The electric grid, oil and gas refineries and water facilities could top the list of targets by cyberterrorists hell bent on causing destruction or chaos in 2011, according to IBM, which issued a list of cybersecurity predictions for 2011. Cybercriminals can target embedded devices found in a number of critical infrastructure systems to cause harm or societal conflict, said Kristin Lovejoy, vice president of strategy for IBM Security Solutions. IBM is also predicting an increase in mobile threats posed by smartphones and tablet devices, an increase in global compliance mandates making business across borders more complex and a renewed emphasis on security being built into software and systems, rather than being bolted on. In this interview, Lovejoy addresses mobile and virtualization security, and the government's role in securing critical infrastructure.
An IBM prediction for 2011 is that attacks on critical infrastructures, such as electric grids, water systems, etc. will become top targets for cybercriminals looking to make a big impact with little effort. Isn't it a big leap to say that suddenly cybercriminals are not going to be motivated by money and they will be targeting these critical infrastructure facilities to cause harm?
Kristin Lovejoy: Obviously we can only speculate about the motivation, but when it comes to the embedded devices, there are two things we're worried about. We're worried about people using those devices to cause some sort of harm or to cause societal conflict. Alternatively, we're seeing the use of those devices to enable support for some form of financial gain. For example, in early December there was a report made on a car keyless entry. It was hacked by a couple of people in Ohio. This was used in a number of different cases. We're beginning to see some real basic things going on. I don't know if you can characterize a car as an embedded device, but you can certainly characterize the car's keyless entry system as an embedded device.
With the discussion about critical infrastructure facilities we often hear about the government stepping in. Do you think there will be legislative efforts to force some of these private infrastructure facilities to do more when it comes to security?
Lovejoy: We do a lot of work with various national governments and one fact that is weighing heavily on their minds is that over 90% of critical infrastructure is owned and operated by the private sector. Although this is particularly relevant to the U.S., this is a worldwide statistic. A lawmaker who realizes their citizens are dependent on the delivery of critical services via these increasingly digitized devices will ask the question: "What is the government's responsibility or capacity to mandate security in and around those systems?" The pattern I'm seeing arising in the marketplace is very close to our concept of "secure by design." Security must be an intrinsic element of the service that is being delivered and to that extent these critical infrastructure industries need to think about it. They are going to be mandating that this happens less through direct prescriptive legislation and more through the procurement process. If I'm a utilities provider and I want a contract with a local government to provide utility services, in order for me to do so, I need to adhere to a number of security principles before I can respond.
IBM predicts that securing mobile devices will become an increased priority. Are organizations having a difficult time securing mobile devices? Why will this be an issue in 2011?
Lovejoy: I think it's going to become an issue because historically mobile devices have been part of the telecom infrastructure and the telecom infrastructure has not been managed by the IT security function. Where our customers seem to be struggling is not with answering the question "How do I secure these devices?" It's "How do I manage the security of these devices?" It may be a nuance but it's an important nuance because many enterprises today are just now beginning to think about the management of traditional endpoints -- workstations and laptops -- using the management technologies that allow them to both manage security as well as the device lifecycle. Now all of a sudden they're being asked to support a bring-your-own-IT concept. So the struggle is how to take the new platforms that are used to manage traditional devices and extend them to incorporate mobile devices. Finally, how do enterprises support a security model when they don't actually own the end asset? Unlike a workstation or a laptop where I can enforce the security controls because I own the device, now it's a new paradigm because these devices are being brought in by the end user.
We have heard so much about the threats posed to mobile devices, but we haven't seen any major attacks targeting them. Do you think that cybercriminals will begin to target smartphones?
Lovejoy: When I talk to CSOs it's not so much that they're worried about malware, they're worried about the device loss and the recognition that sensitive data is getting to those endpoints. So the question for enterprises is, "When my user loses this thing, which they're going to do, or this thing is stolen, what happens to the data that is my property?" So malware is a concern, but more of a concern is data loss.
IBM is predicting it will see real exploits emerge targeting the hypervisor layer of virtual machines. So far, attacks have been proof-of-concept; what changes can we expect to see in 2011 that make real exploits more likely?
Lovejoy: I think the real issue for cloud is failure to appropriately manage cloud images. Because we started thinking that hypervisor security was most important, I think the market has done a good job of developing out the technologies, like our virtual network service provider capabilities, which are essentially an IDS/IPS at the hypervisor layer. I wonder if the reason why we haven't seen more attacks is because our controls are pretty effective. I think the real risk today is image management. I tend to think of images as being endpoints. We've got the traditional endpoints, the mobile endpoints, the embedded endpoints and we've got customers trying to manage all of those endpoints centrally and now you've also got the images that are involved in that. IBM's perspective is that all of these things are intrinsically interwoven. … When it comes to image management, a lot of the integrity checking and policy management can be driven through these horizontal management platforms like BigFix.