Whitepaper Cybersecurity Trends 2015

Whitepaper Cybersecurity Trends 2015 - TÜV Rheinland · Many thanks for your interest in our “Cybersecurity Trends 2015” white paper. The risk of cyberattacks is growing. The


® TÜV, TUEV and TUV are registered trademarks. Utilisation and application requires prior approval.

Content

1. Compliance: Pressure on Businesses is Mounting
2. APTs: More Businesses Calling on Outside Specialists
3. The International Patient: Medical Device Cybersecurity
4. The Internet of Things (IoT): A New Dimension in Security Risks
5. Industry 4.0: Security Enforcement is not optional
6. Connected Cars: To whom does the data belong?
7. The Cloud: Expansion of Public and Private

Dear Readers,

Many thanks for your interest in our “Cybersecurity Trends 2015” white paper.

The risk of cyberattacks is growing. The private and public sector will have to invest more in IT security in 2015. In addition, cyber attackers are increasingly focusing on suppliers and medical equipment. These are only two aspects of the developments that we expect to be dealing with in the cyber security industry in 2015.

The whitepaper is the result of a review of current market trends from the perspective of leading security analysts and consultants at TÜV Rheinland in Germany and at international locations, including the world’s biggest market for IT security, the United States. We’re looking forward to an open discussion with you.

Kind regards,

Björn Haan, CEO, TÜV Rheinland i-sec GmbH


Trend 1 Compliance: Pressure on Businesses is Mounting.

IT security budgets will increase.

So will the costs of data breaches, fines and lawsuits for violations of data protection. This is because there are more and more regulatory requirements being placed on companies at the national and European levels.

These requirements include Germany’s IT Security Act and the EU’s data protection reform, which contains reporting requirements for companies, stronger authority for national data protection agencies, and possible fines of up to five percent of a company’s annual global revenue for any company that commits a violation.

Companies will be investing more and more in GRC systems.

Against the backdrop of compliance and the increasing risk of becoming a victim of cyberattacks (see also APT), companies that want to be ready for the future will have to invest in information security governance systems that are effective and geared towards cyber risk, and adapt their processes and tools accordingly.

More and more often, emergency management systems will be converted into business continuity management systems.

Mobile versus Privacy

Mobile platforms such as phones and tablets will raise security and privacy issues more often in the future, partially because of how they are designed.

People accustomed to managing their lives, and even their families, on the go using mobile devices are placing ever greater value on the protection of their personal information.

Organizations that do not take that problem into account will be penalized. In particular, consumers will use social media to make leaks public and to vent their frustration.

“Investments in information security will increase – above all because the threat situation has escalated further and the regulatory requirements regarding corporate security requirements are rising at a national and European level.”

Michael Spreng, Director Consulting, TÜV Rheinland i-sec GmbH

Trend 2 APTs: More Businesses Calling on Outside Specialists

Organizations – attacked, unsuspecting, and overwhelmed.

Companies cannot successfully fend off targeted, sophisticated attacks using conventional tools and methods. Many organizations are compromised without even knowing it. That is why companies are increasingly resorting to innovative analytical tools and calling on outside specialists who have the skills to use cutting-edge technologies and up-to-date expertise to recognize APTs and mitigate their impact as quickly as possible. This includes detecting possible threats, recognizing and categorizing security incidents, prioritizing measures, adaptively defeating attacks, and reaching the decisions that are right for the company, for instance to redesign its emergency procedures. TÜV Rheinland expects that its security incident response team (SIRT) will be in higher demand in 2015 than ever before, not only for small to medium-sized enterprises (SMEs) but also for major corporations.

The industries at greatest risk.

The risk of becoming a victim of targeted, sophisticated attacks (APT = Advanced Persistent Threats) will continue to grow. In the wake of current geopolitical conflicts and insecurities, hackers are engaging in new and innovative activities. Preferred targets include the retail, banking, financial markets and the energy sector; however, no industry will be excluded as targets for attacks. Hacking has become a powerful branch of the economy, with well-organized distribution to systematically promote attacks and security gaps.

