06 Feb Emerging trends for the roaring ‘20s
Morey Haber, Chief Security Officer at BeyondTrust, gets his crystal ball out to predict what emergent trends are likely to take hold for the remainder of this decade.
So far, the roaring twenty-twenties have not disappointed. We have experienced a global pandemic that has dramatically altered the course of how and where we work, the death of a queen, and a regional war that has laid bare the darkest sides of human intent. During this era, cybersecurity initiatives have only increased in urgency. The stakes for protecting digital assets and critical infrastructure from cyberattacks continue to ratchet up.
So, what can we expect for the rest of the decade?
Battery Software Revolution
We are at the onset of a rapid change in battery software that will improve charging times, minimise power consumption, see the elimination of fossil fuels, and even protect against tampering and catastrophic events.
Charging your car or phone faster is not only dependent on having the proper power, but also on the method and algorithms to deliver and consume the power. Therefore, in the next decade, expect to see a larger focus on the software used for power management and the security of the software so tampering does not allow a threat actor to create a catastrophic event.
The smart storage and distribution of energy is a growing trend with a lot of potential for abuse. In the next decade, we’ll not only see a larger focus on software used for power management, but also on the security of the software to prevent tampering by a threat actor. Any place there is power, there stands a chance for power to be abused. Battery software, solar storage, electric cars, and the energy sector at large will all become common targets for threat actors.
Hackers take automobiles off-roading and off-line
Expect the hacking of automobiles to substantially increase.
While fossil-fuel-based vehicles will be around for a while, electric cars are on pace to be the norm in ten years. If you examine components within a new electric car, many have the same applications and base operating systems as our corporate devices. This means these automobiles are susceptible to vulnerabilities and exploits, just like any other computing device. If a threat actor were to target the controls in your car even now, they could disable or interfere with your display screens, entertainment, navigation, climate controls, and even the ability to call for help using the car’s system. Consider what this could represent when autonomous driving truly goes mainstream.
The hacking of automobiles will bring out the good (new functionality via software) and bad (malware) in our new electric cars.
Expect to see everything from custom displays to malware using car resources for crypto mining. Performance improvements that could void warranties and violate other governing regulations are another possibility. In the next decade, this will be a risk surface and viable commercial market no one should ignore.
More ‘Lights Out’ Cyberattacks
An increase in the number of cyberattacks on energy production and distribution will lead to power outages, fuel shortages, and heating or cooling resource depletion.
While a fault in any energy source can drive prices higher, the threat of an intentional disruption could leave people out in the cold, lead to under-delivered merchandise, or completely disrupt electronic transaction processing. If you can shut off the power, everything comes to a standstill. The repercussions will be measured in finances as well as in loss of life.
Governments are well aware of the threats and repercussions of attacks on critical infrastructure; however, cyberattacks specifically targeting energy production will have the biggest impacts on society. Threat actors recognise this weakness, and we should expect nation-states and opportunistic organised cybercrime syndicates to refine their methods to target energy sectors. This prediction is more focused than ICS attacks in general, because everything we use and operate today relies on energy.
Evolving from Technology Recycling to Upcycling
The recycling of technology will move away from the destruction of devices and towards new means of repurposing them.
Instead of simply recycling old working technology for its parts, just because it is obsolete or no longer supported, vendors will provide novel solutions to extend the life expectancy of devices.
Over the next decade, we expect new businesses to emerge that will specialise in the upcycling and the second life of technology. It will be much more than recycling or donations and focus more on sustainability and revitalisation to provide supportable and secure coverage for previous technology investments. The mantra, “just because it is old does not mean it should be thrown away”, will have new meaning.
The Emergence of ‘One You’
In the next 3-5 years, millions of people will start operating with a single, centralised digital identity. This will go far beyond legacy concepts, like a social security number.
We are seeing the first signs of this, and it’s increasingly being pushed by identity providers. Whether it is through a private organisation or a government-provisioned service, we are signing into and connecting more systems using fewer individual identities and existing authentications. Social media authentication mechanisms via Google, Amazon, and Facebook have been the first steps in this process. For most of us, in the short-term, this will resolve to two identities: one personal and one business.
