As a science fiction fan, I’ve always been fascinated with the concept of humans being able to safely get work done in dangerous or hard-to-reach areas. For instance, the film “Titanic” features a submersible that can retrieve or move objects in the remains of the sunken ship using hand controls to simulate the actual work (a character engages in the motions required to flip over a door to reveal a safe). This is something no deep-sea diver could ever hope to accomplish due to the extreme pressure below.
SEE: Identity theft protection policy (TechRepublic Premium)
Similarly, during the 1986 Chernobyl disaster when a nuclear reactor core overheated, teams of Russian technicians had rotating shifts in which they had seconds to dash into the danger zone to try to contain the radiation before having to retreat to safety.
Remote work is slowly but surely expanding into areas that once exclusively required hands-on access, in many situations for security-related reasons. I spoke about it with an expert on the topic; Mark Carrigan, COO at PAS Global, an asset/operations management provider.
Scott Matteson: What are the challenges in expanding remote work in traditionally “on-site” sectors like oil and gas, chemicals, power generation, and mining?
Mark Carrigan: Let’s talk first about why industrial organizations want to expand remote work. Pre-COVID, remote work was not new to the industrial sector, but it was moving at a slow and inconsistent pace with some organizations further ahead than others. These leading organizations were focused on remote work for three primary reasons. First, because they sought to centralize and communicate best practices across industrial sites via a Center of Excellence (COE) model as part of efforts to drive operational excellence.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
Second, because it is both hard and risky to put people at many remote industrial sites (e.g., rigs offshore in dangerous waters, mines or forests in the mountains or remote hinterland). This has also become more challenging with an aging industrial operations workforce (the younger generation is less willing to work in remote locations).
Third, because these organizations were focused on ensuring business resiliency and recognized that remote work gave them an advantage to deal with natural disasters like hurricanes and wildfires (but, honestly, none of our customers were thinking about remote work in the context of a pandemic—at least that we are aware of).
Now that we’ve talked about the positive side, the major challenges and obstacles to remote work have traditionally been of two types. First, a general belief that it just “can’t be done.” Call it organizational inertia to keep doing things the same way if you want, but it was also based on a belief that you needed more people on site to effectively operate the plant but also, somewhat paradoxically, to ensure operational safety. Second, because operational technology (OT) security practices had not developed far enough to enable secure remote access with effective policies to determine which systems should and shouldn’t be accessed remotely.
Scott Matteson: How are these challenges surmounted?
Mark Carrigan: As mentioned above, maturing security practices for OT environments is key to enabling safe and secure remote work for industrial operations. This includes not just traditional IT security practices such as least-privileged access, effective password management, network breach detection, and security event monitoring, but also specific OT security practices such as asset inventory management and vulnerability management.
SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)
Here’s an example. Consider an automation engineer who needs access to control system configuration data remotely to analyze and optimize an industrial process. Giving remote access directly to the engineering workstation for the control system increases cybersecurity risk for an industrial company. In many cases, these control systems are 20 or even 30 years old, so they weren’t built with cybersecurity in mind. Because of their critical nature in driving revenue for the business, they are shut down and upgraded very infrequently as compared to IT systems.
It is not uncommon to have these control systems run for five to 10 years between shutdown and maintenance routines. Therefore, they often contain known cybersecurity vulnerabilities that are unpatched even if those patches have been available for years. So, back to our example of the automation engineer, it would be very risky to enable direct access to the control system engineering workstation over the public internet even if the engineer connects to a corporate VPN first from their home office.
As a result, we recommend industrial customers maintain separate copies of their industrial control system configurations in an asset management system that the engineer can access remotely. There will still be cases where you may want to grant remote access to an engineer to deal with an emergency situation and then revoke the access once the work is done, but if you can limit this access and enable staff to complete their routine work while reducing direct access to the control system, you can minimize the risk of cybersecurity events that could cause safety and environmental incidents.
Scott Matteson: What type of technological infrastructures are critical to do so?
Mark Carrigan: Remote access can take on two flavors. We’ve previously discussed the case of remote access from home, but there is also remote access to site systems from another company office or facility. This is the common scenario for the COE model.
In the work-from-home scenario, remote access best practices like least-privileged access, VPNs and jump boxes, are critical along with identifying potential lateral attack vectors (i.e., if System A is breached what else does it connect to that could put the company at risk and how can that be mitigated?). The risks are reduced in remote access from another company office or facility because it means industrial systems do not need to be directly or even indirectly connected to the public internet. However, staff accounts can still be compromised and then used to traverse the company network to gain access to process control networks at industrial sites.
SEE: 6 enterprise security software options to keep your organization safe (TechRepublic)
There are documented cases where high-permission corporate credentials, such as Windows domain administrator accounts, have been spearphished and then used to gain access to the industrial environment (i.e., traversing from IT to OT networks). Use of a data diode is often employed to ensure traffic between IT and OT networks is one-way (i.e., you can read data from the OT network systems and not write to them). This reduces the risk of disrupting operations, but still exposes systems to IP theft risk.
Scott Matteson: What sort of repercussions are companies that weren’t prepared for this facing?
Mark Carrigan: Companies that hadn’t been working on their OT security practices for remote work pre-COVID very likely increased their risk in the spring of 2020 as they enabled remote access to keep the business up and running. We refer to this as COVID Phase 1. In the summer and fall we moved into Phase 2, where organizations revisited the list of industrial systems and software where remote access was provided and put in place greater restrictions on access and limited permissions where possible. However, we do believe that many organizations remain at an elevated risk as compared with the pre-COVID era.
Scott Matteson: Where are we seeing this heading?
Mark Carrigan: Many organizations still need to implement the fundamentals of OT cybersecurity—build a detailed and accurate OT asset inventory and network topology, categorize systems and applications by risk, discover and assess known vulnerabilities, configure least-privileged access, whitelist applications, restrict TCP/IP port access to the minimum necessary, and deploy network breach detection. Our assessment is that we are moving out of the early adopter phase for such security practices in OT and are now entering the early mainstream, but we are nowhere near at a high level of maturity across the industrial sector.
Scott Matteson: Any specific tips for businesses to weather 2021?
Mark Carrigan: First, get your security foundation in place as per the items listed above. Second, take a page from long-established IT best practices and assume you will be breached—now is the time to develop an effective OT incident response strategy so you aren’t responding in real time without a plan.
Scott Matteson: Any advice for IT administrators or end users?
Mark Carrigan: Yes, understand that OT systems are different from IT systems. Not only does downtime greatly impact revenue, but the risk to human life (safety) and the environment is particularly concerning, especially in hazardous industries like refining, chemicals, and power generation. Given the nature of industrial control systems, there is no such thing as “Patch Tuesday” where you can patch and reboot machines weekly. You’ve got to think ahead to upcoming shutdown and maintenance windows and prioritize remediating the vulnerabilities knowing that patching may not be the best short-term solution to reducing risk.