We wrote recently how cybersecurity should be viewed as an ongoing process, that companies should always be on the look-out for threats and preparing its infrastructure for cyber attacks that will keep reinventing themselves. [Cybersecurity-No Finish Line]. So when it is reported that vulnerabilities in software programmes are on the increase, there should be no surprised reactions. However, there should be a more aggressive and targeted response by companies to prepare for it.
Fireeye’s report, Overload, indicates that vulnerabilities in industrial control system (ICS) software programmes are set to escalate. The report examined more than 1,500 ICS programme vulnerabilities, and showed the total number that occurred in 2015 was significantly higher than in previous years – more than 350 vulnerabilities while previous year counts had not crossed the 300 mark.
Security researchers have already reported increasing vulnerabilities in the last six years, and the report predicted that more disclosures will come at an average rate of about 5% in the next few years. The report points to recent attacks on utilities and indicated that one-third of these vulnerabilities did not have a software patch to fix the problem at the time that the problem was disclosed.
Utilities and other companies managing assets with ICS programmes are recommended to train security teams to understand control system components, locations and functions. To protect against cybersecurity attacks, utilities must track vulnerabilities and available patches.
The lack of vendor fixes and slow patch times for most industrial environments presents a significant opportunity for potential adversaries, according to the report but it also presents an even greater opportunity for cybersecurity startups.
Cybersecurity –opportunities for startups
With the rapid adoption of the Internet of Things (IoT) in products ranging from connected cars to industrial workplaces, the need to secure cyberphysical assets is growing. In fact, according to Lux Research, venture capital investment in cyberphysical security startups rose 78% to US$228 million in 2015, and will rise to US$400 million in 2016 as rapid IoT adoption raises the threat to products such as connected cars, smart homes, and future factories.
As organizations begin to connect their internal processes and machines to the internet, security remains weak due to multiple factors, including finance and the lack of adequate solutions. This expands the landscape of vulnerabilities and creates an even bigger market for security startups.
"Connected consumer and business products have begun flooding the market, but security has been an afterthought. The world now has to figure out how to secure the multitude of things that have recently become connected," said Mark Bünger, Lux Research vice president. "Unlike the hacking of credit card numbers and Hollywood feature films, these attacks have more dangerous consequences and threaten the integrity of critical infrastructure." Lux Research analysts studied funding of cyberphysical security firms, notably by venture finance firms, and the startup environment, finding that the US is a firm leader, accounting for nearly 50% of the IoT security startups. One-third of these startups are Israel-based. Combined, 77 startups assessed by Lux have raised US$808 million since 2000, with many receiving no venture capital funding.
More than 50% of the startups aim to deliver horizontal security platforms capable of supporting multiple types of IoT devices and environments. Securing industrial control system networks is a huge initiative across the IoT security landscape while securing the connected car is also proving to be popular in the market.
Device behaviour analysis, network behaviour analysis, and combinations of the two approaches are especially active areas of innovation, according Lux's analysis of startups by the types of countermeasures being developed. Methods for performing authentication and encryption in IoT environments are also a major focus.
Holistic cybersecurity solution -a market differentiator
Cyber security technology on its own can only partially address the issue of cyber threats. [Cybersecurity For The Critical Infrastructure Sector.] Businesses need to deploy the proper organization and processes early on in order to supplement the impact of cybersecurity protection technologies.
In a recent interview, Marius Münstermann, Key Account Manager, Rohde & Schwarz SIT recommends that stringent cybersecurity measures be put into place right from the start as new technologies and processes are adopted - not later. [Prioritising cybersecurity as “tommorrow may be too late”]
He says that while there is evidence that utilities are starting to work on their cybersecurity issues, there is still a great deal of work to be done. There is no doubt that old infrastructure has to be made secure which will take time and will more than likely cost a great deal of money. Added to this is a lack of skilled manpower which also proves to be a challenge for utilities as new technologies are implemented. To overcome these challenges, Mr Münstermann suggests that utilities analyse their current situation and identify the “crown jewels”, in other words, the assets that essentially drive the business forward. He points out that it is also important for utilities to choose the right cybersecurity partner. Mr Münstermann says that many vendors are joining forces and sharing their expertise to offer well-rounded and holistic solutions.
There appears to be a promising business opportunity for those able to offer a one-stop cybersecurity solution-one that will help secure physical assets as well as provide skilled expertise and support on a long term basis.
A space to watch for sure.