2020 was a “transformative” year, a year of adaptability and tackling new challenges. As we worked with organizations to deploy mission-critical data security, cryptography was comparatively stable. What cryptographic trends will gain traction in 2021?
The cloud will play a bigger role, especially in financial services
The movement toward broad acceptance of cloud-based encryption and key management will accelerate as more of the pieces come together. Organizations have become more aggressive with the cloud, especially financial services organizations that are moving toward payment processing in the cloud.
Cloud providers are offering more robust and flexible security to meet the demands of organizations who want to retain control of the keys and avoid being vendor locked. Cloud providers have been listening to enterprises about their concerns around data security practices and are making forward strides with data access, key management, and data retention policies.
Homomorphic encryption will be part of your vocabulary
Homomorphic encryption allows for data to remain encrypted while it is being processed and manipulated. Homomorphic encryption could be used to secure data stored in the cloud or in transit. This gives organizations the ability to use data — such as doing analytics on your customer base — without compromising the integrity of the data as a whole.
BYOE adoption will increase
Bring Your Own Encryption (BYOE) will increase. BYOE is the next evolution of organizations being able to determine the level of control they want when it comes to managing their data security policies.
For example, what happens if an organization gets subpoenaed and its cloud provider turns its files over to the authorities? If the organization controlled its keys and could do client-side encryption on-premises, the data would be useless to anyone without those keys. There will likely be a big catalyst event whereby a company goes, “Whoa — what do you mean, a third party can release my information over to a legal authority?”
Encryption + key management, critical with shorter certificate lifecycles
Organizations need both encryption and key management to be tighter than ever. As the industry moves to one-year certificates, organizations are managing shorter digital certificate schedules. It’s more important than ever to keep track of expiration dates, and automation will play a big role.
To improve their security postures, organizations will emphasize bringing key management up to the same level as their encryption programs. What happens if you have deployed good policies and good encryption, but poor key management?
Cryptography will be significant in DevSecOps, especially for code signing
Getting tools that DevOps needs to secure its infrastructure — without slowing it down — will be critical. Looking at key management, hardware security modules (HSMs), crypto, and third-party monitoring tools, organizations will emphasize giving DevOps teams what they need to integrate security and quickly identify and troubleshoot problem areas.
The goal will be to take away the pain points while expanding the use of encryption within the organization. When it comes to code signing, HSMs play a critical role. Code signing certificates, secure key generation, and certificate storage should be centralized and automated, natively integrating with CI/CD systems.
Manufacturers of long-term devices to embrace crypto agility
There has been a lot of talk in 2020 about quantum computers breaking current cryptography. In 2021, manufacturers of devices — satellites, cars, weapons, medical devices — that will be used for 10 to 20 years will be smart to embrace quantum-safe cryptography. A crypto-agile solution could entail implementing hybrid certificates: signing them with conventional asymmetric cryptography now but incorporating enough flexibility so they will transition smoothly to counteract the quantum computing threat when the time comes.
Whether it’s the cloud and organizations retaining control of the keys, BYOE and homomorphic encryption, DevSecOps embracing cryptography, or hybrid certificates for crypto agility, two themes stand out:
- Encryption and key management: you can’t have one without the other
- Shorter certificate lifecycles require more attention to key management than ever
We’re in for an exciting year ahead!
TrapX Security and Enterprise Strategy Group (ESG) have released the findings of a study that surveyed 150 cyber and IT professionals directly involved in security strategy, control and operations within manufacturing organizations about their current and future concerns.
Manufacturing industry under threat
The research findings point to an industry whose security teams are seeing the IT and OT environments converging at a rapid pace. Yet manufacturing organizations are struggling to safeguard OT assets because they are using the same tools to protect OT that they use for their IT infrastructure.
As a result, IT teams can’t keep up with growing volumes of security data or the increasing number of security alerts. They lack the right level of visibility and threat intelligence analysis and don’t have the right staff and skills to handle the cybersecurity workload.
Consequently, business operations are being disrupted and cyber-risk is increasing: more than half of the manufacturing organizations surveyed have experienced some type of cybersecurity incident on their OT systems in the last 12 months, taking weeks or months to remediate.
IT and OT convergence best practice for manufacturers
Manufacturing organizations have large and growing investments in IT and OT technology to combat a rising threat landscape and achieve more agile business processes. As the research reveals, IT and OT integration is fast becoming a best practice.
49% of organizations say that IT and OT infrastructure are tightly integrated while another 45% claim that there is some integration. This integration will only increase as 77% of respondents expect further IT and OT infrastructure convergence in the future.
However, only 41% of organizations employ an IT security team with dedicated OT specialists, while 32% rely on their IT security team alone to protect OT assets. 58% use network technology tactics like IP ranges, VLANs, or microsegmentation to segment IT and OT network traffic.
24% of organizations simply use one common network for IT and OT communications, reducing the visibility and response required for OT-focused attacks.
Common tools and staff may make operational sense, but deploying a plethora of IT security technologies to counter OT-specific threats leaves IT teams unprepared and vulnerable to attack.
