A BOLD look into what we can expect in cyber for the upcoming year
Over the course of 2018, we gathered a list of more than 50 predictions for 2019.
From that list, we separated the safe predictions from those that made us stop and think—those that are intentionally bold and that others in cybersecurity and information security can use to inform their strategic plans and initiatives for 2019 and beyond.
1. The convergence of Operational Technology (OT) and Information Technology (IT) will result in the cyber-physical destruction of Industrial Control Systems (ICS) and critical infrastructure.
The concept of OT/IT convergence isn’t new, but as the attack surface continues to increase, so too does the likelihood of an attack successfully causing a severe physical impact. We’ve seen a number of attacks that have leveraged the connection between OT and IT in recent years, from the attack on the Ukrainian power grid to the more recent TRITON industrial control malware attack. Prior to this convergence, attacks on IT had a relatively limited impact on the physical world—stolen credit card numbers and compromised personal data. Individual victims were offered identity theft protection and organizations with good backup and recovery practices in place were able to ‘copy and replace’ their data—and those lacking such practices either adopted them or later suffered the consequences. Breaches and attacks were detrimental, but they were not physical. Attacks that previously aimed to harvest data will now focus on not just stealing data, but using it to cause physical harm and disruption.
It’s not hard to imagine the potential damage. Take the revenge sewage attacks in Australia from 2001 that resulted in millions of liters of raw sewage spilled into local parks and rivers, or the 2016 attack on a U.S. water utility plant, in which attackers were able to manipulate the amount of chemicals distributed to the public.
Confidentiality, integrity, and availability, also known as the CIA triad, is a concept that has been adopted by experts in information security as the unifying attributes of a strong cyber program. However, MITRE and others have now added safety and reliability as core pillars of cyber resilience on account of the increasing connectedness of our cyber-physical world.
We predict that attacks on Industrial Control Systems (ICS) across all critical infrastructure sectors will increase in frequency and intensity, forcing the owners of those systems to either invest in newer, more secure systems, or reevaluate their entire security architecture and reassess the manner in which OT and IT functions connect. Furthermore, the kinetic impact of a major attack on critical infrastructure will prompt legislative action and new regulation on a sector that is currently majority owned and operated by the private sector.
2. The majority of financial institutions will look to network segmentation to secure critical applications.
Financial services had the highest cost of cyber crime in 2017 with the annualized cost reaching more than $18 million according to a Ponemon Institute study. This year, financial services experienced the highest frequency of data breaches across the 17 industries analyzed. However, the U.S. financial sector has taken significant strides to improve cybersecurity in recent years and a number of regulations have been proposed to further enhance the security posture of U.S. banks. Federal cybersecurity standards were introduced in 2016 and earlier this year the New York State Department of Financial Services (DFS) announced 17 new cybersecurity regulations that apply to regulated entities doing business in the state.
Many would argue that large U.S. banks are at the forefront of the cyber maturity curve, largely on account of regulatory oversight by the Office of the Comptroller of the Currency (OCC) and the Federal Financial Institutions Examination Council (FFIEC). Top U.S. banks have also taken a leadership position on standards for cybersecurity across the industry. Currently, U.S. banks are leading the early adoption of network segmentation. Multiple attacks targeting the Society for Worldwide Interbank Financial Telecommunication (SWIFT) software prompted the development and subsequent release of the SWIFT Customer Security Controls Framework (CSCF). Many banks began segmenting SWIFT and other payment-related applications—marking the onset of segmentation with network controls. U.S. and EMEA banks have adopted a more modern and programmatic approach centered on network segmentation and are working hard to implement further controls around their critical applications.
The international lag in implementing cyber best practices is partially due to a lack of international regulation, ownership and adoption. However, the SEC issued guidance twice already this year and recently announced that it wants better controls, such as those outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which calls for network integrity to be protected, incorporating network segregation where appropriate. The NIS Directive, which is the first piece of EU-wide legislation on cybersecurity, was released in January and updated again in October. Attacks on the financial services industry will continue in 2019 and—whether required by a new international regulatory agency for financial services or not—we predict that network segmentation will rise as a critical approach to preventing future breaches.
