabilities are ripe for an attack: Forescout revealed more than a dozen vulnerabilities affecting hundreds of device manufacturers that enable hackers to exploit a common TCP/IP stack for Denial-of-Service (DoS) attacks or Remote Code Execution in OT systems. Hackers will continue to seek out these sorts of widespread vulnerabilities that affect third-party software components to disrupt and control OT systems and devices.
This threat is particularly challenging because of the shared responsibility between OT device manufacturers and the organizations using them. Most organizations are at the mercy of their vendors to disclose any potential software vulnerabilities. Ideally, OT device manufacturers should incorporate software validation into their product development, which organizations should recognize and reward in the sales cycle. Due diligence should include an assessment of a vendor’s development lifecycles, update policies, use of exploit mitigations, and knowledge about third-party hardware and software components. But pragmatically, organizations also need to be proactive with network visibility tools that can indicate the presence of vulnerable components to mitigate future risks on critical devices.
Prediction 3: OT as a target for extortion: One of the most notable ransomware attacks of 2021 was against Colonial Pipeline since the company shut down its OT environment to prevent the attack from spreading. This shutdown of their pipeline caused a major gas crisis. Attackers certainly took notice of the impact of this crisis and realized that compromising OT environments with OT device vulnerabilities could result in substantially higher ransomware payments.
When ransomware strikes IT systems, organizations need to move quickly to contain it, but when ransomware strikes OT systems it may already be too late because they are an immediate target of extortion since they can halt operations once they are taken offline. This is yet another reason that organizations need to accelerate their network segmentation initiatives and have visibility of vulnerabilities within their networks so that even if a hacker does compromise an OT device, they have minimized their ability for lateral movement.
Prediction 4: The ‘connected building’ will be as prizeworthy a target to hackers as hospitals: Ransomware attacks against hospitals and healthcare systems have been unfortunately common throughout the pandemic, which is partly because of their network weaknesses. The influx of building automation systems in airports, corporate buildings, satellite campuses, utility companies and similar entities has created an expanded and as appealing attack surface for hackers as hospitals. Hackers only need to be right once and find one misconfigured or vulnerable connected lighting or HVAC system to cause havoc.
Organizations that are embracing so-called “smart” technology need to do so intelligently. Companies must re-evaluate the security policies associated with their building automation systems and corresponding connected devices and employ zero trust enforcement. It can be complicated, so companies must seek out more flexible policy language that allows zero trust and threat-focused rules to reflect the system or device’s business intent.
Preparing for OT Security in 2022
To have a chance of successfully defending their networks and avoid being the next target in 2022, companies need to follow the familiar advice of allocating more budget (including people and tools) to OT cybersecurity initiatives. But this allocation must be targeted to those initiatives that make an actual impact on the enterprise-wide cybersecurity readiness, rather than siloed projects. As of today, there are three main capabilities that every company must have to enable the successful defense of OT and IoT in the years to come: 1. Identify all devices in their networks, regardless of where they sit and how they connect; 2. Minimize the exposure and associated risk of these devices, which includes segmenting the network; and 3. Enforce policies across the enterprise by orchestrating and maximizing the value of all the security tools at their disposal.
