Industry executives and experts share their predictions for 2022. Read them in this 14th annual VMblog.com series exclusive.
Security in 2022 - more spending, more integration, more problems in operational technology
By Paul Baird, CTSO UK, Qualys
Based on CVE Details, 2021 will see the most software vulnerabilities discovered
so far, from small issues in niche software packages through to critical
problems that affected millions of IT assets. At the same time, companies had
to manage security across remote devices, cloud services and traditional IT
platforms during the upheavals caused by the COVID-19 pandemic.
In 2022, companies will have to update their
processes to manage security. As part of this, the IT security team will take
on more responsibility for other areas of technology.
Remote work first to put emphasis on asset management process changes
When the pandemic began and we all rushed to
remote working, IT teams understandably went into overdrive. Many organisations
had to make changes to their security working practices, while employees
purchased new hardware or software to work remotely. In this panic, any prior
asset inventory programme went out the window. IT Operations and IT Security
teams lost all visibility of what existed as those assets were no longer on the
corporate network. Overall security posture suffered as a result.
Today, employees have settled into the routine
of remote working. However, companies are still mainly in the same firefighting
mode when it comes to security, rather than treating this as now
‘business as usual’. A good example of this is asset management - IT teams
found traditional asset inventory challenging even when everything was in the
office. Sticking to those traditional ways now that everything is scattered across
home offices and a wide range of locations? It is almost impossible.
Without that up to date asset inventory to
show what endpoints exist, which ones are still on the corporate network, what
devices exist remotely, and the level of security they each have, organisations
will fall at the first hurdle of basic security hygiene in 2022. Many teams have
been putting this off as they expect to go ‘back to normal’, but this is not
going to happen. Instead, teams have to rethink their strategies and processes
so they can support employees working remotely first, and then apply the same
approach to office locations.
Asset inventories are accurate ... now what?
This new emphasis on managing assets
everywhere consistently and continuously is the goal that all security teams
aim to achieve. However, real world organisational design and responsibilities
can hold teams back. In 2022, the change to remote work will mean that the
processes around managing updates and deploying patches will have to be updated
as well.
This is less about the technology side and
more about how teams collaborate to manage patching and updates across
operations. For larger enterprises, this can be difficult when there are
multiple teams involved, different business units to manage, and many
different stakeholders with an interest in the outcome.
One way that companies will change this is by
looking at the incentives that exist around IT and the business. For example,
making security a business priority is something that has been discussed for
years, even decades. The rise of ransomware attacks - and the large costs
associated with them - will force companies to address this area, and boards
will put more goals in place to ensure their systems are secure. Making
business unit leaders responsible for areas like updates being deployed
successfully supports that business risk management approach.
Operational technology will have to catch up with IT security
This year, Gartner predicted that we'll see
cyberattackers weaponising operational technology (OT) environments to
successfully harm humans by 2025. I fear that this will happen much sooner in
2022. In 2021, a newborn baby died during a ransomware attack on a US hospital
that took down the entire IT estate. More attacks that target OT systems will
take place, and they will affect critical infrastructure if those systems are
not protected adequately.
The challenge here is that OT environments
tend to run on old technology. These assets are expensive and have to last for
years; many of them have known security issues that have not been fixed, either
because stopping a production line to apply a patch can cost thousands or
millions in lost productivity, or because no patch exists at all once the
equipment is End of Life.
The traditional approach to protecting these
systems has relied on air gapping - running on entirely separate networks that
are not connected to the public Internet. However, this is no longer an option.
Companies want data from their systems in real time, in order to compete with
other players in the market, so more OT networks are being connected despite
those risks. At the same time, researchers have found more attack frameworks
aimed at bridging those air gaps too, so sticking with traditional security
models alone is not enough.
Perhaps the biggest issue is that for years OT
has been kept entirely separate from the IT function, so most IT teams have been
grappling to even understand what is in use and what threats exist. In
practice, OT security is a decade behind IT security in best practice design
and processes. In 2022, the thirst for more data and the risk of attacks will
force more investment to improve OT security.
IT Security teams will be asked to lead on
this, as they have the best understanding of the modern threat landscape.
However, making this work in practice will involve all teams collaborating with
each other effectively. The work here will be hard, and it will depend on
having full oversight of all the assets that are getting connected - from cloud
and containers that can be updated in seconds through to those OT assets that
have been in place for years, and that won't change in the near future.
Setting out the right security processes and
practices that take all those assets into account will involve getting the
right risk management approach in place. It won't be possible to apply the same
approach everywhere, and prioritisation will be critical in order to make this
a success. However, it will be necessary work in order to prevent another
situation like the Capital Pipeline shutdown or healthcare organisation attacks
from recurring.
Ransomware will affect more companies with
their OT assets in 2022. Cyber insurance providers are dialing back their
coverage around ransomware attacks, so companies will not be able to rely on
these policies to cover paying out. Instead, companies will have to acknowledge
the business risks and fix them, rather than just accepting them on a risk
register and hoping that a breach won't happen.
ABOUT THE AUTHOR
Paul Baird is CTSO UK for global cloud
security company Qualys. He brings more than twenty years of experience to Qualys,
and his last role was as Head of Global Cyber Security Operations for Jaguar
Land Rover. He is interested in the cross-over between IT and operational
technology security, as well as how to help IT security teams implement better
practices.