Vendors prioritising speed to market over “security by design” are exacerbating the rising risk of a calamitous cyber attack on critical national infrastructure, the World Economic Forum’s fifteenth Global Risks Report warned this week, with 76.1 percent of those surveyed saying they expect the risk of such an attack to rise in 2020.
For the report, the WEF asks some 750 global experts to rank their biggest concerns by likelihood and impact. “Economic confrontations” and “domestic political polarisation” dominated their concerns, with “destruction of natural ecosystems” and the risk of a full-blooded attack on critical infrastructure also ranking highly.
(Human activity has already caused the loss of an estimated 83 percent of all wild mammals and half of plants – which underpin our food and health systems)
Cyberattacks were ranked, overall, the second most concerning risk for doing business globally over the next 10 years, and fifth as a short-term threat.
Critics have long warned that companies are pushing products to market with poor security baked in, for example by hard-coding credentials into their systems, and many also point to a weak response from regulators: most regulatory frameworks offer guidance only. Even Europe’s NIS Directive, for example, puts no pressure on vendors to deliver secure products; the onus is on end users to patch and secure what they buy.
Renaud Deraison, Co-Founder and CTO at Tenable, said in an emailed comment: “This year’s WEF Global Risks Perception Survey (GRPS) resonates with my own concerns that a serious cyberattack against critical infrastructure is imminent.
“The prospect of attackers turning the lights off, manipulating the water supply or bringing cities to a crashing halt may seem unrealistic, but we’ve seen evidence of threat actors testing their capabilities in all corners of the globe.”
(Indeed, ransomware forced the city of New Orleans to declare a “state of emergency” just last month, in December 2019, after services were crippled by the attack.)
Security experts have long warned that industrial systems remain particularly vulnerable to attack, and that the increasing convergence of IT and Operational Technology (OT), as plants seek to capitalise on the data their systems generate and to take advantage of predictive maintenance, is opening up new threat vectors.
As cyber criminals rake in millions every quarter from increasingly sophisticated and targeted ransomware attacks, approaches to securing the digital ecosystem, much like those to the natural one, need to change, and urgently.
Meanwhile, as the Global Risks Report 2020 notes: “Organized cybercrime entities are joining forces, and their likelihood of detection and prosecution is estimated to be as low as 0.05 percent in the United States.”