It wasn’t long ago that the phrase “IoT security” seemed like an oxymoron. But now, awareness of the importance of the topic has never been higher. Given the expanding footprint of connected devices within everything from buildings to factories, adversaries have never had more of a variety of endpoints at their disposal to target. Here, we project what will happen in the game of cat-and-mouse that is cybersecurity next year.
1. Building Security Concerns Grow
In 2020, the prospect of smart building security is bound to become more of a top-of-mind concern for facility managers. With buildings accounting for eight out of 10 connected things in 2020, according to Gartner, smart buildings could provide new avenues for adversaries to attack. Experts are divided, however, on whether there will be a significant uptick in such attacks next year. Mirel Sehic, global director of cybersecurity for Honeywell Building Solutions, expects such an increase. Attackers could use building management systems as a pivot point to get to IT data as well as to manipulate building controls.
“I don’t know that we’ll see more threats there next year,” said Andrew Howard, chief executive officer of Kudelski Security. To back up that statement, Howard said the networks inside many buildings are highly segmented. “And so while there might be one system that’s internet-connected, the reality is that most of them are not,” he explained. “And if they are, they tend to be VLAN-ed off on isolated networks. It’s not like a lot of the IoT networks you see out there where all these devices are just on some like flat network architecture.”
“My experience with most buildings, whether they’re new or old, is that the old guard put in segmentation very heavily,” Howard said. For instance, the elevators might be segmented from the building management system, which is, in turn, isolated from escalators and so forth. “Security cameras in a building might be internet-connected, but it’s generally pretty hard to pivot from the cameras to the building management system,” Howard said.
The prospect of networked building systems became a prominent cybersecurity worry after the 2013 Target credit card breach. In that incident, one of Target’s HVAC vendors was breached, giving the attackers access to Target’s internal network, including its payment system. In that episode, hackers made off with 40 million credit card numbers.
One challenge in terms of securing buildings is that the landscape is often fragmented. “You haven’t yet seen a big player pop up and be the security provider in that space,” Howard said.
2. 5G Security Begins to Rear Its Head in 2020
In 2019, 5G seemed like a theoretical possibility. In the first half of the year, there were demos in trade shows and individual locations, but now telcos are beginning to build out their 5G networks.
As 5G deployments continue to roll out in 2020, it is likely attacks will follow, as Howard explained. Cesar Cerrudo, chief technology officer at IOActive, agreed. “Anytime we have more interconnected things, we have more security problems.”
The prospect of 5G eventually becoming a foundational protocol could mean that everything from surveillance and traffic cameras to vehicles is connected via the protocol. That could give attackers the means to paralyze neighborhoods, cities or even whole countries, Cerrudo said. 5G could also serve to link devices that primarily use a different wireless protocol. For instance, 5G could serve as a sort of backhaul for LPWAN devices to the cloud.
For one thing, 5G, like other wireless technologies, is prone to denial-of-service attacks and jamming, although the protocol does have anti-jamming properties.
Telecommunications and infrastructure firms are touting 5G for an array of use cases, including in the industrial realm. Using 5G for critical industrial processes with a tangible business impact is a risky proposition. Complicating matters is the fact that many industrial environments deploy “outdated, legacy devices,” said Jason Haward-Grau, chief information security officer at PAS Global. “Adversaries will begin to target these environments, bringing dire consequences such as unauthorized changes to configurations that make industrial processes do something they are not supposed to do, thereby resulting in an industrial accident, outage or even environmental excursion,” he said in prepared remarks.
3. Managed Security Services Market Surges
In recent years, a growing number of companies have given up on the prospect of managing security alone. One growing segment is managed security services, which is expanding at an annual rate of roughly 15%, according to a research synopsis from Kenneth Research.
“I think it will accelerate at a faster rate in 2020 [than it has in recent years],” said Howard, whose firm offers such services. In general, many organizations with digital transformation efforts struggle to find sufficient talent to address the growing complexity of cybersecurity. “And that leads them to go look at managed services,” he said.
Cerrudo also expects increased demand for the security consultancy business. “Demand should increase as our technology dependence and use increase, too,” he said. That includes organizations that can help unify cybersecurity for consumers and businesses. “Companies look for services to help with their problems and services adapt to companies’ needs,” he said. “In this process, different approaches are taken, which can include partnerships, outsourcing, SaaS solutions, regular services and more.”
Yet the complexity of the cybersecurity market leaves some firms reluctant to embrace outsourcing completely. “One change that I’ve seen in the market is more of a willingness by bigger companies to bring in a managed security provider for pieces of the security puzzle, but not all of it. So in the past, they would have insourced everything or outsourced everything. I think we’re seeing a lot more hybrid models,” Howard said.
4. OT Cybersecurity Gains in Clout
To some extent, cybersecurity for operational technology is already gaining in importance, thanks in part to the revelations that safety instrumented systems are a current target. Mirel Sehic of Honeywell expects this trend to accelerate in 2020 as more OT environments embrace digitization.