3. Improvements in medical device classification, protocol parsing and packet inspection will drive significant network architecture changes in healthcare environments.
Increasingly, we’re seeing not just remarkable advances in medicine, but in medical device innovation. This year we saw the introduction of things like a fingerstick-free continuous glucose monitoring system, enhanced visualization and access for diagnostic and therapeutic applications through SpyGlass DS and a non-invasive handheld platform used for assessing head injuries. Healthcare breakthroughs are no longer limited to operational techniques, cures for disease or revelations about how the human body works. Advances in technology have played a significant role in advances in healthcare; however, when the two are merged, there’s also a significant introduction of risk. In 2017, the FDA recalled almost half a million pacemakers over hacking concerns and researchers have warned against the dangers of hackable implanted medical devices. More and more medical devices have sensors and other software components that are susceptible to compromise just like any other connected device.
Because of that risk, the FDA issued industry guidance for networked medical devices in 2005. Since then, the FDA has taken proactive steps to address the concerns and risks of connected medical devices, including a memorandum of agreement (MOA) with DHS for the coordination of information sharing relevant to device vulnerabilities, and recently published draft recommendations to industry regarding medical device design, labeling and documentation. Most recently, the FDA published a proposed rule that, if finalized, would establish classifications for new types of medical devices and provide guidelines for the de novo classification process.
We predict that new regulations will drive improvements in medical device classification which will ultimately prompt significant changes to network architecture in the healthcare industry. A 2017 analysis of outdated OS usage showed that thousands of organizations across industries nearly tripled the chances of a data breach by running outdated operating systems. Within healthcare specifically, an estimated 15% of operating systems and browsers were out of date.
The size of this risk, coupled with the cost to mitigate it, will force the healthcare industry to reassess its traditional approach to networking. Replacing thousands of old operating systems is expensive, and because so many other critical systems and applications rely on those outdated operating systems, we predict that the industry will look to new approaches such as network segmentation to mitigate cybersecurity risks—something we expect to see across other industries as well.
4. The Continuous Diagnostics and Mitigation (CDM) approach will gain traction beyond the Public Sector and expand to other critical sectors that are forward-thinking on cybersecurity.
Rooted in the NIST concept of continuous monitoring, CDM was first introduced by the Department of Homeland Security (DHS) and the General Services Administration (GSA) in 2012. The program is structured in four phases to determine what is on the network, who is on the network, what’s happening on the network, and how data is protected on the network. The Advancing Cybersecurity Diagnostics and Mitigation Act was introduced this September and seeks to authorize the cyber program in law; the bill passed the House, but must also pass the Senate and be signed by the President. While there have been procurement challenges and disagreements as to the type of data individual agencies should be required to provide, a recent memo from the Office of Management and Budget Director stated that, “…agencies are solely responsible for the state of their cybersecurity posture and must work closely with DHS in order to accomplish CDM program goals at the agency level.”
CDM will continue to mature in the Public Sector as the leading method for continuous risk identification, prioritization, and mitigation—‘ongoing’ activities that are equally applicable and important for other industries such as Financial Services and Healthcare. There are multiple frameworks designed to help decision makers across industries—the Cybersecurity Assessment Tool developed by the Federal Financial Institutions Examination Council (FFIEC), the Financial Services Sector Cybersecurity Profile, and NIST’s continuous monitoring guidelines. Each is effective, but we predict that as the benefits of the CDM program are recognized, other industries will start to adopt the program for those same benefits and capabilities.
5. Major Protected Health Information (PHI) breaches will continue, but the attacks will get more personal and creative.
Charlie Sheen joked about his HIV diagnosis in an email to Sony Pictures Television executives. However, that personal health information was later publicly disclosed as a result of the 2014 Sony breach. Network attacks on healthcare organizations will continue putting millions at risk, phishing attacks will continue to provide unauthorized access to millions of records, and both intentional and unintentional human error will continue to compromise the security of electronic health records.
