In 2018, we’re likely to see hackers build on the success of brutal attacks such as WannaCry ransomware. On the defense side, companies are beginning to take a holistic approach to security. With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement.
In many cases, the roadrunner is outsmarting the cyber-attacking coyote. Some cybersecurity experts note that you don’t necessarily have to outrun the coyote – you just have to outrun the roadrunner next to you, since cyber attackers seek the least-protected companies. In all, we’ll watch 2018 play out with attacks getting more creative while companies – with the financial blessing of the C-suite – become more adept at protection.
The Attackers Are Getting Smarter
The 2017 ransomware attacks set the scene for 2018 protections. Yet it’s the next wave beyond ransomware that worries cybersecurity experts. “The impact of WannaCry was pivotal. Attackers became empowered by WannaCry, since it resulted in at least a million dollars in public loss. I fear we’re going to see a pivot from PC-focused ransomware to more IoT and IT attacks,” Kevin Tambascio, manager of the Cybersecurity Office at Rockwell Automation, told Design News. “On the positive side, I’m seeing security become a funded, organized initiative within companies. There are more and more tools to help companies detect anomalous behavior in their organizations.”
Tambascio is concerned about a possible shift from PCs to network attacks. “Even after the ransomware attacks, the landscape continues to change. Attackers are pivoting from PCs to newer platforms where they feel they’ll have better success. In 2018, we’ll see new generations of attacks that we won’t be able to defend,” said Tambascio. “There is not a single technology or network design that will offer all the protection an organization needs. We believe in a defense-in-depth security strategy.”
This article is part of Design News’ 2018 Look Ahead package, offering perspective and insight on 10 areas of advancing engineering.
Where Are the Weaknesses?
It’s in the nature of hackers to be a step ahead of cyber protection. Companies don’t always know where they’re vulnerable until the attack hits. “The implementation of security in many IoT products will not match the pace of advancement of cyberattacks,” Alan Grau, president and co-founder at Icon Labs, told Design News. “Many companies are focused on security at the cloud and on secure communication. There is far less emphasis on security at the device level and ensuring that IoT devices are protected from attack.”
While companies beef up their cloud, network, and device security, there is one weakness that can’t be defended without ongoing personnel education. “You have to understand the risk that is present. We’re talking about firewalls, antivirus, but in the background, you have people, and they’re still a weakness in security,” said Tambascio. “That means educating your people. People have to evolve.”
While people in the organization may be the weakest link, many companies are slow to identify this problem and commit to an ongoing education strategy. “In most cases, the biggest problem is lack of education and understanding around cybersecurity,” said Grau. “While some companies have dedicated cybersecurity staff, many don’t. They have bright, talented engineers but lack the depth of understanding of cybersecurity.”
Has IT Won the Battle for Network Ownership?
For a couple of decades, there has been conflict between the IT department, which wants all patches applied right now, and the operational technology (OT) team, which lives and dies by uptime. “The challenge is the request for high availability. On the IT side the most important thing is the integrity of the information. So, that means organizations need to consider patch management,” Josh Kass, product manager of networks at Rockwell Automation, told Design News. “In the industrial space, it’s very difficult for the OT people to take a system down to do a patch. They need to develop the process internally to do the patch.”
For many years, the OT team won the argument – the patch can wait; we need uptime. But cyber threats have tipped the scale in favor of the IT department’s warnings about the importance of patches. “The days of not doing a patch because of uptime are coming to an end,” said Kass. “The organization says we’re going to do patches every 30 or 90 days depending on acceptable downtime, but there has to be more patch management.”
2018 Will See the Holistic Approach to Cybersecurity
One of the changes we’re likely to see in 2018 is the shift to a broader approach to cybersecurity. Protection will become an assortment of defense efforts inside and outside the network. “A few forward-looking companies are beginning to address security in a holistic fashion. These companies are developing products that include strong built-in security, and they are also addressing security at all levels – cloud, network and device,” said Grau. “Many companies, however, are deferring security until a later release or they are enabling a few, minimal security features provided by the hardware or OS. These companies are not necessarily ensuring that all main attack vectors are being protected.”
The holistic solution will take security down to the device level. “I think advances in the underlying security technology will continue to provide strong protections,” said Grau. “Examples include new hardware-based security solutions and secure MCUs for IoT devices.”
One of the ongoing dangers comes from hackers who can build on previous successful attacks to create new attacks. One odd way to avoid an attack is to create protection that is simply better than the next company’s protection. While this might ward off the next attack, it’s a weak approach to security.
“Too often, vulnerabilities that have been known for years are still present in industrial devices. Attackers are able to recycle old attacks with success against these targets,” said Grau. “Hackers often target the weakest devices they find. As a result, companies that have security that is weak but ‘not as bad as the other guy’ often feel a false sense of security. While many hackers simply target the weakest devices they can find, there is a growing threat from more sophisticated attacks. Companies need to be far more proactive, building security into IoT devices and taking a holistic approach to security.”
Rob Spiegel has covered automation and control for 17 years, 15 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years, he was owner and publisher of the food magazine Chile Pepper.
Image courtesy of Rockwell Automation.