It’s a rule of thumb in cybersecurity that the more sensitive your system, the less you want it to touch the internet. But as the US hunkers down to limit the spread of Covid-19, those same cybersecurity measures make remote work a difficult technical challenge for employees at critical infrastructure operators, intelligence agencies, and anywhere else with high-security networks. In some cases, working from home isn’t an option at all.
Companies with especially sensitive data or operations often limit remote connections, segment networks to limit a hacker’s access if they do get in, and sometimes even disconnect their most important machines from the internet altogether. Late last week, the US government’s Cybersecurity and Infrastructure Security Agency issued an advisory to critical infrastructure companies to prepare for remote work scenarios as Covid-19 spreads. That means checking that their virtual private networks are patched, implementing multifactor authentication, and testing out remote access scenarios.
But cybersecurity consultants who actually work with those high-stakes clients—including electric utilities, oil and gas firms, and manufacturing companies—say that it’s not always so simple. For many of their most critical customers, and even more so for intelligence agencies, remote work and security don’t mix.
“Organizations are realizing that work-from-home would be very difficult to execute,” says Joe Slowik, who previously led the computer emergency response team at the Department of Energy before joining the critical-infrastructure-focused security firm Dragos. “This should be a fairly good wake-up call. You need to figure out a way that if individuals cannot physically access the control system environment for a service that cannot stop, like electricity, water, and wastewater or similar services, you ensure continuous operation—even in the face of an environment where you might be risking your employees’ lives if they continue to commute into the office.”
For many industrial networks, the highest standard of security is an “air gap,” a physical disconnect between the inner sanctum of software connected to physical equipment and the less sensitive, internet-connected IT systems. But very few private-sector firms, with the exception of highly regulated nuclear power utilities, have implemented actual air gaps. Many companies have instead attempted to restrict the connections between their IT networks and their so-called OT or operational technology networks—the industrial control systems where the compromise of digital computers could have dangerous effects, such as giving hackers access to an electric utility’s circuit breakers or a manufacturing floor’s robots.
Those restricted connections create choke points for hackers, but also for remote workers. Rendition InfoSec founder and security consultant Jake Williams describes one manufacturing client that carefully separated its IT and OT systems. Only “jump boxes,” servers that bridge the divide between sensitive manufacturing control systems and nonsensitive IT systems, connected them. Those jump boxes run very limited software to prevent them from serving as inroads for hackers. But they also only support one connection at a time, which means the company’s IT administrators have found themselves vying for access.
“Administrators are bumping each other off as they try to work and log in,” says Williams. “These jump boxes that were built to facilitate secure remote access in emergency situations weren’t built to support this situation where everyone is performing routine maintenance and operations remotely.”
For the most critical of critical infrastructure, however, like power plants and oil refineries, remote work isn’t just leading to technical snafus. It’s often impossible for many staffers, says Chris Sistrunk, a security consultant for FireEye who formerly worked as an electrical engineer for power utility Entergy. “There’s no way to fully remotely run some of those plants,” Sistrunk says. “You don’t work from home. Essential engineers and operators will always be there 24/7.”
In those scenarios, Dragos’ Slowik says, companies have to instead try to limit the biological exposure of their most critical operations teams to prevent them from being quarantined—which is often easier said than done, given that they’re free to mingle with potentially infected people during their off-hours. “It’s a real touchy subject,” says Slowik. “You need them available at the office, and you can only restrict them to a certain extent—because we’re not China—so how does that balance out?”