2020 was a significant year for technology with the Covid-19 pandemic playing its part
People have gone through a lot in 2020. Its scary to think that just a year ago, people were standing up proclaiming loudly that 2020 was going to be their year. I have not heard any similar proclamations about 2021.
Obviously, the main event of the year has been the Covid-19 Pandemic. This had an inadvertent impact on the tech industry as it fast tracked adoption and growth in many areas. But, it also opened the door for cyber crime to become a major problem.
Below are some of the biggest stories of the year.
Total Cyber Protection
In the 1970s, Ajax Amsterdam and the Dutch Football Team changed the way the world saw football when they won nearly every trophy on offer by playing Total Football. The concept of Total Football is that every player on the field can play any position with relative ease. It meant that teams who were very structured had little to no answer to the attaching flair that the Dutch displayed.
This means that football teams who played total football had very little weaknesses. Perhaps this is the approach that companies need to take when developing a cyber security policy/protocol.
A report by the World Health Organisation points out that, as the coronavirus pandemic continues to disrupt global health, economic, political and social systems, there's another unseen threat rising in the digital space: the risk of cyberattacks that prey on our increased reliance on digital tools and the uncertainty of the crisis.
Here are three reasons robust cybersecurity measures matter more than ever.
- A heightened dependency on digital infrastructure raises the cost of failure. In a pandemic of this scale - with cases of coronavirus reported in more than 150 countries - dependency on digital communications multiplies. The Internet has almost instantly become the channel for effective human interaction and the primary way we work, contact, and support one another. Businesses and public-sector organizations are increasingly offering or enforcing “work from home” policies, and social interactions are rapidly becoming confined to video calls, social media posts and chat programmes. Many governments are disseminating information via digital means. For example, the UK has made digital the default mode of communication, instructing citizens to rely on official websites for updates to avoid flooding phone-based information services with requests. In today’s unprecedented context, a cyberattack that deprives organizations or families of access to their devices, data or the internet could be devastating and even deadly: In a worst-case scenario, broad-based cyberattacks could cause widespread infrastructure failures that take entire communities or cities offline, obstructing healthcare providers, public systems and networks;
- Cybercrime exploits fear and uncertainty. Cybercriminals exploit human weakness to penetrate systemic defences. In a crisis, particularly if prolonged, people tend to make mistakes they would not have made otherwise. Online, making a mistake in terms of which link you click on or who you trust with your data can cost you dearly. The vast majority of cyberattacks - by some estimates, 98% - deploy social engineering methods. Cybercriminals are extremely creative in devising new ways to exploit users and technology to access passwords, networks, and data, often capitalizing on popular topics and trends to tempt users into unsafe online behaviour. Stress can incite users to take actions that would be considered irrational in other circumstances. For example, a recent global cyberattack targeted people looking for visuals of the spread of COVID-19. The malware was concealed in a map displaying coronavirus statistics loaded from a legitimate online source. Viewers were asked to download and run a malicious application that compromised the computer and allowed hackers to access stored passwords;
- More time online could lead to riskier behaviour. Inadvertently risky Internet behaviour increases with more time spent online. For example, users could fall for “free” access to obscure websites or pirated shows, opening the door to likely malware and attacks. Similarly, there could be hidden risks in requests for credit card information or installation of specialized viewing applications. Always, and especially during the pandemic, clicking on the wrong link or expanding surfing habits can be extremely dangerous and costly.
Where do we go from here?
Another report by the WHO suggests that COVID-19 is changing everything. Along with social distancing, obsessive sanitisation, broken supply chains, fragmented workforces and the rise of video meetings, the pandemic is driving acute systemic changes in consumer and business behaviour. These changes are causing an outbreak of new and unanticipated business moments. The resolve to transform is palpable.
Businesses know they must rapidly innovate, take advantage of new digital tools and leverage cloud services to emerge from the crisis ahead of their competitors with momentum for the long-term transformation of their business in the altered global landscape.
This innovation is good news, but it is coming at a cost. As digital spreads its roots deeper, it also increases the risk and impact of cyberattacks.
The report adds that the WHOs COVID-19 Risks Outlook found 50% of enterprises were concerned about increased cyberattacks due to a shift in work patterns alone. These concerns are merited. Hasty and unplanned decisions related to digital transformations will add substantially to the spate of cybersecurity issues.
Cybersecurity matters even more given the increased dependency on digital infrastructure to ensure collective resilience. Many of the industries which are transforming serve critical functions – and a break in their supply chains could affect the movement and availability of life-saving drugs, components, equipment, and raw materials.
