Six Cybersecurity Predictions for Critical Infrastructure and the IIoT in 2019
Those of us who like to think about the future are always tempted to prognosticate at the beginning of a new year. Following are my top six cybersecurity predictions for 2019, based on the developments and trends that we’re watching closely.
- Segmentation and segregation will continue to be evangelized and adopted by the government, critical infrastructure and industrial firms to help secure current infrastructures. Separating and hardening areas that contain particularly sensitive data, and reducing the attack surface by segmenting networks and enforcing access controls based on the types of devices or user roles allowed to reach certain areas of the network, are key components of a defense-in-depth security strategy.
- Security concerns will begin to slow the growth of Internet of Things (IoT) device adoption, and industrial and critical infrastructure markets will start feeling the impact. While stories of compromised IoT appliances may frighten consumers, for manufacturing companies and infrastructure operators the risks of hacked IoT systems involve not just data loss but potential loss of life, risks costly enough to make many organizations pause.
- Multimillion-dollar security breaches will continue to occur, with industrial and critical infrastructure firms increasingly being targeted and victimized. As information technology (IT) and operational technology (OT) converge, bad actors are recognizing that it’s often quicker and easier to access IT networks (and the data or intellectual property they contain) via OT systems, which in many cases include older technology that was not designed with today’s security needs in mind.
- Critical infrastructure and industrial firms will increasingly look to collaborate on security strategies and will push to enable the sharing of information, threats and remedies. More companies are looking toward shared responsibility. Unless a breach involves consumer data, in which case it must be disclosed by law, most companies do not provide the industry with any information about penetrations or attempted attacks. Knowing what types of attacks are taking place, and which ones are successful, can help organizations defend themselves more effectively.
- Insurance and financial firms will collaborate on strategies for cyber risk profile lending and cyber insurance products for industrial firms. Considering a successful cyberattack’s potential financial cost, whether due to lawsuits, fines from regulatory authorities or the loss of production and intellectual property, it’s not surprising that companies would want to insure against this risk, or that an organization’s cyber risk profile would be incorporated into its corporate credit rating.
- The adoption of integrated silicon hardware “root of trust” and physically unclonable functions, coupled explicitly to cloud computing analytics, will continue to increase. Traditionally, software-based security protocols have been used to protect information systems, with the underlying hardware components assumed to be secure and trustworthy. That assumption no longer holds, and companies are forced to look for new ways to build in trust.
As the year progresses, we know we’ll see new forms of attack, but also new developments in defense. We’ll keep working to tilt the playing field to the defender’s advantage.
Michael Murray leads the Cyber Physical Systems team and the Industrial Internet of Things (IIoT) and Industrial Control Systems (ICS) ecosystem business at BlackRidge Technology. Prior to joining BlackRidge, Michael held several senior leadership roles at Analog Devices and, most recently, TDK, developing sensors, software and machine learning system solutions.