2022 Cyber Predictions: Critical Infrastructure Attacks will Increase at Inopportune Times

This is part of our cyber predictions series. We heard from top cyber leaders on what the new year could bring for cyber.

Syed Belal, Director, Cybersecurity Consulting Services at Hexagon PPM:

Critical Infrastructure Attacks will Increase and at the Most Inopportune Times

Pipelines, meat producers, grain cooperatives, oh my! Hackers got hungry in 2021 and critical infrastructure seemed to be their main entree. The Colonial Pipeline hack made everyday citizens aware of just how large a real-world impact cyber attacks can have. Attacks on JBS and New Cooperative demonstrated how critical resources that keep entire industries alive can go under if a single endpoint is vulnerable. Despite government action such as the DOE’s 100-day Action Plan and TSA’s Pipeline Directive, it’s unrealistic to think that hackers are going to be scared out of attacking critical infrastructure in the future. I predict that entities large and small will be hit, specifically over major holidays when folks aren’t attending to their networks as closely as usual and recovery abilities are handicapped.

A Legitimate OT Cybersecurity Regulation (Not a Standard) Will Be Passed in 2022

The Biden Administration’s efforts over the past 6 months to improve critical infrastructure and its security show immense promise. We’ve seen increased funding in the billions and general heightened awareness that the systems that quite literally keep our country running are extremely attractive to adversaries. One thing we haven’t seen? An actual regulation for critical infrastructure companies to improve their cybersecurity. Yes, we’ve seen standards...but those aren’t mandatory. It’s quite possible with the momentum we’re seeing now that the government could pass a regulation or two in 2022 for critical infrastructure security.

Smaller Power Generation and Utilities will be Increasingly Targeted

Utilities and the electric sector have long been targets for attackers, but what most don’t realize is how vulnerable smaller entities are. Yes, hackers are likely actively trying to shut down the entire power grid as we speak, but attacks on smaller targets are often more successful. Smaller, more regional players typically have less mature programs in place and lack the resources they need to have a strong security posture. In 2022, I predict we’ll see smaller entities in major headlines, potentially (yet, hopefully not) with some type of human cost, and possibly see state and local governments waking up to the reality that cybersecurity should be a top-of-mind topic in executive-level discussions.

Zero Trust Won’t Make its Way to ICS/OT… Yet

Zero Trust is based on three key concepts:

  1. All resources are accessed securely regardless of location. This implies that no device, user or application is trusted by default, on the assumption that threats are present both inside and outside the OT/ICS network.

  2. Adopt a least privilege strategy and strictly enforce access control. In other words, disable all the services/ports/protocols that are not required for the user’s job responsibility.

  3. Inspect and log all OT/ICS network traffic.

To achieve the above three key concepts, continuous adaptive risk and trust assessment of the OT network is needed, which includes but is not limited to:

  • 100% OT/ICS endpoints discovery, visibility, and control

  • Ability to manage agentless IIoT devices and cyber OT systems

  • Micro-segmentation to limit lateral movement through IT/ICS networks and contain breaches

  • Continuous logging (SIEM), monitoring (IDS), assessment, and remediation of OT cybersecurity risk

The goal is clear: OT/ICS needs to adopt a Zero Trust strategy. However, adopting it will take some time. First, traditional approaches to micro-segmentation pose significant limitations that impact its effectiveness and adoption. Second, least privilege in OT/ICS is limited to users: there are OT/ICS devices and applications that are designed to run with administrator privilege and were not designed with the principle of least privilege in mind. Finally, inspecting and blocking suspicious traffic produces a high number of false positives and may block legitimate traffic, which impacts business availability.
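As an added example (not from the article or Hexagon PPM), the Python sketch below turns concepts 2 and 3 and the micro-segmentation bullet into a least-privilege allow-list evaluated over constructed OT flows; the segment addresses, rules and sample flows are hypothetical. Its monitor mode (alert, never block) is one way to address the false-positive caveat in the last paragraph before enforcement is switched on.

```python
from ipaddress import ip_address, ip_network

# Constructed segment layout (hypothetical addresses, not from the article).
SEGMENTS = {
    "eng_ws":    ip_network("10.10.1.0/24"),    # engineering workstations
    "plc":       ip_network("10.10.20.0/24"),   # controllers
    "historian": ip_network("10.10.30.0/24"),   # process historian
    "it_lan":    ip_network("192.168.0.0/16"),  # corporate IT
}

# Least-privilege allow-list: (src segment, dst segment, proto, dst port) a role needs.
# Everything else (SMB to a PLC, any IT-to-PLC flow) is a violation.
ALLOW = {
    ("eng_ws", "plc", "tcp", 502),     # Modbus/TCP programming and reads
    ("historian", "plc", "tcp", 502),  # historian polling
}

def segment_of(ip):
    """Map an address to its segment, or 'unknown' if outside every segment."""
    addr = ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "unknown")

def evaluate(flow, enforce=False):
    """Check one (src_ip, dst_ip, proto, dst_port) flow; return (verdict, log line).
    With enforce=False a violation is only alerted, never blocked, so a false
    positive cannot stop production traffic; every flow is logged either way."""
    src, dst, proto, port = flow
    key = (segment_of(src), segment_of(dst), proto, port)
    verdict = "allow" if key in ALLOW else ("deny" if enforce else "alert")
    return verdict, f"{verdict.upper()} {src}->{dst} {proto}/{port} {key[0]}->{key[1]}"

def audit(flows, enforce=False):
    """Evaluate a batch of flows; return verdict counts and the full log."""
    counts, log = {"allow": 0, "alert": 0, "deny": 0}, []
    for flow in flows:
        verdict, line = evaluate(flow, enforce)
        counts[verdict] += 1
        log.append(line)
    return counts, log

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.20.7", "tcp", 502),    # engineer programming a PLC
    ("10.10.30.2", "10.10.20.7", "tcp", 502),   # historian poll
    ("192.168.5.9", "10.10.20.7", "tcp", 502),  # IT host reaching a PLC
    ("10.10.1.5", "10.10.20.7", "tcp", 445),    # SMB to a PLC: not a required service
]
if __name__ == "__main__":
    counts, log = audit(SAMPLE_FLOWS)  # monitor mode: 2 allow, 2 alert
    print("\n".join(log), counts)
```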