A feature of these vehicles was that they were autonomous. While we are not flying our cars around, we are making strides towards autonomy. However, it this beneficial for everyone?
The major problem with these vehicles is that they are run by artificial intelligence (AI); and AI is highly susceptible to cyber-crime. Will this kill the AV dream? Hope for the best, plan for the worst, Guidehouse Insights’ Sam Abuelsamid told Motor World adding that the cyber threat to AVs is real, but the industry can take steps today to ensure resilience
The article points out that there was a time when the only real security concern for vehicle owners was that someone would pop their lock and either steal the stereo or hotwire the engine and drive off. However, as we add increasing connectivity and the electronic controls that will eventually lead to full automation, the risks become exponentially greater. Cyber security is a very real concern that all automakers and suppliers deal with daily.
There was never much cause for concern around cyber security until the late 1990s; even then, it was closer to 2010 before most people really started paying attention. In the early days, most electronic control units (ECUs) in vehicles were not even reprogrammable. The algorithms that ran on those relatively primitive microcontrollers, which powered systems like antilock brakes, were actually encoded right on the silicon dies.
The article adds that in some cases, a chip could be replaced with modified calibrations for the engine management or transmission. Even when reprogrammable flash memory became available, someone would need physical access to the vehicle and a proprietary diagnostic tool to make changes. At that point, you were more likely to break—or ‘brick’—the ECU than accomplish a malicious hack.
The article points out that, fast forward to 2020, and the majority of new vehicles have an embedded LTE data modem, Wi-Fi and Bluetooth, and many reprogrammable safety critical ECUs. Within the next few years, nearly all new vehicles will be connected in some way with 5G and vehicle-to-everything (V2X) joining the communication suite. At the same time, more sophisticated, partially automated systems are becoming commonplace.
As we deploy highly automated vehicles (AVs) that can operate without any human intervention, connectivity becomes essential. After all, how can you tell a car to go park itself, or return from the parking garage, or summon a robotaxi if you cannot communicate with it? AVs will also need to download map updates, traffic and road conditions, enable teleassist capability, and more in real time.
Who is likely to attempt a hack on a car, and why? There are those who will attack a system just to see if they can do it, and what they can accomplish. Similarly, the vandal may simply be out to cause some seemingly minor trouble, like disabling a friend’s car. The more troubling cases could involve active attempts to steal data or otherwise commit financial crimes, and those involving state actors.
The article points out that the first confirmed hacks shared with the public came out in 2015, and both were executed by security researchers. A team from the University of Washington managed to get into GM’s OnStar telematics system and show how they could manipulate steering, braking, the engine, and other systems remotely. GM was notified of the vulnerability and corrected it before it was made public. A similar attack was famously executed by Charlie Miller and Chris Valasek on a Jeep Cherokee using vulnerabilities in the Chrysler Uconnect system and wireless provider Sprint. That incident led to the recall of more than one million vehicles to have their telematics systems updated.
Imagine a scenario in the not too distant future where thousands of AVs roam around a large city, and millions exist worldwide. Each is continuously connected to the others, as well as data centres. What if those vehicles suddenly came to a stop, and a message appeared on infotainment screens demanding payment of one million bitcoins to release the cars? There would be instant gridlock across countless cities.
The article adds that this is an example of a ransomware attack, which in truth is probably the least of the industry’s worries. What if someone found a way to infiltrate a data centre and send a command to the entire fleet to accelerate as quickly as possible? Or to tell every AV to turn left immediately? The potential casualties in cities around the world could be enormous. This is an unacceptable outcome of the move to take human drivers out of the loop.
The article points out that the first step to a solution is admitting there is a problem. When the first demonstrations of security vulnerabilities in vehicles occurred around 2009 and 2010, automakers publicly denied a problem existed. By 2015, that had changed. GM appointed its first chief product cyber security officer, Jeff Massimilla, and began creating a team entirely focused on security within its product development organisation.
Several automakers including Tesla, FCA and GM established responsible disclosure or bug bounty programmes, while others had less formalised processes. Responsible disclosure programmes have proven essential in many industries, such as technology, financial services, and aviation. These programmes provide security researchers like Miller and Valasek a pathway to report any vulnerabilities they discover to the manufacturer before they are disclosed publicly. This gives the manufacturer an opportunity to correct the problem, hopefully before bad actors can exploit it. Increasingly, security researchers that have demonstrated an ability to find vulnerabilities receive job offers from the very companies whose products they infiltrate. Miller and Valasek are now responsible for security engineering at Cruise, the GM subsidiary developing its automated driving system.