As illustrated through this research, IT teams are repeatedly overwhelmed by the growing volumes of security data, visibility gaps, and a lack of staff and skills.
IT teams overwhelmed by volumes of security data
Security teams are getting challenged by the growing volumes of security data, and the increasing number of security alerts. 53% believe that their security operations workload exceeds staff capacity.
37% admitted they must improve their ability to adjust security controls. 58% of surveyed organizations agreed that threat detection and response has grown more difficult.
When asked to provide additional detail on the specific nature of that growing complexity, 45% say they are collecting and processing more security telemetry and 43% say that the volume of security alerts has increased.
Manufacturers are still working in the dark, though, with 44% citing evolving and changing threats as making threat detection and response more difficult; this is particularly true as threat actors take advantage of the “fog” of COVID-19.
“The research illustrates a potentially dangerous imbalance between existing security controls and staff capabilities, and a need for more specialized and effective safeguards,” said Jon Oltsik, ESG Senior Principal Analyst and Fellow.
“Manufacturing organizations are consolidating their IT and OT environments to achieve economies of scale and enable new types of business processes. Unfortunately, this advancement carries the growing risk of disruptive cyber-attacks.
“While organizations have deployed numerous technologies for threat detection and response, the data indicates that they are overwhelmed by growing volumes of security data, visibility gaps, and a lack of staff and skills.
“Since they can’t address these challenges with more tools or staff, CISOs really need to seek out more creative approaches for threat detection and response.”
Manufacturing lacks the visibility needed for effective threat detection
As the IT/OT attack surface grows, security teams are spread thinner as they try to keep pace with operations tasks such as threat detection, investigation, incident response, and risk mitigation.
53% agreed that their organization’s OT infrastructure is vulnerable to some type of cyber-attack, while the same number stated that they had already suffered some type of cyber-attack or other security incident in the last 12-24 months that impacted their OT infrastructure.
When asked how long it typically takes for their firm to recover from a cyber-attack, 47% of respondents said between one week and one month, resulting in significant and potentially costly downtime for critical systems.
Manufacturing organizations lack the visibility needed for effective threat detection and response – especially regarding OT assets. Consequently, additional security complexity is unacceptable – any new investments they make must help them simplify security processes and get more out of existing tools and staff.
37% said they must improve their ability to see malicious OT activity, 36% say they must improve their ability to understand OT-focused threat intelligence and 35% believe they must improve their ability to effectively patch vulnerable OT assets.
44% of respondents highlighted deception technology’s invaluable role in helping with threat research, and 56% said that deception technology can be used for threat detection purposes.
55% of the manufacturing organizations surveyed use deception technology today, yet 44% have not made the connection between deception technology and increased attack visibility.
“This research shows that manufacturing organizations are experiencing real challenges when it comes to threat detection and response, particularly for specialized OT assets that are critical for business operations,” said Ori Bach, CEO of TrapX Security.
“This data, and our own experience working with innovators in all sectors of manufacturing, demonstrate there is a clear need for solutions like deception, which can improve cyber defenses and reduce downtime without the need to install agents or disrupt existing security systems and operations.”
The global number of industrial IoT connections will increase from 17.7 billion in 2020 to 36.8 billion in 2025, representing an overall growth rate of 107%, Juniper Research found.
The research identified smart manufacturing as a key growth sector of the industrial IoT market over the next five years, accounting for 22 billion connections by 2025.
The research predicted that 5G and LPWA (Low Power Wide Area) networks will play pivotal roles in creating attractive service offerings to the manufacturing industry, and enabling the realisation of the ‘smart factory’ concept, in which real-time data transmission and high connection densities allow highly-autonomous operations for manufacturers.
5G to maximise benefits of smart factories
The report identified private 5G services as crucial to maximising the value of a smart factory to service users, by leveraging the technology to enable superior levels of autonomy amongst operations.
It found that private 5G networks will prove most valuable when used for the transmission of large amounts of data in environments with a high density of connections, and where significant levels of data are generated. In turn, this will enable large-scale manufacturers to reduce operational spend through efficiency gains.
Software revenue to dominate industrial IoT market value
The research forecasts that over 80% of global industrial IoT market value will be attributable to software spend by 2025, reaching $216 billion. Software tools leveraging machine learning for enhanced data analysis and the identification of network vulnerabilities are now essential to connected manufacturing operations.
Research author Scarlett Woodford noted: “Manufacturers must exercise caution when implementing IoT technology, resisting the temptation to introduce connectivity to all aspects of operations. Instead, manufacturers must focus on the collection of data on the most valuable areas to drive efficiency gains.”
Azure Defender for IoT – Microsoft’s new security solution for discovering unmanaged IoT/OT assets and IoT/OT vulnerabilities – is now in public preview and can be put to the test free of charge.
The solution can alert administrators about unauthorized devices connected to the network and unauthorized connections to the internet, changes to firmware versions, potentially malicious commands, illegal DNP3 operations, known malware, unauthorized SMB logins, and more.
