Predictions for 2021 in Security and Tech

Winston Churchill once said, “I always avoid prophesying beforehand because it is much better to prophesy after the event has already taken place.” Because Mr. Churchill was a brilliant man and I am far less so, I foolishly but cheerfully offer my predictions of what I believe will happen in 2021 in the security and tech spaces:

  • There will be at least two significant cyberattacks against critical infrastructure targets in the United States and/or Europe, most likely against electrical power systems. These will be noisy attacks in that they will disrupt large numbers of customers and may last several days. My guess is these attacks will be in the Northeastern United States and in France.
  • In the same vein, there will be a greater emphasis on attacks against various types of Operational Technology (OT) infrastructure. The growing number of sensors and other Internet-enabled devices can be used effectively for a variety of purposes, including penetrating networks and disabling infrastructure as part of ransomware and other attacks. The work-from-home model that will continue at nearly its current pace well into 2021 will be a key enabler of these attacks. A cheap baby monitor that lives on the same home Wi-Fi network that is used to access corporate databases and email does not make for good security.
  • There will be continued high levels of phishing, but we will see an increased emphasis on business email compromise (BEC) as a proportion of total phishing attacks. In fact, we will see record levels of BEC aimed both at senior executives (e.g., CFOs) and at lower-level employees in HR and finance departments. a) Good security awareness training, b) skeptical employees, and c) communication backchannels (for example, a phone call to a number already on file, not one supplied in the email) to verify these kinds of requests dramatically reduce the chance of bad actors successfully stealing funds, but not enough companies have enough of a, b or c.
  • There will be a significant increase in ransomware, and ransom demands will be higher than we have seen in the past. Recently, there was a $34 million ransomware demand directed at Foxconn Electronics (the highest ransom demand to date, as far as we can tell) and another against the Dutch firm Randstad. I expect to see more, and much higher, ransom demands in 2021, including at least one demand of $50+ million. At least one of these high-value demands will be directed at a critical infrastructure system.

  • China will begin military operations against Taiwan no later than July 2021 (and will receive very little pushback from most world leaders for doing so). Of course, this will create significant political repercussions, but also major disruptions in the world economy and in the technology space (for example, Taiwan is Apple’s number one supplier, and Google is currently building its third data center in the country). Chinese President Xi said in early 2019 that Taiwan “must and will be” reunited with China. In May 2020, Chinese Premier Li Keqiang dropped China’s long-standing use of the word “peaceful” in discussing China’s reunification with Taiwan. In late 2020, the senior director at a think tank that specializes in China-Taiwan affairs noted, “This is the most dangerous, the most unstable, and the most consequential flashpoint on the planet.” And, in recent months, there have been a number of incursions by Chinese military aircraft into Taiwanese airspace.

I’d like to hear your thoughts on these predictions.

Are You Paying Attention to SOT and HOT?

Everyone in the cybersecurity space is very familiar with Information Technology (IT), but far fewer are as familiar with Operational Technology (OT) – software and hardware that focuses on control and management of physical devices like process controllers, lighting, access control systems, HVAC systems and the like.

However, cybersecurity professionals should familiarize themselves with OT because it is having an increasingly serious impact on their IT solutions and on their corporate data. Here are two of the several aspects of OT to consider:

Shadow OT (SOT)

Most of us are familiar with “Shadow IT” – individual users or departments employing their own mobile devices, mobile applications, cloud apps, laptops and other personally managed solutions to access corporate resources like email and databases. This phenomenon/scourge/blessing/reality has been with us for more than a decade and is generally well accepted by the IT community. But relatively new on the scene is “Shadow OT” – the use of Internet of Things (IoT) solutions in the workplace, typically outside the oversight of the IT organization. For example, some businesses will employ consumer-grade solutions like routers, security cameras and lights in a work environment, introducing a number of vulnerabilities that are more common in consumer-focused IoT solutions than they are in industrial-grade solutions. Because consumer-grade IoT products are developed by manufacturers who are under enormous price pressure and will sometimes employ temporarily contracted teams to create these devices, security is rarely considered in the design process, and the ability to upgrade and patch these devices after they ship is often missing altogether.

Because consumer-focused IoT solutions often will have vulnerabilities, they can create enormous security holes when used in the workplace. For example, as discussed at Trend Micro’s Directions ’19 conference earlier this week in a session hosted by Bill Malik (@WilliamMalikTM), a New Jersey hospital installed Bluetooth-enabled monitoring pads in its 2,000 beds to detect patient movement and dampness that would signal a patient needing a nurse’s attention. Doing so makes sense – using technology like this frees nurses from the task of going room-to-room to check on patients who need no help, allowing nurses to spend more time on other, more critical tasks. And, they were able to implement the solution for about $120,000 instead of the $16 million that would have been required to use FDA-approved beds that offered the same functionality. But these consumer-oriented devices very likely have major security vulnerabilities, and if the pads (or the gateways that collect their Bluetooth data) share a network with critical medical systems like insulin pumps and patient monitors, they give an attacker a foothold from which to reach those systems, not to mention the hospital’s patient records that are valuable to bad actors.

Home OT (HOT)

Another important issue to consider is the use of OT in the home. Many employees work from home either occasionally or full time and they often do so in an environment populated by Internet-connected thermostats, baby monitors, game systems, voice-enabled home automation systems, security cameras, lights, alarm systems, wearables, refrigerators and the like. Here again, these devices typically have numerous security vulnerabilities and sit on the home Wi-Fi network – the same one the employees use to connect their laptop and desktop computers to enterprise email and other corporate data sources. And, because all of these devices in the home connect through the same gateway, with nothing to separate them, a bad actor’s access to one device can expose everything else on the network – including corporate devices – to unauthorized access and control.

The solutions to these issues won’t be easy. It’s tough to convince decision makers, as in the case of the hospital noted above, to spend 100+ times more on secure technology when they barely have the budget for what they can afford now. And it’s virtually impossible to require employees to disconnect the IoT devices in their homes while they’re working there. However, there are some things that can be done in the short term, such as putting IoT devices on a separate guest network or VLAN from work computers, and using firewalls, monitoring solutions, VPNs and the like. Longer-term security will require a change in design focus on the part of manufacturers, as well as user education about the risks of an ever-expanding array of OT devices, among other things.
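As an added example of the kind of lightweight “monitoring solution” the paragraph above has in mind (this is not code from the original post), the script below reads the Linux neighbor/ARP cache as printed by `ip neigh show`, normalizes the MAC addresses it finds, and checks them against a small inventory of devices the household expects to see. It reports two things that matter for Home OT: hosts that are not in the inventory at all, and interfaces on which a work computer shares a Layer 2 segment with IoT or unknown devices, which is exactly the “same gateway” exposure described above. The sample `ip neigh` lines, the inventory, and the interface name `wlan0` are all constructed for the example; the iproute2 output format (`<ip> dev <iface> [lladdr <mac>] [router|proxy] <state>`) is an assumption about the platform.

```python
"""Flag unknown and poorly segmented devices on a home LAN.

Parses the Linux `ip neigh show` table (the neighbor/ARP cache), normalizes
MAC addresses, compares them against a small device inventory and reports
(1) live hosts that are not in the inventory and (2) interfaces on which a
corporate device shares a segment with IoT or unknown devices.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `ip neigh show` output (iproute2 format assumed):
#   <ip> dev <iface> [lladdr <mac>] [router|proxy] <state>
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 10:20:30:40:50:60 REACHABLE
192.168.1.23 dev wlan0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.37 dev wlan0 lladdr AA:BB:CC:DD:EE:02 REACHABLE
192.168.1.88 dev wlan0 lladdr aa:bb:cc:dd:ee:99 DELAY
192.168.1.120 dev wlan0  FAILED
fe80::1 dev wlan0 lladdr 10:20:30:40:50:60 router REACHABLE
"""

# Hypothetical inventory: MAC -> (label, role). In practice this is the list
# the household maintains of what is *supposed* to be on the network.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "10:20:30:40:50:60": ("home router", "gateway"),
    "aa:bb:cc:dd:ee:01": ("work laptop", "corporate"),
    "aa:bb:cc:dd:ee:02": ("baby monitor", "iot"),
}

# Neighbor states meaning the host has answered on the wire recently.
LIVE_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}


@dataclass(frozen=True)
class Neighbor:
    ip: str
    dev: str
    mac: Optional[str]   # None for FAILED/INCOMPLETE entries (no lladdr)
    state: str


def normalize_mac(mac: str) -> str:
    """Lower-case and zero-pad each octet so inventory lookups match."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def parse_neigh(text: str) -> List[Neighbor]:
    """Token-based parse of `ip neigh show`; tolerates a missing lladdr and flags."""
    neighbors = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "dev":
            continue  # blank or unexpected line
        mac = None
        if "lladdr" in tok:
            mac = normalize_mac(tok[tok.index("lladdr") + 1])
        neighbors.append(Neighbor(ip=tok[0], dev=tok[2], mac=mac, state=tok[-1]))
    return neighbors


def unknown_hosts(neighbors: List[Neighbor],
                  inventory: Dict[str, Tuple[str, str]] = INVENTORY) -> List[Neighbor]:
    """Live hosts whose MAC is not in the inventory."""
    return [n for n in neighbors
            if n.mac is not None and n.state in LIVE_STATES and n.mac not in inventory]


def roles_by_interface(neighbors: List[Neighbor],
                       inventory: Dict[str, Tuple[str, str]] = INVENTORY) -> Dict[str, Set[str]]:
    """Which device roles are present on each interface (one L2 segment each)."""
    roles: Dict[str, Set[str]] = {}
    for n in neighbors:
        if n.mac is None:
            continue
        role = inventory.get(n.mac, ("unknown", "unknown"))[1]
        roles.setdefault(n.dev, set()).add(role)
    return roles


def mixed_segments(neighbors: List[Neighbor],
                   inventory: Dict[str, Tuple[str, str]] = INVENTORY) -> List[str]:
    """Interfaces where a corporate device shares the segment with IoT/unknown hosts."""
    return sorted(dev for dev, roles in roles_by_interface(neighbors, inventory).items()
                  if "corporate" in roles and roles & {"iot", "unknown"})


if __name__ == "__main__":
    # Feed real output with:  ip neigh show | python3 home_ot_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NEIGH
    ns = parse_neigh(text)
    for n in unknown_hosts(ns):
        print(f"UNKNOWN host {n.ip} ({n.mac}) on {n.dev}, state {n.state}")
    for dev in mixed_segments(ns):
        print(f"SEGMENTATION: corporate and IoT/unknown devices share {dev}")
```

Two caveats a practitioner should keep in mind: the neighbor cache only lists hosts that have recently exchanged traffic with the machine running the script, so it is a point-in-time snapshot rather than a complete census, and MAC addresses are trivially spoofed, so an inventory match is evidence of what is expected, not proof of what is there. The useful outcome of running this is the segmentation finding: if the work laptop and the baby monitor show up on the same interface, moving the IoT devices onto a guest network or VLAN removes the exposure the paragraph describes, whereas a firewall on the laptop only narrows it.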