Cyberattacks have the potential to damage a country’s power grid, with their major goal being to cause widespread infrastructure failures. Concerns about cybersecurity therefore continue to be at the top of utilities’ agendas, driven by the increasingly interconnected nature of infrastructure and systems, and the growing number of attacks targeting utilities.
Technology trends in cybersecurity
Listed below are the key technology trends impacting the cybersecurity industry, as identified by GlobalData.
AI malware threats
Artificial intelligence (AI) plays a key role in defending against cyberattacks, but a growing concern is the prospect of AI being used offensively within malware. Hackers have already started using AI to accelerate malware, causing code to constantly change and thus making it more difficult to detect. Future AI techniques could allow hackers to bypass facial security and spam filters, promote fake voice commands, and bypass anomaly detection engines. Criminals mask their activities from security tools by blending in and posing as real users in the targeted organisation’s network, using stolen credentials, and running legitimate tools to dig through victims’ systems and data.
The manufacturing industry and power plants are being threatened by the convergence of operational technology (OT) and information technology (IT). Both were once separate networks, and the security risk was lower. Many IT and OT-related networks handle critical national infrastructure, such as power grids, and the impact of a breach, resulting from immature Internet of Things (IoT) technology, would be significant.
The cost of data breaches
The cost of data breaches continues to rise, and many affected organisations are unaware of the ultimate cost. Canadian financial services group Desjardins said the cost to it of a data breach in 2019 (in which an employee improperly collected information about customers and shared it with a third party) was $108m. It had originally estimated the cost would be $70m. A weighty penalty was also applied to hotel group Marriott for breaching the General Data Protection Regulation (GDPR). These fines have yet to be confirmed, which probably means both firms’ lawyers are working overtime to minimise the damage. In May 2020, EasyJet admitted a cyberattack had affected approximately nine million customers.
Cross-site scripting (XSS) was a prime cyberattack method in 2019, according to research by PreciseSecurity.com. XSS, in which an attacker aims to execute malicious scripts in a victim’s web browser, made up nearly 40% of all attacks logged by security researchers, with 75% of large companies across Europe and North America targeted during the year.
Attackers interact directly with an application’s processes, passing data designed to masquerade as legitimate application requests or commands through normal request channels such as scripts, URLs, and form data. There are three main ways to protect against XSS: sanitising user input such as GET requests and cookies, validating user input, and using a content security policy that helps define rules to block malicious content.
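The three defences listed above can be layered on a single reflected value. The following is an added example, not part of the GlobalData extract; the function names, the allow-list pattern and the policy string are illustrative assumptions.

```javascript
// Added example: validation, output encoding and a content security policy
// applied to one search term that a page echoes back to the user.

// 1. Validation: accept only what a search term can legitimately look like
//    (letters, digits, spaces and a little punctuation, at most 64 characters).
function validateQuery(q) {
  return typeof q === 'string' && q.length > 0 && q.length <= 64 &&
    /^[\p{L}\p{N} .,'-]+$/u.test(q);
}

// 2. Sanitising on output: encode the characters that act as markup in HTML
//    text and quoted attribute values. Still needed after validation, because
//    the allow-list lets an apostrophe through.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// 3. Content security policy: scripts load only from the site's own origin and
//    inline script is not allowed, so markup that slips past 1 and 2 does not run.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Hypothetical handler: returns the response a server would send for ?q=...
function renderSearchPage(q) {
  const headers = {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': CSP,
  };
  if (!validateQuery(q)) {
    return { status: 400, headers, body: '<p>Invalid search term.</p>' };
  }
  return { status: 200, headers, body: `<p>Results for "${escapeHtml(q)}"</p>` };
}

// Constructed sample inputs: one legitimate term, one carrying markup.
for (const q of ["O'Brien", '<script>alert(1)</script>']) {
  const res = renderSearchPage(q);
  console.log(res.status, res.body);
}
```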
The end of passwords?
Apple’s decision to join the Fast Identity Online (FIDO) Alliance in February 2020 may help reduce the use of passwords. The addition of Apple means that all the main platform providers are now members of the alliance. FIDO hopes to address the problems associated with passwords by providing a set of standards for simple, yet strong, authentication. Despite today’s sophisticated cyberattacks, safety mechanisms, notably passwords, remain stuck in the past, meaning attacks are easy to launch.
Supply chain breaches
Large organisations are at constant risk of cyberattacks, which are increasingly being launched through the supply chain. A 2019 report from VMware Carbon Black claimed that 50% of attacks adopt a technique called island hopping, in which attackers target not only the main organisation but also the networks of any other organisation in that company’s supply chain.
Supply chain attacks are increasing, with the hacking group collective Magecart increasingly involved. Online shopping cart systems, notably the Magento platform, have been targeted by groups stealing customer payment card information.
CISOs must know their business better
Cyberattacks by activists are helping drive a sea change in chief information security officers’ (CISOs’) relations with their companies’ senior executives. According to EY’s Global Information Security Survey, about a fifth of attacks (21%) come from so-called hacktivists or tech-enabled political and social activists, which is second only to attacks from organised crime groups (23%). The increase in activist attacks has direct implications for CISOs because they are regarded as being too reactive and compliance-driven. According to EY’s Global Board Risk Survey, only 20% of boards are confident that the cybersecurity team is effective.
The CISO and the cybersecurity team must have a deeper understanding of the business environment and be better business-aligned, both to win the confidence of boards and to secure the resources needed to protect their company. EY’s research shows that 59% of organisations say the relationship between the cybersecurity team and the lines of business is at best neutral and, in some cases, non-existent.
Many chief information officers (CIOs) accept that old-style perimeter-based security architectures are insufficient to defend against attacks. Adopting a zero trust environment can be a critical defence against such targeted attacks, but it is not easy. Google took six years to migrate its staff to a zero trust framework. For the time being, firms will continue to use virtual private networks (VPNs), especially with many employees working from home in response to COVID-19.
Malware authors are starting to pack and build their attack payloads in such a way as to evade AI defences. Attackers have begun packing larger samples with a significant amount of commodity libraries and benign code, accompanied by a tiny percentage – sometimes less than 1% – of malicious payload, or code with malicious intent. The intention is to bias the package by including so much benign code or common software that a machine learning (ML) algorithm will let it through.
This is an edited extract from the Cybersecurity in Power – Thematic Research report produced by GlobalData Thematic Research.