We’re going to see more creative approaches to hacking and leveraging data by malicious actors in 2019. Hackers will employ the data harvested from a breach to exact more personal consequences on strategically targeted victims. Even if an individual has no known affiliation with a healthcare provider, anyone is subject to indirect compromise. This problem reaches beyond the obvious risks of sharing health information between offices; the attack surface has broadened to the entire healthcare supply chain.
Attackers are seeking to gain comprehensive access to entire verticals and will employ any means necessary. In one scenario, hackers tried to gain backdoor access to steal credit card data—targeting fast food restaurants, chicken restaurants, poultry farmers, and finally hardware vendors that sell to the poultry producers. Although this particular example isn’t connected to healthcare, it demonstrates the innovative methods we can expect bad actors to utilize.
Credit card numbers have traditionally been a major target, but we expect there will be an increased interest in gaining proof of identity, such as passports and driver’s license numbers—things that don’t expire as quickly as credit cards, have a higher value than traditional PII on the black market and can be used to access PHI. While the breach of financial data can be devastating, insurance and other identity theft protections offer some relief. The theft of PHI, however, can have enduring repercussions.
6. New roles will evolve in cybersecurity: human-machine collaboration will be critical to stay ahead of adversaries.
The cybersecurity skills shortage has been an ongoing challenge across all industries, particularly in the federal government. Automation and machine learning have allowed some organizations to offload time-consuming and unnecessarily burdensome tasks and retool a portion of their workforce. However, some have argued that advances in technology will eventually make the human workforce obsolete. That’s unlikely; instead, we predict that we’ll see improved collaboration between humans and machines—intelligence automation (IA)—that will not only address the skills gap but also result in stronger cybersecurity practices and programs. Consequently, we’re going to see additional roles for those in the cyber field.
A team from Harvard Medical School’s Beth Israel Deaconess Medical Center (BIDMC) hypothesized that pathologists working with computers will outperform pathologists operating alone. While the human pathologists successfully identified cancer 96% of the time, the computers were only 92% accurate; however, the team’s hypothesis was proven correct when human analysis was combined with deep learning, resulting in a 99.5% success rate. This example applies beyond healthcare and we predict that humans and technology will evolve to achieve greater success with less manual human effort.
Roles such as Chief Information Security Officer (CISO) and Chief Risk Officer (CRO) have gained traction in recent years, but we predict additional cyber roles will emerge as well. Cyber advisors and AI-assisted cyber centaurs may be employed to provide oversight of not just the technology, but how the workforce is using the technology, implementing new measures to restrict human error and collecting statistical data to guide decision making. We’re already seeing legislation in the works that would require cyber vulnerability disclosures, such as the Cyber Vulnerability Disclosure Reporting Act, and recent SEC guidance includes expectations for specific cyber behavior, actions and board involvement in managing enterprise risk. Such legislation would further augment the need for additional roles, which we predict will eventually be mandated as well. Advances in AI will allow a shift from requirements and regulation to AI-based accountability and automated enforcement.
7. State government IT maturity will propel the harmonization of federal cyber regulations.
State governments implement federal programs and, partly because of the need to exchange data, are bound by federal rules and regulations. However, state governments have been quicker to modernize and adopt new technologies than federal rules have allowed. State governments have taken significant steps toward managed services and IT consolidation, but federal regulations have struggled to keep pace with advances in technology (see NASCIO testimony in the House and Senate). For example, IRS Publication 1075 (last updated 2016) is based on law codified more than 40 years ago, the Tax Reform Act of 1976.
Federal security regulations such as IRS Publication 1075, the SSA’s Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information, the FBI’s Criminal Justice Information Services (CJIS) Security Policy and the Centers for Medicare and Medicaid Services (CMS) Minimum Acceptable Risk Standards for Exchanges (CMS MARS-E) principally address the same topics, yet they differ in their actual requirements. For example, with respect to access control, some federal requirements enforce a limit of three attempts, while others allow up to five attempts, and another simply gives general recommendations. These inconsistencies are costly and burdensome, as voiced during the 2017 NASCIO testimony before the Senate Homeland Security Committee and the 2018 testimony before the House Oversight and Government Reform Committee, and they force states to dedicate cyber personnel to compliance tasks instead of critical cyber actions. When asked what they considered their top priorities in the 2018 State CIO Survey, 64% of state CIOs cited “ensuring IT systems comply with security and regulatory requirements.” Yet compliance does not always equate to security, especially when the requirements are based on laws that were codified at a time when the Internet was not even a concept.