About Azure Defender for IoT
“As industrial and critical infrastructure organizations implement digital transformation, the number of networked IoT and Operational Technology (OT) devices has greatly proliferated. Many of these devices lack visibility by IT teams and are often unpatched and misconfigured, making them soft targets for adversaries looking to pivot deeper into corporate networks,” Phil Neray, Director of Azure IoT Security Strategy at Microsoft, explained.
Azure Defender for IoT enables agentless IoT/OT asset discovery, vulnerability management, and continuous threat monitoring.
The solution can be deployed on-premises and can be integrated with (i.e., send data/alerts to) Azure Sentinel, Microsoft’s cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. It can also be deployed without sending any data to Azure.
After being connected to the existing network, the solution uses IoT/OT-aware behavioral analytics and machine learning to eliminate the need to configure any rules, signatures, or other static IOCs, says Neray.
“To capture the traffic, it uses an on-premises network sensor deployed as a virtual or physical appliance connected to a SPAN port or tap. The sensor implements non-invasive passive monitoring with Network Traffic Analysis (NTA) and Layer 7 Deep Packet Inspection (DPI) to extract detailed IoT/OT information in real-time.”
Out-of-the-box integration with third-party IT security tools (e.g., Splunk, IBM QRadar, and ServiceNow) is available, and the solution works seamlessly with diverse automation equipment by Rockwell Automation, Schneider Electric, GE, Emerson, Siemens, Honeywell, ABB, Yokogawa, and so on.
Advanced hackers could leverage unconventional, new attack vectors to sabotage smart manufacturing environments, according to Trend Micro.
Industry 4.0 Lab, the system that Trend Micro analyzed during this research
“Past manufacturing cyber attacks have used traditional malware that can be stopped by regular network and endpoint protection. However, advanced attackers are likely to develop Operational Technology (OT) specific attacks designed to fly under the radar,” said Bill Malik, vice president of infrastructure strategies for Trend Micro.
“As our research shows, there are multiple vectors now exposed to such threats, which could result in major financial and reputational damage for Industry 4.0 businesses. The answer is IIoT-specific security designed to root out sophisticated, targeted threats.”
Smart manufacturing equipment relying on proprietary systems
Critical smart manufacturing equipment relies primarily on proprietary systems; however, these machines have the computing power of traditional IT systems. They are capable of much more than the purpose for which they are deployed, and attackers are able to exploit this power.
The computers primarily use proprietary languages to communicate, but just like with IT threats, the languages can be used to input malicious code, traverse through the network, or steal confidential information without being detected.
Though smart manufacturing systems are designed and deployed to be isolated, this seclusion is eroding as IT and OT converge. Due to the intended separation, there is a significant amount of trust built into the systems and therefore very few integrity checks to keep malicious activity out.
The systems and machines that could be taken advantage of include the manufacturing execution system (MES), human machine interfaces (HMIs), and customizable IIoT devices. These are potential weak links in the security chain and could be exploited in such a way as to damage produced goods, cause malfunctions, or alter workflows to manufacture defective products.
Defense and mitigation measures
- Deep packet inspection that supports OT protocols to identify anomalous payloads at the network level
- Integrity checks run regularly on endpoints to identify any altered software components
- Code-signing on IIoT devices to include dependencies such as third-party libraries
- Risk analysis to extend beyond physical safety to automation software
- Full chain of trust for data and software in smart manufacturing environments
- Detection tools to recognize vulnerable/malicious logic for complex manufacturing machines
- Sandboxing and privilege separation for software on industrial machines
Manufacturing facilities and processing centers using AutomationDirect C-more Touch Panels are advised to upgrade their firmware ASAP, as older versions contain a high-risk vulnerability (CVE-2020-6969) that may allow attackers to get account information such as usernames and passwords, obscure or manipulate process data, and lock out access to the device.
What are AutomationDirect C-more Touch Panels?
Manufactured by US-based AutomationDirect, the vulnerable C-more Touch Panels EA9 series are human-machine interfaces (HMIs) capable of communicating with a wide variety of programmable logic controllers (PLCs).
According to the recently published ICS-CERT advisory, they are deployed by commercial, critical manufacturing, energy, water and wastewater facilities around the world.
About the vulnerability (CVE-2020-6969)
CVE-2020-6969, reported by Joel Langill of Amentum Mission Engineering & Resilience, is a vulnerability that could allow attackers “to unmask credentials and other sensitive information on ‘unprotected’ project files, which may allow them to remotely access the system and manipulate system configurations.”
The vulnerability can be exploited remotely without authentication or user interaction, may affect confidentiality, integrity and availability of the system, and requires a low skill level to exploit.
The good news is that there are no known public exploits that specifically target this vulnerability, and that it has been fixed.
AutomationDirect advises users to upgrade to firmware version 6.53. Prior versions (v5.x and 6.x) are all vulnerable.
Control system devices and/or systems should, in general, not be accessible from the internet, CISA recommends, and control system networks and remote devices should be located behind firewalls and isolated from the business network.