With 2023 fast approaching, it’s a good time to reflect on the changes to both physical and cybersecurity this past year and make some assumptions for what to expect in the coming year.
Physical security systems remain the primary means of preventing unauthorized access to an organization's premises and of capturing and recording video evidence that can be analyzed to protect both employees and company operations. And when criminals use physical access to plant malware or reach internal systems, physical security's role as the first line of defense matters more than ever.
On the cyber side, threat actors are targeting IoT and OT systems such as physical security more than ever, and a breach of those systems carries risk across the entire enterprise. Looking back at 2022, some clear trends in the threat landscape should inform planning for 2023: the sheer number of devices in IoT/OT operations, the limited IT and security skills of the people who manage them, and the shortage of staff available to perform basic cyber hygiene on them.
The shift by threat actors toward vulnerabilities in open source software (think Log4j) is particularly worrisome, because a single flaw in a widely shared library is present in many products at once. Each manufacturer that embedded the library must ship its own patch, on its own schedule, so the window of exposure stays open far longer than it would for a single product, and in some cases the embedded copy never gets patched at all. For a given device, it is the device vendor's fix, not the upstream project's, that actually closes the window.
Another change across 2022 is the increased focus on mandates, compliance and corporate responsibility. The SEC has proposed rules that hold public companies to stricter disclosure of cyber incidents and of how their boards oversee cyber risk. The US Federal Government has directed agencies to remediate known exploited vulnerabilities within fixed deadlines, and a push toward zero trust architectures and more comprehensive reporting of cyber incidents is likely to follow.
And, whether it is through industry-level compliance requirements (as more malware becomes industry-specific) or more broad-based ones like ISO 27001, there is a push to include IoT and OT devices such as physical security systems in compliance and audit efforts around cyber.
From the trends and situation described above, here are five predictions for risk management, and another five for threat intelligence, that organizations should expect in 2023:
Convergence in organizational structure – threat actors target companies, not departments or other silos. So why should an organization's response be fragmented and uncoordinated? Many organizations are bringing their separate functions (IT security, physical security, facilities and operations) together to work on defenses and responses jointly. In 2023, this will likely evolve into more formalized reporting structures that keep every part of an organization's attack surface in view.
Rise of industry-specific responses – it’s not uncommon for market competitors to coordinate and collaborate on issues and threats that can impact all of them. Safety is a good example of this in many industries and, likewise in 2023, we will see more efforts on industry-level coordination on cyber threats. Some have already become quite advanced in developing and sharing best practices and programs on security, such as the Real Estate Cyber Consortium, whose members represent over 20 billion square feet of commercial real estate. If your industry does not have that level of coordination, 2023 should be the year you start working across competitive lines.
Board-level involvement – increasingly, boards of directors are being encouraged to have outside advisors on cyber and to have a cyber committee in place, similar to other board committees like finance or governance. In addition, the SEC is placing more accountability on boards and senior management with respect to cyber. Be prepared in 2023 to have the data, trends and policies on IoT/OT security in place for them to review and expect guidance for improvement to be coming from the board in response.
Cyber insurance drives change – cyber insurance is critical for an organization to absorb the damages that come from cyber-attacks and security failures. Yet cyber insurance is becoming more expensive, harder to get, and requires more details and documentation. This may lead organizations to self-insure, forcing more internal risk assessments and governance policies on the entire operation – especially IoT/OT because of the increased exploits of those devices.
Procurement gets more involved – assessing the threat from existing IoT/OT devices increasingly requires the cooperation of the device manufacturers, specifically in providing a software bill of materials (SBOM) that lists the third-party components inside each device's firmware, and in giving early notice of when a device will reach the end of its support life. Procurement organizations will play a major role in making both of these contractual expectations in 2023.
Finding and remediating botnet armies already planted – DDoS attacks and ransomware have become “-as-a-service” businesses, with cyber criminal organizations offering them at larger scales than ever before through botnets built from infected devices they control. A single compromised camera or recorder contributes only one bot, but thousands of such devices under one controller can generate floods of millions of requests, and the same foothold can be used to move deeper into the network. In 2023, this will force organizations to check whether their devices are already part of a botnet; identifying and remediating devices that are already infected is the best way to stop them from being used in DDoS attacks, and to remove the foothold, before an attack is launched.
Asset discovery is not just for IT anymore – gone are the days when the operator of a physical security system could afford to be unaware of what is on their network. Because cameras and recorders cannot run endpoint agents, agentless asset discovery will become a requirement in 2023 for knowing what should (and should not) be on the network and for assessing whether the devices found carry known vulnerabilities. The same inventory, compared against the firewall and VLAN design, also reveals whether the physical security network is still segmented and firewalled off from other corporate networks, or whether an undocumented path has crept in.
Focus on known exploits – there are over 170,000 known vulnerabilities, with more found every single day, and organizations are stretched thin as it is by existing physical and cybersecurity demands. That is why CISA's effort in providing a catalog of Known Exploited Vulnerabilities (the CISA KEV catalog), each with a remediation due date, is so valuable: it narrows attention to the vulnerabilities threat actors are actually using. In 2023, combining the KEV catalog with SBOMs will let organizations work efficiently from the component list of what they actually run to the subset of its vulnerabilities that are being exploited, and remediate the largest sources of risk first.
Scale/time drives automation – in most organizations, IoT/OT devices outnumber traditional IT devices by anywhere from 5x to 20x and, because of their operational nature, are spread widely across the organization rather than contained in neat-and-tidy data centers (think cameras hanging outside of buildings). Studies have shown that manually updating camera firmware across such an estate is beyond almost any organization's resources, and outsourcing it to a security integrator to do by hand can be a budget-breaker, especially now that firmware updates arrive a few times a year as new vulnerabilities are found. This will force organizations and service providers to focus on automated methods for vulnerability remediation and cyber hygiene in 2023, and to reuse that automation's records for easier compliance and audit reporting.
Repatriation, not just remediation – on most IT systems, cyber hygiene is a routine operation on a single system; on IoT/OT systems like physical security it is far more complicated. Remediating a camera through a firmware update or a password rotation can break the overall workflow: the VMS may not be compatible with the new firmware version, or the camera's new password may not also be updated in the VMS, leaving the stream offline. That is why, in approaching IoT/OT security in 2023, teams will need to perform cyber hygiene in a way that treats tightly coupled devices and applications as one workflow: validating firmware against the VMS before a fleet-wide rollout, rotating a credential on the device and in the VMS as a single step with a rollback path, and treating the job as done only when the device is repatriated to full network and operational status.
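The pairing of SBOMs with the KEV catalog described under "Focus on known exploits" above, as an added example that is not from the article: a CycloneDX SBOM whose vulnerabilities section has been filled in by a scanner or a vendor VEX statement is cross-referenced with an excerpt of the KEV catalog, and the findings are ranked KEV-listed first, most overdue first. The KEV field names (cveID, vendorProject, product, dateAdded, dueDate) match the catalog's published JSON; the Log4Shell entry uses the real CVE ID, while the dates, the CVE-0000-0001 and CVE-0000-0002 identifiers, the ExampleCam product and the component list are constructed placeholders and not real findings.

```python
"""Added example (not the article's code): rank an SBOM's vulnerability
findings by whether CISA's KEV catalog lists them as exploited and by how
far past the KEV due date they are. All data below is constructed."""
import json
from datetime import date

# Constructed excerpt shaped like CISA's known_exploited_vulnerabilities.json.
# Field names match the published schema. CVE-0000-0001 is a deliberately
# invalid placeholder for a camera-firmware flaw, not a real identifier.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
   "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCam", "product": "Firmware",
   "dateAdded": "2022-06-01", "dueDate": "2022-06-22"}
]}"""

# Constructed CycloneDX 1.4 SBOM for a hypothetical VMS host. The
# "vulnerabilities" section is what a scanner or vendor VEX supplies; KEV
# alone cannot map CVEs to components because it carries no version data.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "name": "log4j-core", "version": "2.14.1"},
    {"bom-ref": "pkg:generic/examplecam-fw@5.2.0",
     "name": "examplecam-fw", "version": "5.2.0"},
    {"bom-ref": "pkg:generic/openssl@1.1.1k",
     "name": "openssl", "version": "1.1.1k"}
  ],
  "vulnerabilities": [
    {"id": "CVE-2021-44228",
     "affects": [{"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
    {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:generic/examplecam-fw@5.2.0"}]},
    {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:generic/openssl@1.1.1k"}]}
  ]
}"""


def load_kev(kev_text):
    """Index KEV entries by CVE ID for O(1) lookup."""
    return {v["cveID"]: v for v in json.loads(kev_text)["vulnerabilities"]}


def prioritize(sbom_text, kev, today):
    """Return one finding per (CVE, affected component), sorted so that
    KEV-listed findings come first and, within those, the most overdue first.
    `today` may be a date or an ISO-8601 string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    sbom = json.loads(sbom_text)
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    findings = []
    for vuln in sbom.get("vulnerabilities", []):
        cve = vuln["id"]
        entry = kev.get(cve)
        for aff in vuln.get("affects", []):
            comp = comps.get(aff["ref"])
            label = f"{comp['name']}@{comp['version']}" if comp else aff["ref"]
            if entry is None:
                # Known but not known-exploited: keep it, but in the backlog tier.
                findings.append({"cve": cve, "component": label,
                                 "in_kev": False, "overdue_days": None})
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"cve": cve, "component": label, "in_kev": True,
                             "kev_product": f"{entry['vendorProject']} {entry['product']}",
                             "due": due.isoformat(),
                             "overdue_days": (today - due).days})
    # Sort key: KEV first (False < True), then most overdue, then CVE ID.
    findings.sort(key=lambda f: (not f["in_kev"], -(f["overdue_days"] or 0), f["cve"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(SBOM_JSON, load_kev(KEV_JSON), "2023-01-01"):
        flag = "KEV" if f["in_kev"] else "   "
        print(f"{flag} {f['cve']:15} {f['component']:22} overdue={f['overdue_days']}")
```

The point of the design is the division of labor: the SBOM plus a scanner (or the vendor's VEX) answers "which of my components carry which CVEs", and KEV answers "which of those are being exploited and by when CISA expects them fixed". KEV lists vendor and product names but no affected versions, so it cannot be matched against an SBOM's component list on its own; the vulnerabilities section is the bridge. Against a real catalog, replace KEV_JSON with the JSON feed CISA publishes and the SBOM with the one your VMS or camera vendor supplies.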
While the threat landscape in 2023 is likely to be more dangerous and complex than in previous years, there are many positive changes afoot that will help organizations meet the challenges highlighted above. Governments, industries and organizations all have upped their game in 2022, allowing us to build on those efforts in 2023.
Physical security teams are being empowered in many sectors to drive their organization’s overall IoT/OT efforts and have more of a “seat at the table” than ever before. Frameworks, best practices and risk visibility are all becoming more mature and “normalized”, so when an attack takes place, the organization is better prepared for it.
One final prediction based on these trends: By the end of 2023 it will be clear that organizations have become more resilient to cyber-attacks on their physical security and other IoT/OT environments, denying cyber criminals the “low-hanging fruit” that these systems have been in previous years for breaching an organization. Here’s to a safer and more secure New Year ahead!
This article was originally published in the December edition of Security Journal Americas.