“Traditional IT security systems can no longer reliably stop attacks. Organizations have to take technical, operational and organizational measures to prepare themselves for incident response cases.”

Frank Melber, Head of Business Development, TÜV Rheinland i-sec GmbH


Suppliers increasingly targeted by attackers.

Due to their increasing internationalization and structural networking, manufacturers, testing-service providers, and regulatory agencies will be asking more often about the vulnerability of third parties and their risk management. Attackers will be looking for the weakest link in the chain, chiefly among the smallest suppliers and medium-sized enterprises, but all are at risk. We can expect to see new zero-day vulnerabilities being exploited and further serious flaws discovered in Internet infrastructures, leading to a slew of emergency patch cycles.

Trend 3 The International Patient: Medical Device Cybersecurity.

A lot of room for improvement when it comes to effective security plans:

Once again, the main risks in 2015 include attacks on medical devices that cause them to work only intermittently, or prevent them from working altogether. Limited regional markets, the US for instance, remain for the theft and sale of patients’ sensitive information. The drivers for attackers targeting patient information are insurance fraud and gaining access to medical care or prescription drugs through stolen identities. In future, the healthcare industry will become more similar to the industrial manufacturing industry and will need to place as much emphasis on protecting patients’ sensitive information and on the areas of safety and security, and their harmonization. That is partly because the industry – both nationally and internationally – has a lot of catching up to do when it comes to deploying information management systems and investing in effective security plans.

Tighter regulation of medical equipment security – US as pioneer.

In view of the threat level, it is probable that the regional supervisory authorities will tighten regulatory requirements as well. At present, there are extremely loud calls in the US to make medical equipment more secure. In late 2014, the US Food and Drug Administration (FDA) published guidance on medical device security, which will give added momentum to the area of security analysis as well as application security. It refers to planned and verified security of applications and security management from the beginning of a project, to the development phase, to acceptance and certification.

“We can assume that IT security for medical equipment will also become a market admission feature in the EU sooner or later.”

Dr. Daniel Hamburg, Head of Security Engineering, TÜV Rheinland i-sec GmbH


Cybersecurity becomes a condition for market admission.

The FDA’s new guidance recommends that manufacturers address cybersecurity during the development of devices and, as part of their risk management, identify possible threats and vulnerabilities and assess the likelihood of those vulnerabilities being exploited. Furthermore, manufacturers are obligated to define suitable mitigation strategies.

Providers for information security like TÜV Rheinland and its US subsidiary, OpenSky, are helping more and more companies to perform security assessments during the medical device software development phase, especially with IT security analysis and penetration tests. Again, in view of the high risk of cyberattacks and the growing links between medical facilities, mobile communication devices, and therapy devices that have a direct effect on people, it is becoming increasingly important to take IT security into account throughout the life cycles of products, systems, and software. In addition, suitable security architectures need to be established. The breakneck speed of growth of the Internet of Things (IoT) only heightens existing pressure to improve mitigation strategies. At present, it is virtually impossible to gauge with any accuracy the extent to which the IoT will impact information security in medical facilities of the future.


Trend 4 The Internet of Things (IoT): A New Dimension in Security Risks.

“The standards for the security of information, data and privacy are still wantonly lagging behind the technological development of the IoT and the threat due to cyberattacks.”

Branislav Pavlovic, Director Solutions, TÜV Rheinland i-sec GmbH

Rapid expansion.

The IoT is painting a clear picture of things to come. Market researchers like Gartner believe that in 2015, we will already be surrounded by 4.9 billion interconnected devices. By 2025, that number is expected to reach as many as 30 billion. The IoT is being driven by trends that include the optimization of existing business models, such as marketing, via geolocation services, smart homes, connected cars, and Germany’s Industry 4.0 project.

Progress is always a matter of security as well.

The debate about the security of information, data, and privacy has only just begun in many areas related to the IoT. Whether they are services designed for convenience in automobiles, intelligent surveillance systems, smart thermostats and light fixtures at home, or connected production plants, things that used to be protected by walls are now exposed to completely new threats, such as cyberattacks, because of increasing networks of sensors, cloud services, and mobile devices. Recent examples involve attacks using live feeds on the Internet, including Web security cameras, microphones, and motion detectors in apartment buildings and the interruption of the power supply to multiple homes through unauthorized, external access to smart grids.


