If cyber criminals pilfered data and money from companies in 2015 and American democracy was allegedly hacked in 2016, what's in store for this year? Entrepreneurs and cyber security insiders say 2017 will be the year that a big cyber attack will threaten U.S. national security by jumping from the online world to the physical world to deliver destruction.
Bringing down a public utility or power plant or critical infrastructure that runs our lives will be the target.
Barak Perelman, CEO of Indegy, which helps utilities, energy providers and critical infrastructure companies protect industrial control systems from cyber threats, says every world leader and business should be aware of how severe of a threat an attack on infrastructure poses to the lives of citizens, employees and population centers. Perelman, who served in the cyber command division of the Israeli Defense Force, says he knows first hand just how vulnerable public utilities are to hackers: his job while serving in the IDF was to protect the nation's infrastructure. During his service, he realized that most control systems did not have proper security protocols and after leaving the IDF he started his company.
Most infrastructure control systems were built in the 1980s and 1990s when cyber security was not a concern and therefore lacked any real defenses to intruders, Perelman says. Some control systems are connected to the internet without firewalls or other security protocols, he says, leaving the door open for nation states, terrorists and lone wolf hackers to shut down electrical grids or power plants.
"We are seeing indicators across many industry sectors that these threats are real," says Perelman. "This is reflected by the fact that many industrial organizations that were never concerned about external attacks in the past are now actively working to put defenses in place to protect their operational networks against cyber-physical threats."
Perelman says utilities and energy providers could also suffer collateral damage from malware that was not intended to attack a specific organization. Once malware is released online, it can spread across facilities, companies and industries, he says, because the same technology, made by just a few global equipment manufacturers, is in place at many different types of facilities. This means that if a piece of malware infects one piece of critical infrastructure through the control systems, other facilities with the same type of control system are also vulnerable to that piece of malware.
A cyber attack shutting down a power grid sounds like a far-away nightmare scenario, but it's happened before. According to the Reuters, cyber attacks have left some citizens in Kiev, Ukraine, without power over a weekend in December. The hack allegedly originated in Russia, Reuters reported.
While critical infrastructure doomsday scenarios are possible, entrepreneurs also have to worry about more direct cyber threats to their businesses.
Gary Steele, CEO of cyber security company Proofpoint, says that 2017 will bring "hyper-targeted" attacks -- cyber crooks or corporate competitors that will target individuals for very specific ends. Over the last couple of years, hackers have duped companies out of hundreds of millions of dollars via what the Federal Bureau of Investigation calls "business email compromise" in which a hacker sends an email posing as an employee's boss asking them to pay a vendor with a wire transfer. If the email is convincing enough, the employee will not call or approach the boss until it's too late. But Steele says hackers will start targeting specific people and use social media platforms like Facebook, Twitter and LinkedIn to spread malware via malicious links or other tricks.
Steele says that since nearly every employee has a smartphone, the risks to companies and customers has risen. He says hackers build fake apps that pose as popular apps for the purposes of stealing information or money. He says employees could jeopardize a company by downloading malicious apps and connecting to a company's wifi.
"Every company, no matter it's size, needs to take cyber security seriously," says Steele. "Cyber security has never been more important than it is now. Every business should be asking itself, 'How do we protect our employees and customers?'"