The article adds that, like many other industries, the auto industry formed an information sharing and analysis centre (Auto-ISAC). ISACs provide member companies with an organisation where they can share information about security threats and best practices in a non-competitive environment. In the auto industry, the challenge with cyber security is the long value chain where potential attacks can happen or vulnerabilities can be implemented. Any given vehicle programme has thousands of engineers working on it, with an ever-increasing number of them focused on software and electronics development.
One of the changes within the industry is the implementation of new development, review, and test processes. Rather than approaching security as an afterthought, it must be designed from the ground up for software and hardware. The new verification tools used to continuously test flaws in the software could be exploited to inject malicious instructions. Access to code repositories must be controlled and changes must be documented, maintaining a chain of trust. That documentation is important for engineers working on the software and for regulatory purposes. In Europe, software is included in the type approval process before vehicles can be sold, as well as for after-sales service. Once a vehicle has received its type approval, any software changes that affect regulated systems must go through an amended type approval process.
Notably, this has affected Tesla, which pushes out regular and frequent updates to its customers for many features including its Autopilot driver assistance system. Some features distributed to Tesla owners in North America are not available in Europe because Tesla has not submitted them for amended approval. New development tools are becoming available to automate this process of documenting what has changed.
The article points out that systems are needed in vehicles to maintain security. With most ECUs now being reprogrammable, it is crucial to establish that only verified updates are ever applied. A number of suppliers now offer systems for encrypting and digitally signing software update packages. In the vehicle, the digital signatures must be verified before the updates are applied. Another solution is to continuously check the software against known encryption hashes to make sure it has not been tampered with.
Monitoring systems embedded in the vehicle can continuously monitor all of the message traffic across the vehicle network, looking for anomalies that might indicate either an attack or even just an error. When these anomalous messages are detected they can be blocked, the system can go into a fail-safe mode, and the driver or control centre alerted.
AVs will feature levels of redundancy and diversity in the actuation, electronic, and software systems never used in automotive industry before. With no human driver in place to take over if something fails, backup compute platforms are required. AVs will likely be using backups with distinct hardware architecture and software algorithms that execute similar functionality. This can be used as a verification that the primary compute is functioning properly and also to get the vehicle to a safe, minimum-risk condition if a serious problem is detected.
The article adds that it is not just the developers and the vehicles that need to be secured: the network infrastructure that manages AVs must be too. Control centres will most likely be the primary attack surface for bad actors. Many networks have been breached over the past decade, from banks and manufacturing to retail and movie studios. If attackers found a vulnerability in a remote operation system or a dispatch platform or map updates, it could spread to the entire fleet.
Best practices need to be implemented at every level of the chain when deploying AVs. This includes designing data and control centres for security from the ground up.
Strategy eats culture for breakfast
We have spoken extensively about the effective approach towards cyber security and that there needs to be an effective culture that is built and developed so that employees know what standard operating procedures (SOPs) are needed in specific situations.
The problem with developing a culture is that it takes a long time and the cyber threat is immediate. When facing a clear and present danger, nothing beats strategy. After all, Strategy eats culture for breakfast.
I recently read a Forbes article which pointed out how this can be done effectively. Especially when it comes to remote working, which is something that will gain in prominence in the future.
- Encourage cyber ‘social distancing.’The article points out that companies need to encourage employees to adopt the same strategy for cyber viruses they use in the real world. Cyber “social distancing” is about recognizing risk and keeping your distance. The article adds that helpful technology solutions should include a secure email gateway to detect phishing attacks and spam, a VPN solution to secure remote connections or a secure access solution to ensure that only authenticated devices access the network;
- Use a cyber-intelligence approach.The article points out that, to truly strengthen an organization’s cybersecurity posture, look for external signals of impending attacks. The article adds that the ability to predict an attack and prioritize remediations accordingly is key. Go to the hackers’ trenches (e.g., deep/dark Web, hackers’ communities, and closed communities), decode threats that are relevant to the organization and understand the context of the attack;
- Employ cloud-based solutions.The article points out that cloud-based cybersecurity solutions that protect the device, cloud, and identity of the user—that is the ticket for secure remote working. The article adds that the new generation of cybersecurity solutions, optimized for secure remote work, are deployable in seconds, cloud-managed, silent to the user and invasive to the attacker;
- Secure the perimeter.The article points out that businesses need to secure the corporate perimeter when moving to a remote workforce. This means tying VPN to Active Directory and enabling multifactor authentication to make sure the right people are accessing networks, apps, and data. The article adds that businesses should mandate VPN use on public Wi-Fi and remind employees to avoid opening emails and clicking on URLs from unknown senders and to keep passwords safe;
