Matt Morris is currently the Global Managing Director for 1898 & Co., where he leads a diverse team of ICS cybersecurity professionals.
In a cybersecurity landscape shaped by the upheaval of the pandemic, bad actors have significant opportunities and cybersecurity professionals face an ongoing challenge. It is a dangerous time for organizations running critical infrastructure, which are constantly outpaced by sophisticated and well-funded attackers. Improving industrial cybersecurity in 2022 and beyond requires several trends and initiatives to take hold that will deter attacks and protect the public.
Pressure on CISOs from above
In response to growing threats and recent large-scale security breaches, corporate boards will drive the need to strengthen the CISO role. In recent years, media and executive awareness of malware and ransomware incidents that have brought organizations to their knees has increased. CIOs at critical infrastructure providers see the brand and cost impact of these events and are pressing for an information security leader with strong decision-making authority. This empowers CISOs to stay current with the latest threats while maintaining an agile and robust security strategy aligned with the company’s revenue and growth goals.
There is also a shift in reporting structures, with the CISO no longer reporting to the CIO or COO. In the future they will report to the CEO, CFO or the Board of Directors. CISOs need to be familiar with today’s threats. If they have board reporting requirements, they need a security strategy that shows how the cybersecurity program addresses both critical functions and threats. CISOs need to shift from the typical model, which focuses on risks and vulnerabilities, to a broader view in which they are aware of the organization’s critical functions. A 2021 Gartner report supports the high level of attention paid to cybersecurity, noting, “By 2025, 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10% today.”
Increase in attacks by experienced adversaries and involvement of nation states
Cyber sabotage against critical infrastructure and critical functions of organizations has increased over the past decade. These attacks come from both nation-state actors and non-state actors. Nation-state actors try to drive geopolitical action and disruption, avoiding attributions whenever possible to disguise their efforts. Non-state actors often seek notoriety for their exploits and seek financial gain. Together, these two groups form an ecosystem of brokers that provide access to information and financial channels to those willing to pay.
These cyber threats will continue into 2022. Another factor driving such attacks on critical infrastructure is that many more nation states will step up their activities. Adversary nations see Russia as a “safe haven” for ransomware attacks, and countries like North Korea, China, and Iran see this momentum and will scale up their ransomware and malware efforts in the years to come.
A real-world example: In recent years, malware like Petya and NotPetya have had disastrous consequences for critical infrastructure companies like Maersk. These types of malware and ransomware have also been linked to notorious attacks.
A significant portion of these attacks come from Russia, whether they are considered direct actions of the state or are state-sponsored through various affiliates.
This poses a significant challenge for cybersecurity service providers, especially as other nation-states such as China, Iran and North Korea emulate the Russian approach. On the protection side, we need to make attributions where there are enough signatures and signals that allow cybersecurity teams to pinpoint where the attacks are coming from.
An evolution towards mitigation
The global cybersecurity skills shortage reached an estimated 3.5 million workers in 2021, and the lack of skilled professionals poses an extraordinary risk for critical infrastructure organizations. It coincides with evolving threats that are hurting private industry and the US economy. To combat these threats, businesses in 2022 and beyond will prioritize cybersecurity as a core principle. Organizations need robust awareness training so that people do not become entry points, along with broader development of cybersecurity skills that outperform those of threat actors. That is not yet the case, and the gap is often widening as increasing digitization multiplies points of attack and vulnerabilities. Meanwhile, the bad actors have ready access to skilled personnel and capital, as well as a steady supply of exploitable vulnerabilities.
It’s time for critical infrastructure providers and cybersecurity professionals to realize that current methods aren’t working. They implement safety precautions in all substations and facilities, patch systems and continuously perform other tasks. Despite these efforts, boards of directors, CEOs, and CISOs still see that a determined adversary can breach a company’s defenses and hold it for ransom.
Developed by Idaho National Laboratory, Consequence-Driven, Cyber-Informed Engineering (CCE) offers a new approach to risk mitigation. This is the approach taken by third parties like 1898 & Co., who use strategies specifically designed for critical infrastructure. CCE requires accepting that attackers will be successful, especially if they are determined and well-funded. Its philosophy is that human-designed systems carry risk and always have imperfections.
CCE builds roadblocks so that if there are undetected vulnerabilities in a utility’s infrastructure, an attack won’t cause a grid outage. CCE practitioners get organizations to think like their enemies, rank the systems that matter most, and then consider how best to protect those systems from hacking. While digitization offers value for customers and shareholders, it is often implemented without cybersecurity considerations. CCE enables OT cybersecurity teams to prioritize consequences, gather data on systematic dependencies, find the attack paths that produce the greatest impact, and then disrupt those paths when possible.
These trends all point to a broader need for an OT-centric approach, more cybersecurity resources, OT-focused managed services offerings, and the use of CCE to reinvent threat detection and mitigation.