We predict significant movement in 2019 to harmonize federal security regulations for state governments. We expect to see more requests for more efficient federal regulation from both regulators and the regulated. We predict that action to update and unify the requirements will follow, most likely by an organized group (i.e., working group) of those with subject matter expertise.
8. Malicious actors will leverage Building Automation Systems (BAS) in a major public ransomware attack.
Building automation systems and other advances in technology are driving the rapid adoption of smart buildings. From remote monitoring and assistive technologies, to adaptive energy systems and networked appliances, leveraging smart technology to make a building intelligent can offer numerous benefits and savings. Over the last decade, we’ve seen buildings evolve beyond basic Building Management Systems (BMS) with isolated subsystems to a more complex ecosystem with a wide range of systems integrated with building automation. With proposed smart building legislation aimed at accelerating adoption introduced earlier this year, we expect that BAS will increasingly be looked to for cost savings, reduced energy consumption, improved safety, increased convenience, and near self-sustainment.
But BAS also introduces significant risk. Hackers first gained access to Target’s network in 2013, using network credentials stolen from the retailer’s HVAC provider. There have been multiple instances of ethical hotel hacking to identify vulnerabilities before they are exploited, but there have also been a number of real attacks, such as the 2016 attack on an Austrian hotel. The risk extends beyond retail and hospitality to all industries. Datacenters, which are predicted to consume one fifth of the planet’s power by 2025, are critical across all industries and are also heavily dependent upon a reliable, resilient, and secure HVAC system. If HVAC were to become compromised, thousands or even hundreds of thousands of servers could overheat, potentially halting financial transactions and preventing countless major companies from executing core operations—resulting in a massive cross-industry standstill.
The EPA estimates that there are more than 1,300 deaths per year in the U.S. due to extreme heat. More than 12,000 Washington, D.C. residents were left without power and air conditioning in the summer of 2016 after a transformer caught fire downtown, and just this summer, thousands were left without power or air conditioning in Los Angeles after a heat wave prompted high demand. If you’ve ever experienced such an outage before, you understand how inconvenient and uncomfortable those outages can be, even if they only last for a few hours.
A well-orchestrated attack on a specific region could have devastating physical consequences—even loss of life. As more and more buildings come on the grid and become connected, it’s also going to become easier than ever for malicious actors to gain access and move laterally across larger networks—increasing the volume of potential damages, while also providing the hackers with more places to hide on the networks. Actors may plan entire operations around large-scale public events, such as the World Cup, the Super Bowl, and large multi-day music festivals such as Coachella and Lollapalooza. They may gain initial access through local hotels where fans are likely to stay, then target local hospitals and the concert venue. In 2019, we will realize that the threat is as pervasive as the technology we have come to rely on every single day.
While these bold predictions span industries individually—from the public sector and state and local government, to healthcare, financial services and critical infrastructure sectors—the trend is that there will be an increasing overlap in cybersecurity needs across industries. Those needs and risks can in many cases be managed and mitigated with leading cybersecurity tools, but meeting the greater industry-wide cybersecurity need hinges upon the identification and cultivation of expert cyber talent that can enable new technologies to evolve and pivot at a speed that is faster than our adversaries.
As cyber becomes physical and OT and IT converge, our comfort level with ‘the fifth domain’ will change. Our assumptions will be peeled away, one by one, until it is revealed that we are all connected and dependent on mankind’s greatest invention: The Internet. Our kids might not remember a life without IT, but as our world evolves—and with it our world views—it’s important to remember the most revolutionary advances—and consequently the scariest changes—of the past. Each has impacted mankind in some way, and without fail, mankind has adapted, ultimately creating a brighter future for the next generation.
Do you have any offbeat, bold predictions that made you stop and think? Share them with Forescout Research Innovation Labs! Join the conversation on Twitter @Forescout.