Safety & security by design.

Germany’s Federal Ministry of Economics and Technology is working to turn the country into a key market for smart homes. Their attempts will be successful if they manage to impose tough security standards and testing methods for networks, mobile devices, and software to counter current threat scenarios. After all, the impact of uncorrected weaknesses will be seen on an entirely different scale. The place to start is not with networks or authorization management, but primarily by introducing safety and security by design.

It cannot be done without political pressure.

In the area of medical devices, the FDA is setting the example. Without regulatory pressure on makers of IoT devices, network operators, WiFi services, and cloud service providers, there will probably be no real progress in the area of cybersecurity on the IoT. As soon as the first significant security breaches occur, the hype will die down, and effective market potential will be wiped out. It will take massive effort and expense to rebuild the confidence of consumers and decision makers. Given the general threat level and the continued lack of regulations, security incidents are highly likely.


Trend 5 Industry 4.0: Security Enforcement is not optional.

A revolution is on our doorstep – key security questions still unanswered.

IT solutions for remote maintenance of facilities and equipment, smart production plants and autonomous processes, even closer linking of administrative and production-related systems, high-tech automated solutions – the need for people inside production facilities is going to dwindle more and more. Machines and workpieces will soon be making many decisions themselves by exchanging data. With respect to the level of automation, Germany is already number one in Europe and number three in the world. Developments in innovation readiness for Industry 4.0 are being clearly driven by Germany’s automobile industry.

Yet, when production facilities organize themselves, when cars equipped with RFID chips roll down the assembly line themselves, communicating information about their current status and the next step in production to machines and transporters, that gives rise to new vulnerabilities. The associated security issues are unresolved, and Germany’s SMEs and manufacturing industry still have little confidence in the security of innovative solutions. The German government’s establishment of a “Future of Industry” alliance is a step in the right direction, but it is still just one step.

“The future of Germany as a business location depends on whether we can keep up with the industrial revolution 4.0. But that will work if we can further boost confidence in the cybersecurity of basic technologies such as the Internet of things and the cloud, on the basis of ‘Made in Germany’ information security.”

Björn Haan, CEO, TÜV Rheinland i-sec GmbH

Information Security ‘Made in Germany’ to boost confidence.

Germany will be able to keep pace with the global economy during the fourth Industrial Revolution only if it manages to further strengthen confidence in the cybersecurity of fundamental technologies like the IoT and cloud computing, namely by selling its information security as “Made in Germany.” The creation and enforcement of reliable regulatory standards at the national and European levels, plus bold strategic initiatives on the part of private industry, are more important than ever. Yes, once more the rule is that there is no need to reinvent cybersecurity. Ideas and solutions already exist; they just need to be applied.


Trend 6 Connected Cars: To whom does the data belong?

Connectivity more crucial than horsepower.

Real-time maintenance information, location-based recommendations, up-to-the-minute traffic advisories, and music streaming – in 2015 connected car features will become the main selling points for buyers. According to a recent study by McKinsey, a vehicle’s connectivity is becoming more important than its performance. That is only the beginning. By the year 2020, the global market for connected car components and services will grow more than fivefold, from 30 billion euros today to 170 billion euros then.

Four-wheeled data collectors.

Cars will serve as intelligent control centers for monitoring traffic conditions, weather, hazards, and infotainment. All the data collected can be analyzed and shared with other vehicles. Big Data is also being driven by car-to-X communication. Over the next five years, worldwide revenue is expected to quadruple to roughly 113 billion euros. Cars will be turned into data harvesters. Yet, some key questions concerning data protection remain unanswered. For instance, to whom does the data belong? The owner of the vehicle, the government, or the manufacturer who collects the data? There is talk of a voluntary commitment by manufacturers, but considering the overarching importance of privacy and data protection on the one hand and the safety of people and road traffic on the other, action is required on the part of legislators. They need to prevent vehicle movement profiles or the owner’s information from being stored or processed. In addition, industry’s entire value chain needs to work hard to come up with solutions that make it impossible to stage dangerous attacks on vehicle IT from the outside.

