The gradual spike of ransomware attacks in the United States targeting critical infrastructure signals a new normal. With the level of risk countermeasures and awareness training required across private and public institutions, from the board to employees, the prospect of quickly getting the situation under control appears bleak for a variety of reasons. More attacks must be anticipated in the months and years ahead until there is a cyber elixir.

The low-and-slow attack

In layman’s terms, ransomware is a low-and-slow attack that is a fast-acting poison once armed. Cybercriminals have mastered techniques to design advanced malware, deliver the poison payload by evading network perimeter and endpoint detection and prevention methods. They know how to exploit user psychology and the lack of protection controls on information technology, Internet of Things (IoT) and industrial IoT devices.

Insider threats (malicious/disgruntled employees) are real without role-based access controls, dynamic separation of duties and multi-person authorization ceremonies for oversight. The challenges for network and security operators are steep. Cryptography is the Achilles heel of cybersecurity, and malware writers know how to weaponize encryption methods.

While meticulous and regular system and data backups are crucial for recovery, the damage from a ransomware attack may go far beyond a restore operation. The integrity of affected devices will require extensive and expensive forensic analysis at scale in operations technology environments. While executive orders and guidelines from government agencies are timely and well intentioned, the cybersecurity industry lacks the resolve to address the root cause head-on without return on investment justified in monetary terms.

Supply chain protection is not a cost center

Detection, prevention and forensic analysis is a multi-billion-dollar industry today, but hardening devices and supply chain protection is still perceived (wrongly) as a cost center by device manufacturers, and there is no regulation to motivate innovation. Cyber protection must begin at the factory and persist in the field throughout the operational life cycle of the device. Cyberattacks target devices for data, not users. The user is merely the carbon.

Breaches happen because CISOs are willing to take risks with outdated checklists and input-centric controls for multi-layer defense that the attackers are well versed in. Attackers possess the will and resources to evade detection, persist, propagate laterally and take control of systems.

If you are truly protecting your devices, what are you trying to detect on your network? If you are wearing a raincoat, why do you need an umbrella? You cannot fix a problem on the device with a patch on the network. It’s convenient, but the wrong solution, which only kicks the cyber can down the road. The hackers are professionals who exploit:

• Cracked passwords of a contractor or gullible employee.
• Obscure and insecure servers on the network with unprotected domain user or service accounts.
• Remote access over VPN through a compromised supply chain vendor’s network and/or system.
• Inadequate firewall capabilities to block encrypted command and control beacons (benign dial-home messages). It is abundantly clear that zero-day threat intelligence is inadequate and achieving the objective of a zero-trust architecture, beyond slogans, requires investment and commitment.

Call to action for device manufacturers

What does this mean for the cybersecurity industry? Connecting unprotected devices aggravates the problem. The cybercrime cottage industry has evolved over the years into a strategic cyber war by nation-state actors and a cybercrime syndicate that has mastered the art of capturing cyber hostages for ransom and profit at scale. Software developer kits and help desks on the dark web are empowering operatives across the globe — with no track and trace or punitive actions as deterrence. This is a call to action for device manufacturers and managed security service providers to serve as the first responders and protect cyberspace.

Though digital transformation has been a buzzword for several years, CISOs and product security architects have been, sadly, ineffective in championing the cause of device transformation that will begin the passage to digital transformation. While silicon chipset vendors have stepped up with security innovations, the trust chain has failed to effectively bubble up the stack to the device platform, line-of-business applications, and supply chain ecosystem of cyber-vulnerable services.

Protecting the cyber fabric of software-defined edge gateways and the plurality of connected brownfield and greenfield devices will require a high-spirited and collaborative effort with strategic partnerships between innovators and thought leaders in the device industry.