Cyber attacks come in a wide range of flavors, from phishing and malware to ransomware and social engineering where cyber criminals trick you into revealing sensitive information. How organizations cope with the increasing threats of attacks will affect our quality of life globally. Infrastructure attacks can have a profound impact on organizations as well as the overall population.
We caught up with Haydn Povey, chief strategy officer for IAR, to get his insights on developments in security against cyber attacks. During a lengthy conversation, Povey explained the 10 trends that he believes will play out over the coming year:
- Legislation is getting teeth.
We’ve been working to pass legislation for some time. I’m on the board of the IoT organization. Over the last three years, we’ve seen governments step up with regulations. But those laws are mostly carrots. We’re now starting to see the stick. In the UK, we’ve seen new legislation for security and telecom. It dictates punishments as high as $10B if you foul up around electronics security. These require provable points. The legislation also supports a guaranteed service. If you say 10 years in service, it’s 10 years. That’s the law. That’s the big stick that’s finally coming.
- Supply Chains will accelerate security.
Biden has an executive order around the bill of materials. Every organization must ensure that what they think is in their product actually is in the product. If your product has an exploit, you have to secure your supply chain. You have to ensure that what is going into your device. This is to prevent malware. These efforts are moving to legislation and punishment.
- Security will become simpler.
Right now, security has a million different meanings. We must simplify security so you can prove it in a law court. That simplification. We have to have standard terminology and some form of equivalence. This is not to take away differentiation. You have to have a mechanism for delivering equivalence so you can say whether you’re secure or not secure.
- Security will become everybody’s problem.
Security has to become everybody’s problem. We need a security officer who works in the CEO’s office. Security has to be thought about up and down. Engineering has to deliver around that and the whole organization needs to be focused on security. Some think of it as malware, protecting IT, feature enablement, and value-add capabilities. The big trend is that security is a requirement for the organization and not just the product. It’s how you manage the lifecycle of the product. That’s broad re-engineering. If you have to produce a secure product for your customers for 10 years, you have to figure out how to do that.
- Security outcomes will become important.
What do we want out of security? How do we make sure we value security correctly? If I just spent 10M on IT, I don’t want to see anything walking out the door. Counterfeit products account for over $500B of trade. That’s 3.3% of global trade. In Europe it’s 6.8% of all trade. Electronics are a massive proportion of that. How do you stop my competitors from stealing your products? $60B in IT was stolen in the EU last year.
- Security will become a central value.
Right now, security is considered a cost. It is central as an enabling service. Security isn’t something you buy, it’s something you experience. Millennials want to experience a car, not own one. They want great hair; they don’t want to own a hairdryer. This shift in security from a product to an experience is central. It demonstrates a sea change as it moves from a cost to an enabler.
- Connectivity will continue to rise.
More and more devices will be built cloud-ready and manufactured with certificates and identity, so they appear on the network as known. We have millions of devices present and we don’t know their identity. We have to change that radically. We’re working with chip manufacturers to pre-provision with a certificate, so the devices are pre-known and validated. Users need to know what they’re connecting to. You need to have zero implied trust, so trust will be through validation. That will have to be built by the giants since they have the momentum.
- Health care will drive consumer IoT.
The ability to monitor ourselves and manage our health is growing. That will drive huge privacy concerns. Everything that touches your body needs to be managed to stay private. Nothing is more private than health monitoring.
- Critical infrastructure will connect.
Smart city technology is growing. During 2013-2020, we’ll see a 4000% increase in security attacks on critical infrastructure. That can cripple water plants. By 2025, 30% of critical infrastructure systems will experience a security breach. That includes transportation, water, and electricity. Just one breach of a power grid will have a huge impact. It’s only a matter of time before people will die because of these attacks. We have to subject them to remediation. The threats on critical infrastructure are fairly doom and gloom.
- We’ll see cybersecurity mesh.
Cybersecurity is a broad term and we’re seeing a lot of different platforms. Some that are in networks, and some alone. We have to get them to work as a cooperative ecosystem. IoT has to be rooted in the security system. We have to move to zero implicit trust and prioritize interoperability from lots of different vendors. That means 10s or 100s of vendors.