In the future, however, you will have one account (based on your identity) that is used for everything. This will be a personally managed account that will be attached to a company and detached when that relationship ends. The identity owner will be in control of who has access to each piece of data (attributes) within their identity and for what periods. This will allow extremely granular control over both the sharing of identity information and its monetisation. Attributes will include everything from personally identifiable information (marital status, children, bank information, birth date, medical records, etc.) to benign information like the colour of your car.
In the next decade, look for this consolidated online identity system to ubiquitously emerge and be your record of truth for everything about you. How you share and trade this information will become the source of the ‘one you’.
Default Accounts Go Extinct
By the end of this decade, we may finally witness the long-overdue extinction of default accounts and their associated secrets.
Just about every system we work with has a default account (Administrator, root, admin, etc.). These accounts exist to provide the initial superuser access to create all other accesses. Then they persist (often disabled, renamed, or both), gathering metaphorical dust. Without effective password management, the credentials associated with these accounts become ripe for brute force and other attacks. Some of the earliest computer worms exploited default accounts, yet, decades later, we are still seeing this happen with IoT/smart devices. We need to tightly control access to those passwords and change them regularly, ideally after every use, or, preferably, get rid of default accounts altogether!
By the end of the decade, authentication mechanisms will become more centralised. This will allow the first boot of a system to configure (or discover) the authentication provider, while also allowing for the assignment of one or more users (ideally groups of users) to the superuser role within the environment. This means no more default user accounts, although it will require some additional thought when removing users from the system.
The use of group assignments, rather than individual accounts, offers more options since control of group membership is outside the system itself. This is where many systems already end up, but, invariably, with the default account still hanging around because of basic flaws in legacy role-based access models. Using modern techniques for initial management and configuration will obviate these problems in the future.
ICS-based Attacks become more Cost-Effective
Ransomware attacks that target industrial control systems (ICS) could be devastating. In the past, we’ve seen human-led attacks that specifically targeted ICS to affect the operation of those systems, and they delivered significant impacts. Examples include the attacks on the Oldsmar water treatment plant, on JBS, the world’s largest meat packer, and on Schreiber Foods, the largest cheese supplier in the US, which resulted in a national cream cheese shortage. Automated attacks could take that to a whole new level, potentially impacting multiple systems simultaneously.
Many ICS systems would be catastrophically impacted by stopping their operations. Those systems ‘tend’ to be carefully isolated and employ lots of redundancy to ensure they don’t go offline. For the other systems, an alteration that imperils the integrity of the data or output may be more damaging—such as changing the volume of a chemical flow as opposed to stopping the flow altogether.
The increasing interconnection between ICS and IT systems is a necessary move to improve efficiency, flexibility, and redundancy, but it also increases the ROI on developing attacker tools that are more impactful in ICS scenarios. Rather than just stopping everything it finds it can access, ransomware could identify control systems and lock you out of them, while manipulating settings, either under predefined plans or dynamically through C2 (Command and Control) systems, until you pay up. The increasing number of systems potentially accessible makes the effort of building the code more cost-effective for attackers.
The primary driver of this increase is recognition by threat actors of the fear they can instil. Developing targeted tools for ICS exploitation will become profitable for exactly these reasons.
The Arrival of the Unforeseen Attack Vector
In the next decade, expect at least one entirely new class of attack vectors to emerge and raise the bar for cybersecurity.
As we continue to embrace newer technologies at home and in the office, it is only a matter of time before a new, perhaps somewhat unforeseen, attack vector is discovered targeting next-generation technology.
What is the next technology we will all embrace? Is it an evolution of digital personal assistants into robots, the metaverse, personal quantum computing devices, or even next-generation web3 based on cryptocurrency? No technology is 100% hacker-proof, but the lessons we have learned today can help us mitigate the unknown risks of the future. Whatever comes next, we should prepare.
Thus, we should recognise there will be new attack vectors that are not predictable today. How we mitigate the risks will be guided by lessons learned from our past.