In the past 12 months, a series of high-stakes cyber-physical attacks targeted U.S. critical infrastructure. Breaches of the Colonial Pipeline, New York Metropolitan Transportation Agency, JBS Meat Processing Plant, and a Florida city’s water system exposed the vulnerability of US critical infrastructure, as digital attacks triggered cascading consequences in the physical world.
Underpinning critical infrastructure is a layer of operational technology (OT) that enables systems to run continuously and reliably, 24/7/365. Most OT is built upon legacy technology created long before the world became digitized and cybersecurity best practices emerged. Once walled off from other networks, OT has become increasingly connected to outward-facing networks, creating a more attackable target. OT cybersecurity failures can create safety risks, incur millions of dollars in operational downtime losses and ransom payments, and downstream disruption for daily people – all consequences brought to bear in 2021.
Successful cyberattacks like those targeting NYMTA and Colonial rarely occur in an echo chamber, and provide a blueprint for defenders on where to sharpen their focus. It’s with this lens that Josh Lospinoso, CEO and co-founder of Shift5, has forecasted likely events to come in 2022.
Read on for Josh’s predictions and guidance for where cybersecurity professionals in rail, aviation, and national security should double down on defense:
Zero-days Will Target OT Systems
Cybercriminals are rational economic actors, and they’re seeing that physical effects of cyberattacks (like those experienced by Colonial Pipeline) can result in 7- and 8-figure payouts. Thanks to the interconnected nature of digital components, operational technology is deeply embedded within the digital landscape. The result is that attacks — even from the IT side — have become much more devastating. When OT assets can’t operate, operators lose money very quickly and are often desperate to get back up and running. In 2022, we will see threat actors narrow their efforts to capitalize on these issues. These systems were never designed with a witting cyber adversary in mind — they were designed to maximize safety and availability against a wide range of physical operating conditions. We must expect and prepare for an onslaught of cyber-physical ransomware attacks and exploitation of zero-days in OT systems.
The U.S. Government Will Push Cybersecurity Measures For Transportation
The U.S. government has historically been unwilling to mandate cybersecurity measures for organizations and critical infrastructure. New policies in the form of Executive Orders were created this year in response to SolarWinds and the Colonial Pipeline attack spurred the Transportation Security Agency (TSA) to implement new cybersecurity requirements for pipelines. Given how fast the transportation and other sectors are incorporating digital systems and how successful attackers have been targeting critical infrastructure, there will be moves within the U.S. government to be more proactive in proposing cybersecurity measures for key sectors.
Autonomous Transportation Assets Will Be The Next Attack Vector
As transportation vehicles on roads, rail lines and in the air become more autonomous they are increasingly at risk of cyber attack. Western Australia’s mainline rail network is now fully-automated and more planes and helicopters are unmanned, which means they can be remotely controlled. Aircraft, trains and ships today run on data which can be remotely accessed. Once an attacker can take control of a transportation operation system or manipulate data on its internal communications network, there’s little to no security. The danger of sabotage and destruction is real. We will need robust security on these systems that lack a human layer of protection.
Cyber Privateering Will Expand Beyond Russia
Russia has perfected the art of cyber-privateering — enlisting the aid of private threat actors and groups that aren’t formally sanctioned, but are secretly supported by the government. In exchange for launching cyber attacks against Russia’s enemies, the Russian government turns a blind eye to the other hacking the private groups do for their own personal profit. Meanwhile, Russia is able to claim innocence as it maintains political distance from the attacks. Over the next year, we will see other nation-states, such as China, Iran, or North Korea, emulate this model to advance their cyber capabilities.
Adversaries Will Seek To Topple The Jenga Tower Of Code That Is American Software
The hasty cloud migration the pandemic prompted has increased the layers of software stacked on existing software, creating a Jenga tower of code that can easily be toppled if one piece is tweaked. We saw this with the SolarWinds and Kaseya attacks, and most recently Zoho, and we’ll continue to see even more such attacks in the new year as attackers move up the software supply chain.
Machine Learning Will Power The Next Wave Of Cybersecurity Innovation
The security practices of patching vulnerabilities, requiring passwords, and listing known signals of bad actors do not adequately enable organizations to keep up with the rapidly-evolving threat landscape. Machine learning can help move the industry forward — particularly because it provides the ability to identify previously unknown bad activity. In 2022, we will see a surge of innovation as vendors apply machine learning to a range of persistent cybersecurity problems, such as phishing attacks, unusual network traffic and business email compromises. We’ll also see machine learning models used in non-security disciplines like computer vision and reinforcement learning applied to old cybersecurity problems, such as detection of phishing attempts and endpoint protection.
As cyber-physical assets become an increasingly attractive target for malicious adversaries, OT systems like those found on trains, planes, and tanks become increasingly critical to defend. Shift5 helps operators gain visibility, detect threats, and maintain the resilience of OT systems across aviation, rail and metro, and defense spaces. Follow Shift5 on Twitter and LinkedIn.