Against a backdrop of uncertain economic conditions and geopolitical unrest, 2023 nears its end. But it isn’t all bad news. In the race against cyber criminal gangs and malicious threat actors in 2023 major catastrophes have not materialized, and the state of cyber defense is stronger than ever. New solutions for IoT and OT security, a focus on open source vulnerabilities, and progress in security awareness training within organizations are all signs of stronger defenses. What’s more, in a recent survey over half of IT leaders said the weakest part of their cybersecurity was IoT, but they are taking action on it in both budget and personnel.
With this optimistic outlook in mind, here are 10 predictions for the future of cyber-physical security in 2024:
- Increased global conflict will bring more hacktivists aiming for maximum impact, which means targeting cyber-physical IoT systems
With a number of high-profile geo-political conflicts dominating news headlines heading into 2024, it is not hard to imagine a world where our wars are fought using cyber vulnerabilities. Where cybercriminals use out-of-date firmware and unsecured passwords on an IoT end-point device to breach and control critical infrastructure and deny service of critical security systems. That is why CEOs and security leaders need to ensure they have automated and agentless solutions maintain effective IoT cyber hygiene.
- AI will bring new cybersecurity threats, especially on integrity of data
AI is advancing in ways that will lead to data integrity as a key issues for organizations. Today organizations rely on a variety of data sources to provide enhanced business intelligence and threat detection in real time. Conversely, these technological advancements, coupled with new cybersecurity threats, have muddied the waters when it comes to guaranteeing the integrity of data records, including video and audio. Organizations can overcome this challenge with automated IoT service assurance solutions that ensure organizations can meet compliance mandates for chain-of-custody requirements.
- Discussions around shortages of cybersecurity talent will become fine-grained.
The number of open and unfilled security positions continues to grow. Yet not all cybersecurity functions are understaffed to the same degree. At the Gartner Security and Risk Summit one example was with a large organization that had 50 people working on data center security but only 2 on IoT security, despite all the company’s revenues being dependent on IoT systems working properly. The growth of managed services is a way to proactively address cybersecurity concerns without increasing headcount or relying solely on internal resources, but clearly understaffing in IoT security will emerge as a key organizational risk.
- Not paying ransomware will drive focus on business continuity.
One of the most significant stories of 2023 was the ransomware attacks on MGM and Caesar’s, with MGM choosing not to pay the ransomware and instead rely on their ability to rebuild all their systems (including IoT, such as slot machines, door locks, and payment systems). With increased SEC and legislative action to prevent organizations from paying ransoms this will force more focus on disaster recovery and overall business continuity.
- Physical security breaches will increase as more threat actors go in physically. Increased cyber-attacks on security systems (increase in volume and velocity) to cripple security systems function.
By the end of 2024, there are projected to be more than 207 billion IoT connected devices worldwide – many of these security end point devices. Once breached, physical security systems can enable many other forms of attack on an organization, including planting ransomware, launching DDoS attacks, exfiltrating sensitive data, and potentially putting control of security systems in the hands of cyber criminals. From there, it’s not hard to imagine the devastation an offline surveillance or access control system could cause. That’s why in 2024 we will see more examples of how cyber security and physical security are intertwined.
- Board-level Focus on IoT Security as it grows as an existential threat. Legislation to make manufacturers liable will spur action.
Both the SEC and Congress have been putting more focus on corporate responsibility for cyber breaches. Analysts at the research firm Gartner predict that by 2024, 75% of CEOs will be held personally liable for cyber-physical security incidents that occur within their organization. By assigning liability to an individual, the thinking goes, there will be an increased budget and focus on cyber-physical security from the top down. While Europe already has the General Data Protection Regulation (GDPR) in place to mandate privacy and security compliance, expect to see the U.S follow suit with many directives impacting executives and boards directly.
- Industry-specific cybersecurity credentials will continue to grow
Many industries have formed information and resource sharing groups around cybersecurity, as it is a high risk to all industry participants. This collaboration is leading to industry level certifications being established, for example the Security Industry Association in 2023 promoted the “SICC” credential for cybersecurity in the context of physical security. Expect other industries to follow suit in 2024.
- Procurement and cybersecurity teams will work more closely together to prevent vulnerable devices from entering or operating in the enterprise
In a world where device data such as deployment dates, warranty expiration, or end-of-life status is readily available to security teams (or should be), the connection between security and procurement becomes inherent. This partnership facilitates better planning and a decrease in device vulnerabilities. For example, many devices come out-of-the-box with communication protocols like Bluetooth, Zigbee, WiFi, and others “cyber-breach enablers” – procurement can enforce that all new devices come with those disabled. What’s more, procurement teams are now invited to impose specific requirements back on suppliers, such as mandating a software bill of materials (SBOM) or verifying the implementation of acceptable cybersecurity practices by the supplier.
- Cyber insurance requirements will demand more IoT system reporting
In order to get cyber insurance in 2024, expect your insurer will want to focus on how you are securing your IoT and OT systems. Many organization derive their business value from IoT, which naturally leads to increased scrutiny by insurers.
- Compromised credentials expands to biometrics: Theft of video surveillance data will be used by criminals to thwart biometric systems.
2023 saw an astonishing rise in the frequency and quality of deepfakes, again another example of how AI is changing the imperative for video integrity. The technology is changing so quickly, in fact, that attackers can now inject the deepfake directly into the video stream, bypassing some liveness checks provided by biometric systems. To this end, ensuring the security of video surveillance systems and integrity of the data they produce will be paramount in 2024.