- Consider virtual desktop environments over VPNs. The article points out that companies must ensure employees can securely access everything they need to do their jobs effectively from home. The article adds that using VPNs has been the traditional method, but it limits access to a small number of internal company applications and cannot secure many of the online apps employees need. Companies should consider testing and bolstering a virtual desktop environment to provide a great user experience;
- Trust, but verify.The article points out that when working remotely, it is easier to be misled by fake requests from people you know (spearphishing). The article adds that companies should teach their team how to spot the signs, as well as how to verify any requests. The easiest way is to always use another channel, like calling them or jumping on a video call;
- Carry security protocols over to home offices.The article points out that it is not just about the security platform that the CISO has put in place but how employees continue that business continuity into the home office. The article adds that it’s critical that as users move to remote working the security team has a plan in place to carry all of the security protocols and policies over to ensure that home users are just as secure as if they were in the corporate office;
- Deploy mobile security software. The article points out that the most effective cybersecurity measure is the implementation of an agile mobile security platform that can be installed on any device accessible by the employee—regardless of the operating system or manufacturer—and that is built around a model of data-centric security. The article adds that without those key elements, companies risk slower deployment times, lost company data and extensive overhead costs;
- Remind employees to guard their home routers. The article points out that we have seen with smart cities and enterprises that remote contractors and staff may have the greatest VPN, but their home router may be the weakest link. The article adds that many people buy home routers and never change the default password. Botnets are out seeking these open doors—once they gain access, they infect the worker’s PC and enter the organization through the VPN. This is an area not managed by IT;
- Know your access points. The article points out that the rush to work from home is a situation in which the prepared do better. It is critical to keep an up-to-date network map to handle whatever comes along. For example, show where your VPN access points are and whether they have the correct access. The article adds that most organizations struggle to maintain a reliable map of their changing world, but it can be automated;
- Remember that temporary pain will bring long-term advantages. The article points out that the COVID-19 crisis is accelerating many developments that will improve the cybersecurity posture of organizations. Security teams are looking for SaaS security applications that can be deployed with ease and with no disruption to productivity. The article adds that many organizations are still far away from this, using only on-premises solutions, and the crisis is forcing them to change their approach;
- Create a specific action plan for critical functions. The article points out that, like any new service, secure remote working needs organizations to define and implement security policies, procedures, and controls. However, in most companies, the challenge is that a few critical functions are not designed to work offsite. The article adds that those need a quick process redesign and risk assessment to come up with a short-term action plan followed up with a sustainable long-term control framework;
- Do not wash your hands of cyber hygiene. The article points out that the most significant threat to cybersecurity is still employee negligence. Anticipate a substantial increase in malicious cyber-targeting of remote workers. That article adds that, no matter the location, you must establish a culture of security, protect mobile devices, maintain computer cyber-hygiene, properly deploy and maintain firewalls, have current antivirus software, and, most importantly, plan for the unexpected;
- Focus on endpoint security and VPN use. The article points out that companies need to ensure robust endpoint security and VPN use on all devices, including personal devices that may now be accessing company systems and data. Using a cloud-managed solution enables streamlined centralized control, visibility, and policy enforcement;
- Assess your company’s threat model work. The article points out that a good rule of thumb that easily translates to remote work, VPN use, etc. is to view all traffic and actors as nefarious until proven otherwise. The article adds that, in the end, cybersecurity measures ultimately come down to a company’s threat model work, which is the primary key to driving their cybersecurity risk assessment and countermeasures.
The focus on cyber security peaked in 2017 as the world realised that any defence against this growing threat needs to be formalised and not piece-meal. Roles such as Chief Information Officers were established in companies and they started to hold board positions and are now involved in some of the most intricate planning within companies.
These departments grew as strategy required feet on the ground. I recently read on article on Security Boulevard which pointed out that as a Chief Information Security Officer (CISO), your cyber security strategy plan drives data protection for the organization across every aspect of business processes including new hires and onboarding.
The article points out that it is not uncommon for an organization to have an HR step where the hiring manager requests network account credentials and permissions for a new employee. Without the right procedures in place, hiring managers could ask for extensive permissions and violate the principle of least privilege. High-privilege accounts should be given with caution including virtual and physical access. With the right strategy plan in place, a CISO can maintain hardened cyber security compliance and still offer managers a smooth onboarding transition.
It has certainly been a year full of highlights and lowlights. GTconsult would like to take this opportunity to wish all of its employees, and clients, a happy and restful Festive Season. We look forward to seeing you in the new year where we will see where technology will take us.