Going forward, the hyperconnected smart society will likely face increased cyber risks on multiple global fronts via numerous evolving threat vectors. Clearly, the technological advances powering business, communications and entertainment bring with them new perils. In this report, we’ve explored such timely topics as the evolving security team, automating the security function, data privacy and securing the ecosystem. Now, we take a look at several emerging cyber security challenges. While none of these topics are new, we believe they’ll soon become major areas of focus for cyber professionals across virtually every industrial sector.
IIoT
As the Industrial Internet of Things (IIoT) continues to expand, millions, if not billions, of cloud-based sensors, machines, and other connected devices may potentially become vulnerable entry points for cyberattackers. The urgency from a cyber perspective is that, in the rush to innovate, the software used in these hyperconnected systems often doesn’t include the appropriate risk management controls.
Clearly, IIoT is creating a new set of attack surfaces. Although manufacturers’ priorities are changing, to this point, the architectural design of sensors in connection with, for example, air quality, traffic, waste management and the overall energy grid, may not have fully addressed security. There can be major operational constraints on individual devices regarding power and weight limitations that can get in the way of embedding controls, but infrastructure security simply cannot be an afterthought.
Organizations should expect to focus on how deeply security is embedded within the products that enable the IIoT and the way these devices are leveraged within the broader ecosystem. With regards to strategically deploying those products across an enterprise or smart city environment, you're talking about a much broader range of people, policies, procedures and technologies, as well as considerations such as anomaly monitoring, identity management, zero trust and more. Going forward, we believe IIoT should be viewed as a component of a broader ecosystem of solutions that ultimately constitute an overarching security posture.
5G networks
The prospective connectivity capabilities made possible by emerging applications sitting on 5G networks is exciting. But these software-based connected ecosystems should prioritize not only technical innovation, but also the security of the devices that can facilitate these connections.
A 5G network is fundamentally different from 4G in terms of speed, bandwidth, latency and overall sophistication. Of course, 5G is going to enable massive connectivity advances, but it also brings a different set of security challenges and requires highly sophisticated security architecture, monitoring and controls. Some of those concerns play into the geopolitical supply chain tensions that exist today regarding the sourcing of key technology components and infrastructure.
It also begs a question about trust. With 5G, cyber professionals will likely be in a position where millions of devices, each with its own digital identity, may be connecting simultaneously in untrusted environments characterized by very fluid connection architectures. In our opinion, this air of unpredictability suggests organizations should assume an ongoing zero-trust mindset and an authentication architecture that is flexible and adaptable to these new dependencies and resilience issues.
AI
Already a burgeoning area, AI — ML and deep learning in particular — will likely remain a captivating topic going forward.
Clearly, securing learning AI applications is a very different challenge to securing conventional systems. There are so many questions: Is the software operating within its trained parameters? How much unconscious bias is present? Is the application being manipulated by a bad actor or adversarial AI in an effort to compromise sensitive information? Looking ahead, cyber professionals may also have to think about the integrity, predictability and acceptability of the AI application within the context of the operating environment for which it's been trained and designed. In this sphere, CISOs and their teams should expect to build strong partnerships with the Chief Technology Officer and their data science team. As a security matter, this is new territory.
In the near future, cyberattackers will likely also make use of robotic process automation, ML and deep learning. Probing and testing the vulnerabilities and defenses of a professional environment may soon be as easily automated as constructing spam campaigns or compromising email. Attackers are using AI, but they don't have boundaries. In the short term, criminals are more likely to have an upper hand in leveraging AI to industrialize attacks. It's already happening and will likely continue.
Today society lives and does business in a digital world of data, devices and dependency. Trust is placed — knowingly or unknowingly — in technology in a way that would be unthinkable a decade ago, which raises questions of security, safety, privacy and even ethics. Security professionals should navigate this new reality, helping business leaders understand the implications of placing trust in technology and its resilience, while simultaneously anticipating how that technology might be exploited by others. This can bring a different and valuable perspective, but there is also a duty to offer advice that is pragmatic and practical.
There are numerous liability issues around AI. Legal frameworks are phenomenally immature and regulatory initiatives abound. It may take time for cyber security professionals to appreciate the implications, while cybercriminals will likely be more entrepreneurial.
It’s a vicious cycle, where every new technology expands the threat landscape, and it prompts rounds of cyber innovation to help improve defense capabilities. Is this race the only way to operate? I think embedding security in every aspect of IT, OT, every related process and procedure at the DNA-level of an enterprise is the inevitable future and the only way out.
Explore more cyber considerations from this report