Howard agrees. “Customers I talked to with OT environments are very nervous about security,” he said. “And I think [this trend is] likely to accelerate.”
One contributing factor is the immaturity of the market. “I think the OT space is where the IT space was from a security perspective 10 years ago,” Howard said. A decade ago, finding cybersecurity standards for IT environments was tough. Cyber professionals could find NIST guidelines, but there wasn’t much in the way of nuanced guidance for specific industrial environments.
The situation is leading to an uptick in OT-focused organizations, such as Siemens’ Charter of Trust and the not-for-profit MITRE Engenuity’s Center for Threat-Informed Defense. Howard expects more organizations to pop up in 2020 with a focus on OT cyber standards. “I think the OT space is tougher than the IT space around this topic. Because the reality is, in the IT space, the difference between laptop A and laptop B and server C is just not that different, especially as the operating systems have consolidated,” Howard said. “But the difference between a Rockwell PLC and a Honeywell manufacturing system is just enormous.”
Mark Carrigan, chief operating officer at PAS Global, observes that there has been a proliferation of OT-focused security standards like ISA/IEC 62443 and the European Cyber Directive, as well as frameworks from the likes of NIST, NERC, SANS and the Center for Internet Security. “In 2020, increasing adoption of these frameworks and standards will reduce cyber risk; however, they will increase industrial cybersecurity cost and complexity as organizations work to adopt and attest to their use of these frameworks and standards,” Carrigan said over email. “Given the relative immaturity of adoption, organizations are also likely to evaluate adopting multiple frameworks, thereby increasing cost and complexity further.”
5. Secure by Design Approach Finally Gains Ground
No product designer thinks deviously that they should create a connected product with no security. But the company the designer works for may have difficulty aligning priorities around time to market, cost and customer experience. Given the amount of attention surrounding IoT security, though, things are looking up, according to Charlene Marini, vice president of strategy, IoT services group at Arm. “IoT device makers and deployers of connected devices will put plans in place to upgrade the capabilities they offer to ensure secure IoT systems,” she said over email. The mindset shift will mean device makers begin prioritizing the creation of trusted, connectable and manageable products. This new mindset will include “[e]mbedding life cycle management capabilities at design time, writing software with security and privacy principles at the forefront and providing accessible updates to deployers of their devices,” Marini said. For organizations deploying IoT devices, the mindset shift will involve enlisting the help of experts with experience managing IoT networks at scale.
Marini’s colleague, Hima Mukkamala, senior vice president and general manager, IoT cloud services at Arm, sees regulation such as the EU’s General Data Protection Regulation and the California Consumer Privacy Act continuing to underscore the importance of privacy and security in IoT devices. “Given the increased volume of IoT devices and more government regulations coming in, data privacy and security become paramount in driving IoT solutions,” he said over email. “Security will be a key factor in the decision making process for organizations as they look at deploying IoT infrastructure in 2020.”
Carl Wearn, head of E-Crime at Mimecast, has a similar perspective. Projecting an uptick in IoT-related cyber risk next year with the risk of “embarrassing security and extortion opportunities,” Wearn predicts growing legislation relating to the use of such connected devices. “This area of connectivity and the general lack of security inbuilt to these devices has been significantly ignored for too long and public awareness as to their uses and potential exploitation is growing,” Wearn said.
6. AI Hype Persists, But Vertical AI Approach Emerges
The amount of puffery surrounding artificial intelligence in cybersecurity has arguably begun to decrease. But don’t expect the situation to improve dramatically. The term “AI” is slapped onto all sorts of things, many of which are simply decision trees, algorithms or software. That’s not to say that AI doesn’t have tremendous potential, of course. But the actual term “AI” has achieved a sort of umbrella status to mean nothing in particular. “I’ll give you an example,” Howard said. “I was in a meeting with a lot of other cyber security leaders and the topic was about how artificial intelligence is driving change in behavior.” The various people in the room began to provide examples regarding how they used AI to minimize their cyber-risk. “And they kept naming off examples,” Howard recalled. “By the time I got to the seventh one, I just raised my hand and I said: ‘No one has described an artificial intelligent use case. You guys are just describing process workflow and software. If there’s not something like a machine learning model or neural networking capability behind the scenes, it’s just software.’”
There is reason for optimism that AI in cyber will grow up, according to Artem Kroupenev, vice president of strategy at Augury, whose firm focuses on using IIoT sensors to monitor machine health. Given the current state of AI maturity, products that are carefully designed for a specific use case tend to be more effective than those with more of a generic approach. In 2020, “[we] will see the first signs of concrete adoption of AI within industrial enterprises around specific vertical use cases,” he said, referring in particular to the IIoT landscape.
Referring to the use of artificial intelligence in cybersecurity, Cerrudo explained: “If you want to provide better solutions, you have to narrow your focus and heavily invest in R&D. AI use keeps growing and maturing and the more targeted the use, the more precise it becomes. Broadening the scope adds complexity and reduces efficiency.”