This post is part of an ongoing blog series examining predictions and recommendations for cybersecurity in 2018.
Machine learning is a buzz topic of conversation in many industries, but is it over-hyped or a real game changer? In the healthcare and cybersecurity industries, at least, I’m leaning toward game changer, and here’s why.
There are endless applications of machine learning within healthcare that can improve patient outcomes and patient care. The most obvious one is to use machine learning algorithms to improve diagnoses and care plans – far more accurately than a human doctor, and with much better results. We’re already beginning to see headlines: Stanford has developed a deep learning algorithm to identify skin cancer; Google used machine learning to create a tool that detects breast cancer better than human pathologists; and a JAMA article described the success of using machine learning to detect diabetic retinopathy in retinal photographs. We’re only witnessing the beginning of a long line of breakthroughs that will change the way people think about machine learning, from interesting research into a new standard of care for patients.
Cybersecurity, like healthcare, has some very compelling applications for machine learning as well, many of them equally game-changing. Ten years ago, organizations could protect themselves from cyberattacks with signature-based security products at the endpoint, on the network and in the cloud. But it didn’t take long for cyberattackers to catch on to the fact that they could beat signature-based security by automating the creation of unique malware, and that shift marked the end of pure signature-based malware detection.
Is machine learning the silver bullet for cybersecurity? Maybe that’s a little dramatic, but machine learning definitely will have a growing impact on the effectiveness of cyberattack prevention. Machine learning is one of the methods used by our Traps advanced endpoint protection to identify malicious files with a very high degree of accuracy. On the network, LightCyber behavioral analytics uses machine learning to “learn” the expected behavior of users and devices and then detect behavioral anomalies indicative of attack.
Healthcare and cybersecurity both generate a massive amount of data, and machine learning offers a standardized and proven approach to drawing meaningful conclusions from huge and seemingly unrelated data sets. The healthcare industry, in particular, has been impacted greatly by targeted and non-targeted cyberattacks in the past year and, hence, is very well-positioned to benefit from machine learning advances on both the patient-facing and cybersecurity fronts.
As we head into 2018, CISOs of healthcare organizations should start planning to adopt machine learning in their cybersecurity programs. Applications for machine learning will expand over time, but it’s already proven to be effective at identifying advanced malware in healthcare IT environments.
After a series of high-profile attacks against its members in 2016, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) established a Customer Security Controls Framework that includes a set of 16 mandatory controls. SWIFT requires self-attestations to be completed by the end of 2017. These will be made available to SWIFT counterparties in support of the transparent exchange of security status information. Without going out on a limb, my prediction is that some SWIFT members will not be able to comply with all mandatory controls by that deadline.
That being said, my recommendation for financial institutions is to incorporate the best practices for cyber hygiene found in the SWIFT mandatory controls into your overarching security program. Avoid the temptation to treat the SWIFT controls as “one-offs” to be addressed separately. Integrating them into your cybersecurity program will provide a more holistic approach and enable you to ensure ongoing compliance.
The SWIFT mandatory security controls can be viewed as measures of good cyber hygiene for their members. I won’t cover all 16 here, but I will highlight a few to provide some flavor for the controls.
SWIFT Environment Protection (1.1): Network segmentation of the local SWIFT infrastructure from the rest of the IT environment would be a major first step. This would limit access to and from the local SWIFT elements by attackers on potentially compromised endpoints, and even by malicious insiders.
Operating System Privileged Account Control (1.2) and Multi-Factor Authentication (4.2): In addition to a policy of least privilege, administrator-level accounts should be protected with multi-factor authentication (MFA). Of course, MFA should also be in place for access to critical systems, such as SWIFT. This limits the value of any credentials stolen by an attacker.
Internal Data Flow Security (2.1) and Logical Access Control (5.1): To ensure the integrity of communications between SWIFT-related components, obtain visibility into, and control over, the traffic flow based on applications, users, and content. Security policies may then be defined with the context of actual application and user identity to safely enable authorized access to the data.
Security Updates (2.2), Malware Protection (6.1), and Software Integrity (6.2): Patching software for security vulnerabilities in a timely fashion is clearly a necessity. However, in instances where this is not possible due to software past end-of-support or other extenuating circumstances, advanced endpoint protection from both malware and exploits is an alternative to maintain the integrity of the production environment. In general, advanced endpoint protection is superior to legacy antivirus and anti-malware solutions.
Logging and Monitoring (6.4): With the local SWIFT infrastructure protected by network segmentation, those firewalls will have significant information on both normal and unexpected data flows into and out of the environment. Those firewall logs should be reviewed for anomalies in traffic patterns as these may signal undesired activity.
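One way to act on controls 1.1, 2.1 and 6.4 together: check every firewall log entry that crosses the SWIFT zone boundary against the allowlist that the segmentation design defines. This is an added example, not code from the original post; the zone addresses, the permitted flows and the log lines are constructed.

```python
"""Review firewall logs at the boundary of a segmented SWIFT zone (added
example, constructed data): flows crossing the zone boundary are checked
against the allowlist from the segmentation design; the rest are reported."""
import ipaddress

SWIFT_ZONE = ipaddress.ip_network("10.50.0.0/24")       # constructed zone
OPERATOR_HOSTS = ipaddress.ip_network("10.20.1.0/28")  # constructed jump hosts

# Segmentation design: (source network, destination network, destination port)
ALLOWED_FLOWS = [
    (OPERATOR_HOSTS, SWIFT_ZONE, 443),  # operator web GUI
    (OPERATOR_HOSTS, SWIFT_ZONE, 22),   # administrative shell
]

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = [
    "2017-11-03T10:15:02Z action=allow src=10.20.1.5 dst=10.50.0.10 dport=443",
    "2017-11-03T10:16:40Z action=allow src=10.20.1.6 dst=10.50.0.10 dport=22",
    "2017-11-03T10:18:11Z action=allow src=10.50.0.10 dst=10.50.0.11 dport=1700",
    "2017-11-03T10:21:57Z action=allow src=10.30.7.20 dst=10.50.0.10 dport=445",
    "2017-11-03T10:22:03Z action=deny src=10.30.7.20 dst=10.50.0.10 dport=3389",
    "2017-11-03T10:25:30Z action=deny src=10.50.0.10 dst=203.0.113.9 dport=443",
]


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with typed src/dst/dport."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": ts, "action": kv["action"], "dport": int(kv["dport"]),
            "src": ipaddress.ip_address(kv["src"]),
            "dst": ipaddress.ip_address(kv["dst"])}


def crosses_zone(flow):
    """True when exactly one endpoint is inside the SWIFT zone."""
    return (flow["src"] in SWIFT_ZONE) != (flow["dst"] in SWIFT_ZONE)


def in_design(flow):
    """True when the segmentation design explicitly permits this flow."""
    return any(flow["src"] in s and flow["dst"] in d and flow["dport"] == p
               for s, d, p in ALLOWED_FLOWS)


def review_boundary_flows(lines):
    """Return (timestamp, direction, 'src->dst:port', finding) per anomaly.

    Flows the firewall allowed but the design does not list mean the rule
    base has drifted from the design; denied attempts still show intent."""
    findings = []
    for flow in map(parse_line, lines):
        if not crosses_zone(flow) or in_design(flow):
            continue  # intra-zone traffic and designed flows are expected
        direction = "outbound" if flow["src"] in SWIFT_ZONE else "inbound"
        finding = ("allowed but absent from segmentation design"
                   if flow["action"] == "allow" else "blocked attempt")
        findings.append((flow["ts"], direction,
                         f'{flow["src"]}->{flow["dst"]}:{flow["dport"]}', finding))
    return findings
```

Run against the sample log, the review reports the SMB connection that the firewall permitted from a user LAN host (rule drift), the blocked RDP attempt from the same host, and the blocked outbound connection from a SWIFT host to an Internet address.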
The two most recently publicized attacks on SWIFT members occurred in October 2017 (Taiwan and Nepal). Prior to these, there was an attack in December 2016 (Turkey). Although one could say the pace of attacks against SWIFT members has slowed from the peak seen in mid-2016, it would not be prudent to ignore the recommended security controls. Whether or not you are a SWIFT customer, ensuring that basic cyber hygiene is part of your overall security program is well worth the time and effort.
This year’s Cybersecurity Predictions blog series examined “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017. Here’s a round-up of what cybersecurity experts from Palo Alto Networks predict for 2017. Be sure to click into each post for even more predictions.
Ryan Olson predicts the political leaks we saw in 2016 will be the new normal.
This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.
It’s time again to make our annual cybersecurity predictions, and this year, I have the pleasure of making two! Since my Magic 8 Ball hasn’t been too dependable in the past and inspecting animal entrails is not really my thing, I’ll go with the more useful and less messy approach of looking at trends. Calling the future is a pretty challenging task, but one’s probability of success can be much improved by looking at the trajectories of past events and extrapolating.
Holidays and Hurricanes
Speaking of trajectories, at the beginning of September, I had to make a go/no-go decision about my family vacation to Hawaii. For weeks I had been hyping up the trip to my three-year-old daughter, who loves beaches and adores sea animals. However, looming ready to spoil our Labor Day–week vacation was Hurricane Lester, which had reached Category 4 status on its approach to the Hawaiian Islands. Much of the archipelago was already on watch, as just days before, Hurricane Madeline had grazed Hawaii, fortunately leaving the islands intact but still causing quite a stir.
Having been through two major hurricane events while living on Oahu, I knew of the devastation a direct hit could bring, and thus my first instinct was to cancel the trip. At the same time, I couldn’t bear the thought of breaking my daughter’s heart after getting her hopes so high. Two hours before our scheduled flight departure, Lester was still on course to hit the islands, and I was faced with a tough decision: cancel my trip and disappoint my little girl, or fly anyway and hope that the hurricane would change its path at the last minute. I’ll keep the suspense high and tell you my decision later, but first, let’s get back to the predictions.
Cyber-hurricane watch is in effect
As I observe the movements of the cybersecurity industry, a couple of approaching “storm systems” – which I foresee causing potential devastation to critical infrastructure operators – are ransomware and cybersecurity regulations. The devastation from ransomware relates mainly to critical service uptime and safety, while the impact of regulations comes in the form of administrative costs. With that said, here are my predictions for 2017.
Sure Thing: There will be public disclosure of an increasing number of successful targeted ransomware attacks on the OT environment of critical infrastructure, each causing millions of dollars in losses.
Long Shot: New transportation-sector cybersecurity regulations or legislation will be introduced in the United States.
Let’s take a closer look at each prediction separately.
Ransomware in Critical Infrastructure
The direction of ransomware in critical infrastructure is clear and concerning. In September 2016, we heard of a concrete manufacturer that experienced significant downtime and other related financial damages caused by a successful ransomware attack. Also in 2016, there was a breach of an electric authority that, while not an operator of the grid, interacts with many of the organizations that do manage the local grid. Of even greater concern was the breach of a municipally owned electric and water utility. Here the attackers successfully breached the business network adjacent to the OT environment, causing a reported $2M in remediation and legal costs. Highlighting the increasingly targeted nature of ransomware is the news of ICS-specific ransomware in July 2016, when the E-ISAC reported ransomware apparently targeting Industrial Control Systems (ICS) in the form of a zip file named after a major supplier of ICS automation products.
These breaches hit networks adjacent to OT and either did not cause downtime or, if they did, had their impact contained to the ICS operator itself without affecting services critical to the general populace. However, looking at where this is all headed, it is only a matter of time before there is a successful downtime-causing attack on a major critical infrastructure environment, such as an electric grid or transportation system supporting a large population.
The ability to gather intelligence for ICS environments, introduce ransomware, and make sure that it successfully compromises these specialized systems takes a lot of effort, possibly requiring the involvement of an insider. Hence, I believe that this attack will most likely involve well-resourced cybercriminals targeting an organization in an attempt to extract a hefty ransom. The impacted authority will be faced with a grave decision – pay the ransom in the hopes of quickly regaining functionality, or choose not to pay the ransom and instead remediate the situation with a functional disaster recovery plan and augment that with third-party resources and technologies whose total cost will end up far exceeding the ransom. None of us hopes this type of attack happens, of course, but such an event would cause the entire industry to wake up and think more urgently about how to safeguard ICS environments.
Regulations for the Transportation Sector
There are already cybersecurity regulations governing various sectors of critical infrastructure protection. These regulations include the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standards for the electric sector, CFATS (Chemical Facility Anti-Terrorism Standards) for the chemical sector, and the NRC (Nuclear Regulatory Commission) regulations for nuclear power facilities. However, an area that has not had any cybersecurity regulations put in place is the transportation sector (and its widely varying subsectors). The importance of this sector is immense, as the impact on daily life could be disastrous should key transportation services be disrupted. Consider that the transportation sector as defined by the U.S. Department of Homeland Security includes the following: aviation (including airports, aircraft, and air traffic control systems); mass transit and passenger rail; highway and motor carriers; maritime transportation systems; pipeline systems; freight rail; and postal and shipping. Yes, that’s about as critical as critical infrastructure gets.
Some cyber incidents in the airline industry demonstrate why this is a major concern. In 2013 there was a cyberattack on passport control systems at major airports, leading to delayed departures and long waiting times for passengers. Also in 2013, APT campaigns involving phishing were found to be targeting as many as 75 airports in the United States, with some organizations successfully breached. More recently, in 2016, an outage at a major airline carrier, while not attributed to a cyberattack, lasted five hours, cost $150M and led to 2,000 flights being cancelled over two days.
To be sure, there already are transportation-specific ICS cybersecurity plans in place, such as the guidance on best practices from the U.S. Department of Homeland Security. However, for 2017, I think there is the potential for new cyber legislation or regulation, issued by one of the many transportation-sector oversight bodies under its existing authority, possibly involving rigorous audits and steep fines for violations. This potential for regulation speaks to the gravity of these real-world threats, given that both President-elect Trump and the Republican-led Congress are generally opposed to expanding the country’s regulatory environment.
It’s Not About Being Right or Wrong
So there are my predictions for 2017. It will be interesting to see just how close or far off I am, but measuring my ability to accurately predict the future is not really the objective here. Rather, the purpose is to bring to light some of the key trends in industrial cybersecurity to hopefully build awareness and drive action.
On the former prediction, the unfortunate truth based on what I’ve seen so far is that most OT organizations are ill-equipped to deal with sophisticated attacks. Ransomware is but one of many modern attack methods that call for a different defensive mindset and set of new protective technologies. Granted, OT organizations are waking up and modernizing their OT security, but there is a long way to go for most, especially in being able to stop more advanced attacks. As IT and OT integrate even more deeply, organizations need to educate themselves to find out what attackers are doing and the state of the art, in terms of cybersecurity best practices and technologies.
Similarly, transportation organizations, or more broadly, other critical infrastructure operators not subject to regulations today, need to plan for the potential of such cybersecurity laws. As these organizations plan for upcoming regulations, whether they get put in place next year or further out, it is important to remember that compliance doesn’t mean they are secure. Even a well-crafted regulation that promotes risk management rather than a culture of minimum compliance means that compliant companies establish a good baseline, but they need to strive for more. Fortunately, a good natural outcome of applying the best known practices and technologies is that there is a very good likelihood that one will exceed the requirements of cybersecurity laws and pass their audits with reduced effort and cost. Invest a little more time up front and make it easier on yourself later during the audit.
The decision
Going back to the critical decision I had to make about my family vacation, I ended up trusting my gut and cancelled our trip to Hawaii. We decided instead to take a drive south to SeaWorld and the San Diego Zoo Safari Park, which my daughter absolutely loved. So all ended up well. As for Hurricane Lester, it ended up changing its direction and, like Madeline, just grazed Hawaii, causing some heavy rain and winds but nothing major. My initial reaction was that I had made the wrong decision. However, considering the risk to my family’s safety had I decided to go and the hurricane had hit, I still stand by my decision to forgo the trip. The stakes were simply too high.
A parallel statement could be made for successful cyberattacks to critical infrastructure. A “roll the dice” approach is simply not an option. Millions of people are dependent on operators to be proactive and stop cyberattacks. Whether the cyber hurricane hits or not, one needs to strive for more than just hitting the minimum compliance requirements and invest in the capabilities to stop advanced cyberattacks.
At Palo Alto Networks we firmly believe that a key approach to stopping advanced attacks and reducing the effort to deploy and administer cybersecurity is adopting a prevention-focused cybersecurity platform that provides as much automation as possible. Learn more about our platform by accessing the following resources.
Join this on-demand webinar to hear from utilities and Palo Alto Networks experts on how to address ransomware.
Get an overview of our Next-Generation Security Platform for Critical Infrastructure by reading this white paper.
See how our Next-Generation Security Platform can be deployed to secure your industrial automation environment by accessing our Reference Blueprint white paper.
What are your cybersecurity predictions for the ICS industry? Share your thoughts in the comments below.
Threat intelligence sharing among vendor and industry peers has come a long way, and in 2017 there will be more opportunities than ever to demonstrate its value, especially as conversations around sharing intelligence between the public and private sectors continue.
Crossing the Last Mile With Threat Intelligence
Security vendors and white hat researchers continuously seek new indicators of vulnerability. Once found, they convert them into prevention and detection controls and deploy them as quickly as possible. This is called actionable intelligence. The problem for the past decade is that most network defenders take days, weeks or even months to finish the last mile—if they do it at all.
What is needed is an automatic way to make the journey. Instead of analysts reading intelligence reports, deciding that the intelligence is pertinent to their environment, crafting prevention and detection controls for their deployed systems, and then deploying those controls, network defenders will, in the future, rely on automated systems which do that for them. They will have to trust that the automation will not take the network down.
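The automated last mile described above only earns that trust if every generated control passes a safety gate before deployment. The following is an added example, not code from the original post: indicators from a constructed intelligence report are converted into firewall block rules, and any rule that would hit the organization's own address space, a critical business dependency, a range too broad to block blindly, or an indicator the firewall cannot enforce is held for analyst review instead. The networks, domains, confidence threshold and report contents are all constructed.

```python
"""Automating the threat-intelligence 'last mile' with a safety gate.

Added example (not from the original post): indicators from an intelligence
report are converted into firewall block rules automatically, but each rule
must pass checks that keep the automation from taking the network down.
Report contents, address ranges, domains and thresholds are all constructed.
"""
import ipaddress

# Constructed environment context that the automation must never block.
OWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]      # constructed public range
CRITICAL_DOMAINS = {"payments.example.com"}                # constructed partner
MIN_CONFIDENCE = 70   # below this, a human decides
MIN_PREFIXLEN = 24    # never auto-block a range broader than a /24

# Constructed intelligence report: indicator type, value, reporter confidence.
REPORT = [
    {"type": "ipv4", "value": "198.51.100.23", "confidence": 90},
    {"type": "ipv4", "value": "10.4.2.7", "confidence": 95},        # our own host
    {"type": "ipv4", "value": "203.0.113.0/24", "confidence": 60},  # low confidence
    {"type": "ipv4", "value": "198.51.0.0/16", "confidence": 90},   # too broad
    {"type": "domain", "value": "bad-update.example.net", "confidence": 85},
    {"type": "domain", "value": "payments.example.com", "confidence": 80},
    {"type": "sha256", "value": "f" * 64, "confidence": 99},        # firewall cannot act
]


def check_indicator(ind):
    """Return (rule, None) when safe to deploy, or (None, reason) to hold."""
    kind, value, conf = ind["type"], ind["value"], ind["confidence"]
    if conf < MIN_CONFIDENCE:
        return None, f"confidence {conf} below {MIN_CONFIDENCE}"
    if kind == "ipv4":
        net = ipaddress.ip_network(value, strict=False)
        if net.prefixlen < MIN_PREFIXLEN:
            return None, f"{net} broader than /{MIN_PREFIXLEN}"
        if any(net.overlaps(own) for own in OWN_NETWORKS):
            return None, f"{net} overlaps our own address space"
        return f"deny ip any {net.with_prefixlen}", None
    if kind == "domain":
        if value in CRITICAL_DOMAINS:
            return None, f"{value} is a critical business dependency"
        return f"deny dns {value}", None
    return None, f"indicator type {kind} not enforceable on the firewall"


def plan_deployment(report):
    """Split a report into rules safe to push now and items held for review."""
    rules, held = [], []
    for ind in report:
        rule, reason = check_indicator(ind)
        if rule:
            rules.append(rule)
        else:
            held.append((ind["value"], reason))
    return rules, held
```

For the constructed report, two rules are pushed automatically and five indicators are held with the reason attached, which is what an analyst needs to finish the last mile by hand.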