Virtualization Technology News and Information
Qualys 2022 Predictions: Security in 2022 - more spending, more integration, more problems in operational technology


Industry executives and experts share their predictions for 2022. Read them in this 14th annual VMblog.com series exclusive.

Security in 2022 - more spending, more integration, more problems in operational technology

By Paul Baird, CTSO UK, Qualys

Based on CVE Details, 2021 will see the most software vulnerabilities discovered so far, from small issues in niche software packages through to critical problems that affected millions of IT assets. At the same time, companies had to manage security across remote devices, cloud services and traditional IT platforms during the upheavals caused by the COVID-19 pandemic.

In 2022, companies will have to update their processes to manage security. As part of this, the IT security team will take on more responsibility for other areas of technology.

Remote work first to put emphasis on asset management process changes

When the pandemic began and we all rushed to remote working, IT teams understandably went into overdrive. Many organisations had to make changes to their security working practices, while employees purchased new hardware or software to work remotely. In this panic, any prior asset inventory programme went out the window. IT Operations and IT Security teams lost all visibility of what existed as those assets were no longer on the corporate network. Overall security posture suffered as a result.

Today, employees have settled into the routine of remote working. However, companies are still mainly in the same firefighting mode when it comes to security, rather than treating this as now 'business as usual'. A good example of this is asset management: IT teams found traditional asset inventory challenging when everything was in the office. Sticking to those traditional ways now that everything is scattered across home offices and a wide range of locations is almost impossible.

Without that up-to-date asset inventory to show what endpoints exist, which ones are still on the corporate network, what devices exist remotely, and the level of security they each have, organisations will fall at the first hurdle of basic security hygiene in 2022. Many teams have been putting this off as they expect to go 'back to normal', but this is not going to happen. Instead, teams have to rethink their strategies and processes so they can support employees working remotely first, and then apply the same approach to office locations.

Asset inventories are accurate ... now what?

This new emphasis on managing assets everywhere consistently and continuously is the goal that all security teams aim to achieve. However, real world organisational design and responsibilities can hold teams back. In 2022, the change to remote work will mean that the processes around managing updates and deploying patches will have to be updated as well.

This is less about the technology and more about how teams collaborate to manage patching and updates across operations. For larger enterprises, this can be difficult when there are multiple teams, different business units to manage, and different stakeholders involved.

One way that companies will change this is by looking at the incentives that exist around IT and the business. For example, making security a business priority is something that has been discussed for years, even decades. The rise of ransomware attacks - and the large costs associated with them - will force companies to address this area, and boards will put more goals in place to ensure their systems are secure. Making business unit leaders responsible for areas like updates being deployed successfully supports that business risk management approach.

Operational technology will have to catch up with IT security

This year, Gartner predicted that we'll see cyberattackers weaponising operational technology (OT) environments to successfully harm humans by 2025. I fear that this will happen much sooner in 2022. In 2021, a newborn baby died during a ransomware attack on a US hospital that took down the entire IT estate. More attacks that target OT systems will take place, and they will affect critical infrastructure if those systems are not protected adequately.

The challenge here is that OT environments tend to run on old technology. These assets are expensive and have to last for years; many of them have known security issues that have not had fixes applied, as stopping a production line to apply a patch can cost thousands or millions in lost productivity. Equally, there may be no patch for issues when equipment is End of Life.

The traditional approach to protecting these systems has relied on air gapping - running on entirely separate networks that are not connected to the public Internet. However, this is no longer an option. Companies want data from their systems in real time, in order to compete with other players in the market, so more OT networks are being connected despite those risks. At the same time, researchers have found more attack frameworks aimed at bridging those air gaps too, so sticking with traditional security models alone is not enough.

Perhaps the biggest issue is that for years OT has been kept entirely separate from the IT function, so most IT teams have struggled even to understand what is in use and what threats exist. In practice, OT security is a decade behind IT security in best practice design and processes. In 2022, the thirst for more data and the risk of attacks will force more investment to improve OT security.

IT Security teams will be asked to lead on this, as they have the best understanding of the modern threat landscape. However, making this work in practice will involve all teams collaborating with each other effectively. The work here will be hard, and it will depend on having full oversight of all the assets that are getting connected - from cloud and containers that can be updated in seconds through to those OT assets that have been in place for years, and that won't change in the near future.

Setting out the right security processes and practices that take all those assets into account will involve getting the right risk management approach in place. It won't be possible to apply the same approach everywhere, and prioritisation will be critical in order to make this a success. However, it will be necessary work in order to prevent another situation like the Capital Pipeline shutdown or healthcare organisation attacks from recurring.

Ransomware will affect more companies with their OT assets in 2022. Cyber insurance providers are dialing back their coverage around ransomware attacks, so companies will not be able to rely on these policies to cover paying out. Instead, companies will have to acknowledge the business risks and fix them, rather than just accepting them on a risk register and hoping that a breach won't happen.

##

ABOUT THE AUTHOR

Paul Baird 

Paul Baird is CTSO UK for global cloud security company Qualys. He brings more than twenty years of experience to Qualys, and his last role was as Head of Global Cyber Security Operations for Jaguar Land Rover. He is interested in the cross-over between IT and operational technology security, as well as how to help IT security teams implement better practices.

Published Tuesday, December 21, 2021 7:34 AM by David Marshall