“The entire industrial value chain must work hard to find solutions that prevent dangerous outside intrusion into vehicle IT from even being a possibility.”

Alexander Behnke, Principal Consultant, TÜV Rheinland i-sec GmbH

All partners need to pitch in.

No integrated solutions to the issue of end-to-end security for connected cars can be expected in 2015. Intelligent vehicles are vulnerable, whether through attacks on the in-car WiFi or interference with engine control via Bluetooth or malware downloaded through communication interfaces. The challenge of constantly keeping security up to date throughout the vehicle’s lifetime is certainly not trivial and requires intelligent solutions that will take the combined, interdisciplinary efforts of all parties along the value chain: automobile manufacturers and suppliers, as well as experts on the IoT and cybersecurity.


Trend 7 The Cloud: Expansion of Public and Private.

Progress requires security.

Today, users want round-the-clock access to their data. The Cloud is not only a key pillar of ubiquitous computing, but also of the IoT, new forms of collaboration, Industry 4.0, technological advancements in medicine, Big Data, and for processing huge amounts of data. In a nutshell: The trend toward cloud computing is irreversible. Simply because of its purported indispensability, discussion about its security will continue. Cloud service providers will increasingly have to face the question of how resilient their own cloud-based security architectures actually are against cyberattacks.

Businesses focusing on private clouds.

The cloud promises innovation and progress, but the two are only possible with the trust of cloud users. However, trust can only grow when solutions are secure. In 2015, the debate over cloud security will mature. Users will learn to tell more precisely what services the public cloud can be used for and what guidance the market offers on the security of cloud-based services (certificates). Besides the ever-growing market for public cloud computing, private clouds are also on the rise, since companies are realizing that they need to migrate in business-critical areas in order to protect their digital valuables.

“The trend toward the data cloud is irreversible. Dialog within companies is very much shaped by different generations and functions. To ensure appropriate implementation, it is essential that the security debate be conducted in a less polarizing and more fact-based manner.”

Hendrik Reese, Principal Consultant, TÜV Rheinland i-sec GmbH

Revolution in business models thanks to social login.

The more and more frequent combination of consumer cloud solutions with mobile access and social authentication (social login via social networking sites) leads to further challenges. If consumer cloud services are used more often at work, then it will also raise security issues concerning the intellectual property of the companies concerned. That’s because digital natives in particular draw hardly any connection between matters of security and freely available Internet services. At the same time, there are already indications that this trend is causing a change in thinking among companies with more traditional market access. In the competition for new markets and customers, introducing proprietary value-added services connected with social media activities may be a path to the future. It will be essential for those companies to actually leverage the leap of faith in their security that they enjoy compared to social platforms and can document, for example, through certification.


© 2015 TÜV Rheinland. All rights reserved.

In-depth information security for companies and organisations

As the leading, independent service provider for information security in Germany, TÜV Rheinland provides companies and organisations with holistic information security - from strategic consultation, conceptual planning and process optimisation through to the implementation, operation and certification of systems. State-of-the-art technological expertise, comprehensive industry know-how and partnerships with market leaders all make possible the development of standardised and customised security solutions. At the heart of the business are strategic information security, quality and security for applications and portals, mobile and network security and IT security in industrial plants and critical infrastructure.


For more information visit www.tuv.com/informationsecurity

Credits: © Scriblr - Fotolia.com; © T. Michel - Fotolia.com; © Scriblr - Fotolia.com; © T. Michel - Fotolia.com, © miceking - Fotolia.com; © markus_marb - Fotolia.com; © pigmentum - Fotolia.com; © Julien Eichinger - Fotolia.com, © Anterovium - Fotolia.com; © mikkolem - Fotolia.com; © Gina Sanders - Fotolia.com; © Sergey Nivens - Fotolia.com, © WBP - Fotolia.com, © TÜV Rheinland