Cyber crime affects every sector
The famous criminal Willie Sutton was once asked “Why do you rob banks?” and his reply was simply “that’s where the money is!”.
This is now known as Sutton’s law and is a fairly common principle extended to many fields of human endeavour. The basis of medical diagnosis for example, is to check for obvious/common things before reaching for anything exotic: “When you hear hoof-beats, think horses, not zebras”.
Applying this to cyber security in today’s world though has an alternate interpretation. Traditional criminals rob banks because that’s where the money is, and it used to be the case that cyber attackers or cyber criminals would do the same.
Cyber crime is everywhere
However, today there is information everywhere and all of it has value. The target for a financially motivated crime might not just be a bank holding information or customer account credentials. Any data can have value: personal data, sensitive IP, M&A intentions, data encrypted by ransomware, data that impacts on share prices, distributed denial of service outages and even political mischief.
This can all be monetised by a cyber criminal or used to generate economic advantage for a rival business.
If the cyber criminal wants hoof beats, he doesn’t care if it’s a horse or a zebra – so a Stable or a Zoo is an equally attractive target.
So, what are the biggest challenges facing various industries? There is no way to list out all sectors and all challenges, so the examples below are the ones we feel are most interesting to consider.
As we highlighted above, the banks will always be a target of cyber criminals due to the fact they hold “real money” and large amounts of personal and identification data.
All industries experience disruption and financial services is no exception. The move towards the adoption of “open banking” in the UK and Australia, and the enforcement of the PSD2 payment services directive in the EU has meant that banks have had to change some of the ways they operate; with interesting implications for security.
In a nutshell open banking requires banks to allow other providers to offer services to customers, so rather than have the customer interact directly with the bank who holds their account, the customer interacts with the service providers who then access the bank systems through an API.
This has a number of implications for fraud detection, authentication, encryption and for security as the actions of a service provider will look very different to the way a customer interacts. Anything relying on customer locations or usage patterns becomes a less meaningful security indicator; and of course, a service provider could be a target of cyber crime themselves which could expose a large number of accounts and a significant amount of money to cyber theft.
Retailers are similar to banks in that they have a large amount of personal data, financial data as well as real goods with real value.
On top of this they now have a high volume of customer data on shopping habits, purchase history, preferences and product peer reviews. This data has value if it can be accessed and sold, so confidentiality is important – but also the integrity of review/feedback systems now matters.
One thing that is becoming evident is that the fulfilment side of retail is changing. Shopping has migrated from people buying things in shops, to people ordering on-line and goods being despatched by post or courier, to much more complex supply networks comprising the operation of vendor marketplaces, in-house logistics (e.g. Amazon) operations and sub-contractor delivery networks (e.g. Deliveroo). In the future the retail sector is increasingly looking like it will utilise drone technology more and more. Many larger retailers are already researching or piloting these schemes and they are not that far away.
This opens retailers and/or delivery companies to new families of attacks, like goods being hijacked and stolen, drones being re-routed or disrupted (possibly as part of a ransom-based attack) or warehouse and inventory systems being used to steal goods.
Much has been written about the cyber security risks faced by utilities and CNI (critical national infrastructure) companies – whether that be power generation and distribution, water and sewage, telecoms, oil and gas or transportation.
These risks chiefly arise from the fact that there used to be an IT network and then a separate set of systems that operated the plant, machinery, pumps, safety valves and control systems – but these are now running on regular computers and IT platforms and hooked up to a standard network and hence exposed to the same range of network-based and IT-based attacks as the rest of the corporate infrastructure. For the most part these are not systems that are very easy to maintain (in terms of say applying patches or changing passwords) and they weren’t really designed to have to defend themselves.
There have already been a number of cases where these critical systems have been attacked or just failed. Standards such as C2M2 in the States and the NIS directive in the EU, as well as the UK guidance from NCSC aim to encourage or enforce better cyber security for these companies that we rely on so heavily, so that the systems they rely on in turn are sufficiently trustworthy and resistant to attack.
As an opportunity for cyber criminals, there are routes of attack such as denial of service, ransom, theft of power (e.g. for bitcoin mining) or the creation of widespread chaos in which to hide other types of criminal activity. And that’s without considering the more insidious aims of a state-sponsored or terrorist attack.
Obviously patient data and other personal data is held, processed and transmitted routinely by, and across, all healthcare providers – patient records, prescriptions, test results, allergies – and the confidentiality, integrity and availability requirements are well known and obvious.
The trend in medicine, as in other industries, is towards greater reliance on digitally connected systems – so test results, patient monitoring, scanner and diagnostic machines and (perhaps more so in the future) robotic treatment machines and automated systems that perform surgery will become more commonplace.
Today this might be limited to a connected IV drip or insulin pump. In a few years’ time it might be a networked system performing or assisting in surgical procedures with a variable degree of human intervention. The technology is here now and will continue to expand its footprint.
