Countering the COVID-19 threat to critical infrastructure


By Ghian Oberholzer, Regional Vice President of Technical Operations, Claroty

The impact of COVID-19 on the workforce presents a real threat to the operation of critical infrastructure and the services it provides; services on which society depends.

In response to the pandemic, many operators of critical infrastructure have moved to minimise direct contacts between workers, primarily by having as many as possible work remotely.

Critical infrastructure depends on operational technology (OT) networks. The move to remote working depends on these networks but, inevitably, makes them more vulnerable to attack by greatly increasing the attack surface. Moreover, the task of setting up and managing remote working facilities leaves the cyber security professionals responsible for OT networks with less time to devote to their primary role.

(ISC)², the international organisation for cyber security professionals responsible for the Certified Information Systems Security Professional (CISSP) certification, surveyed members around the world on the impacts of COVID-19.

Remote working weakens cyber security

As reported by (ISC)², almost half of its members surveyed were being partially diverted to other duties, such as equipping a mobile workforce, while struggling to ensure secure remote working as a result of the pandemic.

The challenges cited by respondents included the lack of hardware to support a larger number of remote workers, difficulties quickly deploying technology for remote working with adequate security to protect systems, and users failing to understand and abide by security policies when outside the office.

To make matters worse, 23 per cent said cybersecurity incidents had increased since transitioning to remote work – with some tracking as many as double the number of incidents.

Cyber security professionals working to secure critical infrastructure would likely be facing similar challenges, and even before COVID-19 hit, many did not believe critical infrastructure to be well-secured from a cyber-attack.

Critical infrastructure security in doubt

In Q4 of 2019, Claroty commissioned a survey of 1000 IT security professionals from across the US, UK, Germany, France, and Australia. The survey reported that only 60 per cent believed their country’s critical infrastructure to be properly secured against cyber-attacks.

More than 60 per cent of respondents also said there was an urgent need for protection against attacks on critical infrastructure: they expected a major attack to occur within the next five years. However, 90 per cent of respondents thought it was government’s responsibility to ensure critical infrastructure is properly protected from a cyber-attack.

All this was before the COVID-19 pandemic hit. Since then, some governments have taken the risk to the critical infrastructure workforce from COVID-19 seriously. In March the US Cybersecurity and Infrastructure Security Agency (CISA) released guidance to help government and private operators of critical infrastructure manage their essential workforce during the COVID-19 crisis.

The Australian Government’s plans to safeguard critical infrastructure are also set out in its Critical Infrastructure Resilience Strategy, which “aims to ensure the continued operation of critical infrastructure in the face of all hazards.” It contains no reference to a threat arising from a pandemic.

Industrial networks also critical

Industrial networks dependent on operational technology are certainly critical to the industries they support.

Every company in the world relies on industrial networks. For nearly half of the Fortune 2000 — in industries including oil and gas, energy, utilities, manufacturing, pharmaceuticals, and food and beverage — these industrial networks are critical components to their business. The rest rely on industrial networks for basic needs like transportation, HVAC systems, lights, elevators, and data centre infrastructure.

It is the responsibility of cyber security professionals to anticipate and ameliorate the potential impacts of COVID-19 on top of all the other threats those networks face.

OT security needs more focus

Unfortunately, Claroty’s survey found OT security playing second fiddle to IT security in the view of many respondents. Seventy-six per cent would prefer to work in IT cybersecurity and only 24 per cent gave OT cybersecurity as their first preference.

With COVID-19 putting greater demands on cybersecurity professionals, it is imperative that CISOs and IT security teams catch up on the importance of OT security and recognise that it is their responsibility.

With increasing OT/IT integration, IT security teams can no longer turn a blind eye to OT security. Comprehensive security requires close co-ordination between OT and IT security teams. A focus on this will be particularly important with COVID-19 forcing many organisations to implement remote working as much as possible, inhibiting the interactions that normally occur in the workplace.

Ghian Oberholzer is Regional Vice President, Technical Operations at Claroty, an industrial cybersecurity company. He previously served as Global Principal Cyber Security OT at BHP and is based in Perth, Australia.