As the coronavirus spreads around the world, organizations of all types have transitioned (or are planning to transition) to remote working. This poses great challenges, both operational and security-related.
The security implications of quickly moving a large number of employees to remote working are especially crucial in ICS-based enterprises (manufacturing and critical infrastructure). These implications can be divided into two aspects: organizational and technological.
Organizational implications of transitioning to remote working
- Remote working is more challenging for production floor workers than for IT workers: OT-based companies' workers usually work on-premises, on the production floor, whereas IT-based companies' employees do their work in front of a screen in an office. It is therefore important to ensure that production floor employees receive the correct training on how to securely connect to and operate production systems. Furthermore, since it is common practice to use dedicated computers for OT maintenance, and since employees' personal computers may already be infected with malware, organizations should consider providing employees with dedicated, company-owned computers for remote access into the OT network.
- Preparing the SOC and NOC: Since the number of external connections into OT networks is typically very low, transitioning to remote working will likely flood the SOC/NOC (Security/Network Operations Center) with log entries and alerts. To prevent this, SOC operational routines and procedures (training, alert thresholds, escalation paths, etc.) should be adjusted in advance to accommodate large-scale remote access by enterprise employees.
- Phishing is likely to increase: It is fair to assume that attackers will take advantage of the situation to hit enterprises with ransomware, Trojans for sensitive data exfiltration and other types of malware, typically using phishing emails to get into the network. Employees should be warned about coronavirus-themed phishing attempts in the form of spoofed emails (impersonating management or IT staff) asking the recipient to take some action, e.g. change their password or install remote access software.
- On-site presence: OT organizations should have plans for allowing on-site presence for essential employees in the event of quarantine.
- Logging and auditing: Despite the tendency to quickly grant remote access to large numbers of employees just to alleviate pressure from management, access should be granted cautiously and each step taken should be logged and audited.
Technological implications of transitioning to remote working
- It's time to review network access policies: The organization's current remote access policies may not be suitable for en masse remote access. There need to be defined policies for users, permissions, working hours, allowed source IP addresses, etc. In addition, the organizational identity management infrastructure should be revisited, including the RADIUS/Active Directory configuration and the removal of ghost users and unneeded privileges.
- VPNs with MFA: Virtual private networks (VPNs) create a private, encrypted tunnel for off-site users to connect to the organizational network. However, organizations that give users only a username and password to log into their VPN could be exposed to a breach if those credentials are stolen. What is needed is an extra layer of authentication to confirm the identity of the VPN user. This is achieved with a multi-factor authentication (MFA) solution that prompts the user for an additional factor, such as a one-time passcode (OTP) sent by email or SMS. Codes sent by email or SMS are better than nothing but can be intercepted or phished; an authenticator app or hardware token is the stronger choice where the VPN supports it.
- IT-OT segmentation: As IT workers will likely adapt to remote access more easily and sooner than OT workers, a flat network (no segmentation between the IT and OT zones) faces an increasing risk of cross-contamination from the IT network into the OT network. It is important to ensure proper segmentation between the two networks.
- Beef up monitoring: As part of exercising proper cyber risk management during this crisis, enterprises should increase their OT network visibility and network behaviour monitoring to compensate for losing other forms of control over the network, such as on-site employees who would otherwise have noticed abnormal manufacturing behaviour through HMIs and SCADA stations.
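The access-policy and SOC-threshold points above (defined users, allowed source addresses, working hours, and alert thresholds that do not flood the SOC) can be turned into a small automated check. The following is an added example, not code from the original post or from Radiflow; the log line format, the policy values and the sample log lines are all constructed assumptions for illustration. It runs a remote-access policy over VPN-style accept/reject log lines and aggregates repeated failed logins per user into a single alert instead of one per line.

```python
"""Remote-access policy check over VPN-style log lines (added example).

Flags accepted logins that violate a simple policy (unknown user, source
outside the allowed networks, login outside working hours) and aggregates
repeated rejects per user so the SOC gets one alert, not one per line.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines, not from any real product. Assumed format:
# "<ISO-8601 timestamp> user=<name> src=<ip> result=<accept|reject>"
SAMPLE_LOG = """\
2020-03-23T08:05:11 user=alice src=203.0.113.10 result=accept
2020-03-23T02:14:03 user=alice src=203.0.113.10 result=accept
2020-03-23T09:30:45 user=bob src=198.51.100.7 result=accept
2020-03-23T10:02:00 user=mallory src=203.0.113.55 result=accept
2020-03-23T10:05:00 user=carol src=203.0.113.21 result=reject
2020-03-23T10:05:30 user=carol src=203.0.113.21 result=reject
2020-03-23T10:06:10 user=carol src=203.0.113.21 result=reject
2020-03-23T10:07:00 user=carol src=203.0.113.21 result=accept
"""


@dataclass(frozen=True)
class Policy:
    allowed_users: frozenset   # accounts authorised for remote access
    allowed_networks: tuple    # ip_network objects the VPN may accept from
    work_hours: tuple          # (first_hour, last_hour), inclusive, 24h clock
    reject_threshold: int      # rejects per user/src before one alert fires


# Hypothetical policy values chosen for the example.
EXAMPLE_POLICY = Policy(
    allowed_users=frozenset({"alice", "bob", "carol"}),
    allowed_networks=(ip_network("203.0.113.0/24"),),
    work_hours=(7, 19),
    reject_threshold=3,
)


def parse_line(line: str) -> dict:
    """Split one log line into fields; raise ValueError on malformed input."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"unexpected field count: {line!r}")
    fields = {"time": datetime.fromisoformat(parts[0])}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        if not value:
            raise ValueError(f"malformed token {token!r}")
        fields[key] = value
    fields["src"] = ip_address(fields["src"])
    return fields


def check_event(policy: Policy, event: dict) -> list:
    """Return policy violations for one accepted login (empty list if clean)."""
    findings = []
    if event["user"] not in policy.allowed_users:
        findings.append("user not authorised for remote access")
    if not any(event["src"] in net for net in policy.allowed_networks):
        findings.append("source address outside allowed networks")
    first, last = policy.work_hours
    if not first <= event["time"].hour <= last:
        findings.append("login outside working hours")
    return findings


def analyze(policy: Policy, log_text: str) -> list:
    """Run the policy over a log; return (user, src, description) alerts."""
    alerts = []
    rejects = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        key = (event["user"], str(event["src"]))
        if event["result"] == "reject":
            rejects[key] += 1
            # Aggregate: alert once when the threshold is reached, not per line.
            if rejects[key] == policy.reject_threshold:
                alerts.append((*key, f"{policy.reject_threshold} failed logins"))
            continue
        for finding in check_event(policy, event):
            alerts.append((*key, finding))
    return alerts


if __name__ == "__main__":
    for user, src, why in analyze(EXAMPLE_POLICY, SAMPLE_LOG):
        print(f"ALERT user={user} src={src}: {why}")
```

On the sample data this yields four alerts: alice logging in at 02:14, bob connecting from a source outside the allowed network, mallory (not on the allowed-user list) being accepted at all, and carol's three consecutive rejects reported once. The reject threshold is the knob the SOC point above refers to: with a per-line rule the same log would have produced three alerts for carol alone, and at the scale of a whole workforce moving remote that is what buries analysts.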
All of us at Radiflow wish you good health in these trying circumstances.