2022 has been a year of both progress and increased peril for public sector cybersecurity. The federal government made important strides in articulating how agencies can better protect their networks, primarily in the form of Executive Orders and Cybersecurity and Infrastructure Security Agency (CISA) directives.
At the same time, geopolitical developments highlighted the increased dangers to America’s critical infrastructure. And the macrotrends affecting cybersecurity continued to accelerate:
- continued migration to the cloud;
- the move to mobile and bring-your-own-device (BYOD);
- the convergence of IT, operational technology (OT) and the Internet of Things (IoT);
- the sharp increase in work from home (WFH) that has remained even as we move beyond pandemic restrictions.
Based on what I’ve seen as a Public Sector CTO, here are six predictions for the coming year.
The Digital Attack Surface Will Continue to Increase
Cyber attacks continue to accelerate. The attacks are highly organized and likely coming from nation-states. Not only are the attacks increasingly organized, they are also growing in sophistication. This has expanded the attack surface to include non-traditional systems such as water treatment plants, pipelines, power stations, railways, etc.
The fighting between Ukraine and Russia has raised the visibility of these critical systems and has created heightened concern about the ability of the public sector to fend off these attacks. Public sector organizations need to leverage new cybersecurity solutions to be better positioned to meet these attacks. Many of the approval processes unique to the government could potentially slow adoption of new cybersecurity tools that could strengthen protection of these sensitive resources. Delays in updating standards to adopt cloud-based solutions may significantly hamper the ability of the public sector to respond to threats and protect critical systems.
Evolution of OT Threat
We saw an escalation of coordinated attacks on OT systems in 2022. Attacks against OT systems will rapidly expand going into 2023 and beyond. We will also see a sharp increase in zero-day vulnerabilities affecting OT infrastructure. Unfortunately, OT will be a bullseye for cyber attacks next year. The potential damage and disruption of a successful breach, plus the generally weaker security posture of OT, make these systems highly attractive to attackers.
Our society depends on OT in ways people do not truly understand, ranging from fuel pipelines that power homes to HVAC systems in the buildings where people work. We will see CISA continue to provide guidance to the public sector and critical infrastructure operators on securing these systems. Currently the main type of attack against critical infrastructure is ransomware, but this will evolve into attacks aimed at taking control of OT environments and damaging OT hardware.
Zero Trust Continues to Evolve
A comprehensive Zero Trust Architecture promises to deliver stronger public sector cybersecurity – “Never Trust, Always Verify.” Its scope will broaden in 2023 to encompass medical environments, OT, and IoT assets.
The focus will be on taking Zero Trust to the next level. The Administration released several Executive Orders in 2022, and CISA released guidance on compliance and timelines. The next leap will be from a network focus to combining network visibility with user actions. Historically IT, OT, IoT, and the Internet of Medical Things (IoMT) have been kept separate and treated differently. This has to change going forward because everything is connected. For a Zero Trust environment to be complete, it must have visibility into everything connected to the network.
Increased Focus on Supply Chain Trust
Recent cybersecurity incidents, Log4j for example, have demonstrated the vulnerability of the software supply chain. Modern software typically uses open source libraries, often from several different sources. As the public sector strives to secure its networks, it must require the integrators and vendors it works with to apply the same level of diligence.
The Cybersecurity Maturity Model Certification (CMMC) was created to manage this risk and provide assurances to the public sector about the cybersecurity hygiene of integrators and independent software vendors (ISVs). Presently CMMC is directed at Department of Defense industry partners, but it will likely be adopted across civilian agencies as well.
The soft underbelly of the public sector is its power stations, water treatment plants, K-12 schools, universities, pipelines, etc. All of these systems are critical to keeping modern society running smoothly. Too often today these systems are taken for granted.
The vast majority of critical systems lack security controls and do not have a complete picture of the assets on their networks – OT, IT, and IoT. Many of these power and water facilities have been the victims of ransomware attacks. These attacks will escalate and be combined with coordinated attacks from nation-state actors. We desperately need to provide basic cybersecurity capabilities to these environments, with a focus on speed of deployment and visibility of all assets.
AI/ML Powered Cyber Attacks
As cyber attacks continue to advance rapidly, an unfortunate emerging trend is the use of Artificial Intelligence (AI) and Machine Learning (ML) by attackers. No longer are cyber attacks mainly orchestrated by a lone teenager working with limited resources to test their abilities. Today, cyber attacks are much more sophisticated and originate from nation states.
This means they have access to vast resources and many different skill sets. These new attacks will leverage AI and ML, giving them a level of sophistication never before seen. AI and ML will unfortunately provide a dangerous new tool for cyber attackers, making disabling damage to sensitive critical infrastructure more likely. Attacks could also originate from hardware, with exploits designed into the hardware itself or into specific applications, such as TikTok or Huawei.
As we head into 2023, the public sector must harden its defenses and ensure 100% visibility into all of its IT systems in order to protect our critical infrastructure. The time to act is now and we must remain hypervigilant as a new era of threats is upon us. Is your organization ready?