With this comes an increased need to secure systems and networks that control these devices in networked environments where there is significant and necessary public access and physical openness. This means there is an inherent and considerable vulnerability and an opportunity for cyber criminals to hold individuals or organisations to ransom (as we have already seen with WannaCry’s impact on the UK’s NHS).
Clearly, the consequences of future attacks on increasingly digital hospitals and treatment systems are potentially life-threatening, rather than just disruptive and embarrassing.
There have already been many reports of shipping control systems coming under attack when ships are in port or near land, or port systems themselves being targets. In some cases this has been to facilitate smuggling and more traditional crimes or to avoid other customers/immigration/safety checks.
When ships are at sea, they are heavily dependent on IT systems and will be to an ever-increasing degree as autonomous shipping and remotely controlled/unmanned boats appear on the horizon J.
The fact that ship-board systems may not often be hooked up to networks where they can be easily managed, coupled with the age of some of the hardware in use, means that these control and navigation systems are inherently likely to contain vulnerabilities.
Cyber criminals might use this to gain access to planned route information (for piracy), cargo information (for theft), navigational system information (to divert the course of a ship). There is also the possibility of attacks focussed on the nature of the cargo that might mean getting shipments through customs that ought to be held up or inspected or have duties imposed.
Again, there is no shortage of stories (and independent research) on how these kinds of cyber crimes could be perpetrated. You can read one here.
The automotive sector is already in the middle of massive disruption. The switch from fossil fuels to electric power and the associated infrastructure and the rise of ride sharing services like Uber are the tip of the iceberg. These changes are already are giving car makers, dealers, buyers and users much to think about.
From a security point of view there have been numerous stories about keyless entry systems being attacked, and the remote interfaces between cars and car owner’s apps being a vector.
The future of self-driving cars will disrupt this sector much more than just allowing people to sit back and put their feet up on a long journey. Why have taxi drivers (cabs or Uber) if you could summon a driverless car; why even own a car if you could hire a driverless one when you need one, having it turn up at your house ready to go and possibly even allowing you to book a regular slot in advance, like your daily drive to work. What does this mean for car dealers, service stations, taxi drivers, van drivers, salesmen, chauffeurs and the like.
However, for cyber criminals it might mean all sorts of lucrative opportunities; stealing vehicles, causing accidents to disrupt/mask other crimes, getting transportation for free, causing damage to property, misrouting cars to kidnap or rob occupants, disrupting physical events, bringing cities to their knees, stealing shipments in vans/lorries…
For car owners there is almost too much going on to keep track of in terms of the future trends and risks. No one seems to be controlling the speed of progress. These risks are very real, even today.
Agriculture is a sector that one might think is less reliant on technology; but in fact given the growing need for more food and greater efficiency, the tightness of margins and the need to deal with the unpredictability of weather, soil, irrigation, plants and animals means that technology is pivotal to the successful production of the food we all need.
The automated harvesting machines seen in the film Interstellar might have appeared futuristic in that dystopian world, but they are actually very close to being normal, especially on larger farms as outlined here.
The farming of animals likewise is being made more efficient with technology to track not only the locations of herds, but also their condition and any looming health problems, as described in this example.
Interconnectedness, remote monitoring and automation makes for a rich attack surface – and while a cyber criminal is unlikely to want to steal a crop of barley by rerouting a tractor and trailer full of grain, it doesn’t mean that those with a malicious or destructive bent wouldn’t find security vulnerabilities in the systems useful to cause damage or raise the prospect of using malware to disrupt harvests or food supplies.
One only has to look at the effort put into disrupting food shipments during World War 2 to see how much of a target a population’s food source can be.
The challenge in sectors like this (and industries like utilities and shipping etc. are similar in many respects) is that while investment in new technology continues apace, putting controls and protections in place to defend systems is often given much less attention. In some cases simply because they are not perceived to be at risk in the same way as an ATM might be.
Cyber criminals want all the systems
This is not an exhaustive list of sectors (far from it) and neither is it an exhaustive list of risks, vulnerabilities or attacks (barely a scratch on the surface). It is merely a taster of some of the innovations and disruptive technologies that are out there and some early indications of the ways they can be the target of cyber criminals.
What these examples do show is that cyber crime can, and will, affect all organisations of all sizes in all sectors. The data and systems have value to cyber criminals even if it is not directly money (from banks) or personal information (from retailers).
Cyber criminals will target anything and everything that allows them to access funds, monetise access to IT resources, steal data, facilitate or conceal other crimes, cause disruption, hold companies or even populations to ransom, access intellectual property or defraud users, customers and companies.
Simply put, all systems, technologies and data are targets; and cyber criminals want to, and will, go after any and all of them. It is no longer true to say that there are “low risk” industries or businesses that are “too small” or obscure to be targets. To reuse our horse/zebra analogy, the cyber criminal doesn’t care whether or not you have stripes if it is the sound of hooves they are after.
Concluding then, every organisation needs to understand the risks they face and have basic “cyber hygiene” controls in place and operating effectively to protect their systems. On top of this they also need to make sure they have specific defences and controls in place to protect against the most relevant and serious risks that they face.