IT & OT convergence demands greater cybersecurity

Posted on 25 Jul 2017 by Jonny Williamson

The world’s key industries need to improve their approach to digital security as information technology and operational technology move closer together, a core enabler in embracing the Internet of Things.

Industrial Internet CyberSecurity Attack Hack Data Crime
Within an ever more connected ecosystem, data security remains a high priority for many manufacturing executives.

The rapid evolution of threats and the increasing magnitude of attacks, compounded by more companies bringing IoT operations online, is creating a perfect storm in the potential scale and impact of cybersecurity incidents.

This is the principal finding of the Cisco 2017 Midyear Cybersecurity Report. It states that the recent WannaCry and Nyetya attacks foreshadow what Cisco is calling “destruction of service” (DeOS) attacks.

DeOS attacks look like traditional ransomware, but are much more destructive. These could eliminate an organisation’s backups and safety nets, required to restore systems and data following an attack.

Cybersecurity threat landscape

Cisco security researchers watched the evolution of malware during the first half of 2017 and identified shifts in how adversaries are tailoring their delivery, obfuscation and evasion techniques.

Specifically, Cisco saw that victims are increasingly being required to activate threats by clicking on links or opening files. Fileless malware is also being developed that lives in memory and is harder to detect or investigate as it is wiped out when a device restarts.

Finally, adversaries are relying on anonymised and decentralised infrastructure, such as a Tor proxy service, to obscure command and control activities.

Additionally, while Cisco has seen a striking decline in exploit kits, other traditional attacks are seeing a resurgence, including email spam, spyware and adware, and the growth of Ransomware-as-a-Service.

Business email compromise (BEC), a social engineering attack in which an email is designed to trick organisations into transferring money to attackers, is becoming highly lucrative. Between October 2013 and December 2016, $5.3bn was stolen via BEC, according to the Internet Crime Complaint Center.

Just 31% of manufacturers – fewer than a third – regard cybersecurity as a high priority.
Worryingly, 40% of manufacturing security professionals said they do not have a formal security strategy.

Common challenges

As criminals continue to increase the sophistication and intensity of attacks, businesses across industries are challenged to keep up with even foundational cybersecurity requirements.

As part of its Security Capabilities Benchmark Study, Cisco surveyed close to 3,000 security leaders across 13 countries and found that across industries, security teams are increasingly overwhelmed by the volume of attacks.

This leads many to become more reactive in their protection efforts.

  • No more than two-thirds of organisations are investigating security alerts.
  • Even in the most responsive industries (such as finance and healthcare), businesses are mitigating less than 50% of attacks they know are legitimate.
  • Across most industries, breaches drove at least modest security improvements in at least 90% of organisations.

Regarding manufacturing, 40% of the industry’s security professionals said they do not have a formal security strategy, nor do they follow standardised information security policy practices, such as ISO 27001 or NIST 800-53.

Cybersecurity advice

To combat today’s increasingly sophisticated attackers, organisations are urged to take a proactive stance in their protection efforts.

  • Keeping infrastructure and applications up to date, so that attackers can’t exploit publicly known weaknesses.
  • Battle complexity through an integrated defense. Limit siloed investments.
  • Engage executive leadership early to ensure complete understanding of risks, rewards and budgetary constraints.
  • Establish clear metrics. Use them to validate and improve security practices.
  • Examine employee security training with role-based training versus one-size-fits-all.
  • Balance defense with an active response. Don’t “set and forget” security controls or processes.