Simon Chassar, CRO at Claroty, looks at how the critical infrastructure threat landscape will develop in 2023 and how organizations will need to respond and adapt.
In 2023, the number of threats from nation-state actors, as well as from groups associated with nation-states, is going to increase. Their activity targeting the critical infrastructure industry, from manufacturing to water and energy, will continue to grow, fueled by ongoing global geopolitical conflicts such as the Russia/Ukraine war, as well as the current economic climate.
Additionally, as IT and operational technology (OT) systems continue to converge, nation-state actors and cybercriminal groups will shift their focus from IT to OT and cyber-physical systems; from stealing sensitive data to disrupting mission-critical operations. For all its benefits, IT/OT convergence without proper security means that threat actors can take down operations by exploiting an IT access point or a cloud vector. This yields maximum financial or political gain for the attacker because businesses have more incentive to pay a ransom when their means of production are at stake, which can have a long-term impact on revenue and the supply chain.
Market and regulations
Governments are going to continue to increase regulations in order to improve the standard of cyber security, particularly in the critical infrastructure industry. The US took the lead in implementing regulations after the Colonial Pipeline attack and Biden’s 100-day sprint initiative. We are now seeing other nations such as Australia, the UK, Germany, and Japan following suit and implementing their own policies and regulations for critical infrastructure and healthcare environments.
It's not only governments taking the initiative: organizations such as NIST, MITRE, ISO, and WEF have started to release advisories around critical infrastructure and OT security to encourage better cyber resilience. These organizations will only increase their advice to major markets such as energy, oil, water and healthcare. The challenge for organizations in 2023 will be adopting these policies into their frameworks and corporate audit programs; it is the enterprise’s obligation to ensure compliance. As a result, cyber security for cyber-physical systems (OT/IoMT/IIoT) will become part of a company’s corporate audit, and decision-makers will focus on ensuring that the company is delivering the right outcomes in improving cyber resilience as part of digital transformation.
Skills and trends
The role of the Chief Information Security Officer (CISO) is also going to change in 2023, especially as OT environments converge with IT in terms of overall risk responsibility, and CISOs will emerge as the owners of both IT and cyber-physical systems. CISOs play an important part in maintaining business continuity, particularly availability and uptime, along with reputational and regulatory risk, which will be a key concern to the board. Therefore, a CISO’s role will be defined as the ultimate Risk Officer, and they will become more aligned with the board and will start to gain parity in level with the Chief Information Officer (CIO).
Additionally, due to the increase in inflation and supply chain costs, companies are trying to balance multiple projects at the same time, including digital transformation, security risk, and IT debt. Decision-makers will have to prioritize these projects and implement risk and mitigation strategies to combat the current economic situation. For example, more organizations will move to multi-cloud in order to deal with their technical debt and gain automation benefits.
The current state of the global economy will also encourage hyperscalers to move towards an M&A cyber strategy. Organizations are implementing multi-cloud environments and looking for security solutions that support these environments and that are secure by design and best of breed. Furthermore, start-ups will struggle as we see less investment from private equity or VCs, creating an opportunity for some of the larger cash-strong security control companies to gain market share at a relatively low price.
Finally, countries will increase their investments in smart city projects in order to gain an ecological and technological advantage over global markets. As a result, at the end of 2023, we are going to see the emergence of 5G IoT with its own connectivity and communication fabric. This will present new challenges to organizations, as these connected edge points will need their own version of security and monitoring tools.