When security issues shift from phishing and Trojans to things that explode in the night, they tend to get a lot of attention. Recent military action involving the United States and Iran has led many to speculate about possible cybersecurity repercussions, but experts question whether the threat landscape has actually changed.
"In the cyberworld, there's a war going on all the time," says Elad Ben-Meir, CEO of SCADAfence. "There are attempts of nation state-backed attacks happening all the time."
The Threat Landscape
"These players — Iran, China, and others — are always engaged," says Mark Testoni, CEO of SAP NS2. He says that threat actors are always probing and poking to see which opportunities are available and which data is visible. That constant probing in the cyber-realm marks a clear difference from the situation Testoni remembers from his youth.
"When we go back to when I was growing up in the Cold War era, the battlefields were pretty defined," Testoni says. "It was sea, land, air, and then space over time. Now the Internet is obviously one of those battlefields."
And for many executives and experts, businesses are on the battlefield whether or not they're a direct target. The question is not whether businesses are truly at risk to threats related to international sociopolitical affairs, but rather, what sort of risks? What does that overall threat landscape look like to corporations?
Attacks from Different Directions
"Two weeks ago, I would have said probably the biggest immediate risk is by criminal organizations," says Peter Corraro, cyber governance manager at Wärsilä. Those criminal organizations have an ultimate, straightforward goal: They want to extract data or behavior from the company that can be converted to money.
Nation-state sponsored attacks, on the other hand, "… are going to be more specific, not necessarily financially focused, but looking to impact the organization they're attacking along some other line, whether that's to cause panic or to make a statement," Corraro says.
Making a statement can mean attacking different targets than most criminals might have in their sights. "I think it's well-documented that Chinese actors, among the many things they are looking for is intellectual property [sic]," says Testoni. Other actors, he points out, could have aims that include the large-scale economic disruption that might result from DDoS attacks against financial services institutions.
Outside traditional IT targets, "Industrial infrastructure worldwide is vulnerable to cyberattack and most industrial environments are underprepared for defending themselves. This not only applies to Iran but around the world," says Sergio Caltagirone, vice president of threat Intelligence at Dragos. These industrial targets are vulnerable — and their vulnerability could have wide-ranging impacts.
"All it takes is one or two systems that aren't protected or that haven't been patched, and the attackers will wreak whatever type of havoc they have at their disposal," says Jason Kent, hacker in residence at Cequence Security. The havoc could extend well beyond the shop floor, too.
"You need to remember that every IoT device is part of your network and may be the gateway of choice of the attacker to penetrate your network," says Natali Tshuva, CEO of Sternum Security.
(continued on next page: The positive side)
Defending the Enterprise
The scramble to prepare can have positive consequences, whether or not the anticipated attack takes place.
"The 2012 Disttrack attack against Saudi Aramco, which devastated that company and put all of Saudi Arabia on its heels for half a year, led to the better successful defense of Bahrain," says Roger A. Grimes, data-driven defense evangelist at KnowBe4. "Before the Saudi Aramco attack, Middle East computer security was worse than poor. It was almost nonexistent. But losing 32,000 computers, servers, and workstations in one of the world's first nation-state attacks and the shutting down of the No. 1 wealth producer for the country has a way of creating focus."
With focus applied, Sternum Security's Tshuva says that layers of security are critical for protecting both IT and OT infrastructures. "A lot of enterprises and organizations are focusing on network security solutions to secure the network and another layer of security embedded into each and every device," she says.
Specific layers will vary according to industry. Cequence Security's Kent gives the example of the electrical grid and its member providers as an industry with specific guidelines. "So long as each of these organizations have tightened security to the NERC-CIP [North American Electric Reliability Corp. critical infrastructure protection] standards that govern the security of the grid, they should have implemented key security layers," he says.
And the layers for industry can't be confined to technology, SAP NS2's Testoni says. "Cybersecurity is cultural," he explains. "It needs to be recognized that technologies are tools in the battle, but they aren't the battle."
The security culture needs to extend to the C-suite and the executive board, Testoni says. In fact, he says he can see a day when companies are evaluated on their cybersecurity and resilience just as they are evaluated for their financial statements.
"The fact that our lives are now very dependent on cyberspace means that we have a virtual profile of ourselves on the Internet, in cyberspace, and we're exposed just as much as we are in the physical world," SCADAfence's Ben-Meir says.
And just as in the physical world, challenges should be thought of as opportunities. "I think we have to evolve the debate from whether we do cyber in organisations to how we can create value from it," Testoni says.
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio