We’re putting a lot of technology in a lot more places these days, and we’re connecting it to the internet in the hopes of being able to see new patterns so we can change our lifestyles and businesses. This has opened up a huge attack surface. In the last two years, not only have a range of new threats come to light, but old threats have become more powerful, all of which has led experts to believe that the next big cyberattack could take down critical infrastructure — and it’s only a matter of time before it happens.
We’ve covered how an exploit of a piece of Schneider Electric industrial process equipment took an oil refinery offline. Most people are also aware that last year, a malware variant called NotPetya took hospitals in the UK offline, both because of computer issues and because equipment such as MRI machines was affected. For most security professionals, those attacks are just the beginning.
A new report out from security group Pwnie Express claims that 85 percent of the 500+ security professionals it surveyed believe that their country will suffer a major cyberattack on its critical infrastructure in the next five years. What’s even worse is that most of these respondents believe that the least prepared industries are those with the biggest ramifications for health and safety — public health, water and wastewater, and the energy sector. In many cases it’s not that these organizations are doing nothing, it’s that the threat is so large and new they don’t know where to begin.
Back in 2015, I was talking to the CEO of American Electric Power at a Fortune event, and he told me that the company had an entire floor of employees focused on cybersecurity vs. just a handful of employees a few years earlier. And those employees were constantly fending off attacks. But his focus at the time was centered more around protecting the organization’s computer networks. Now threats come over networked cameras or through hackers attaching a rogue thermostat to a network.
And as for the facilities that are getting connected, their IT operations staff are busy doing other things. The security folks Pwnie Express surveyed said their employers were more than twice as likely to have a security policy in place for IT devices as for IoT devices. Where those companies do have a security policy, only a little more than one-third of their security pros said that they themselves are involved in checking that the devices are compliant, and two out of five said they either didn’t ensure devices were compliant or weren’t sure whether anyone in their organization checks.
DeSisto also says the survey results that surprised him the most were that professionals were abundantly aware of increased risks, but their companies had done little to try to address clear problems, such as not knowing what was on a network. “The complexity makes it hard for people to solve,” DeSisto says. “There are a lot of stakeholders, no standards, long life cycles, and any number of things in the wild, running in non-traditional environments.” So they give up.
Unfortunately, many of the concerns about security vulnerabilities are going to get worse before they get better. Almost a third (64 percent) of survey respondents said they are more worried about device threats than they were at the same time last year. The reigning solution so far seems to be some type of network monitoring function that can help security professionals. And it would be beneficial for companies to at least know what’s on their network, especially when 51 percent are concerned with purpose-built rogue devices yet only 24 percent can monitor for them in real time.
But if you download the document looking for the easy way out, I’m sorry to say that the checklist contains 46 items that range in complexity from “Eliminate unnecessary services and unused ports” to “Conduct security testing on third-party devices and software utilized in your business and products.” The problem with putting connectivity in everything is that criminals can take advantage of just about anything. No wonder security professionals are ready to give up.