
COVID-19 Puts ICS Security Initiatives 'On Pause'

Security pros are concerned that increased remote access to vulnerable operational technology and stalled efforts to harden OT environments put critical infrastructure at greater risk.

Much has been said about attacks on enterprise IT as more remote desktops go online in the era of COVID-19. But security pros are growing increasingly alarmed by a lack of attention to industrial cybersecurity, and the operational technology (OT) used by everything from manufacturers making personal protective equipment to energy companies powering remote work.

The challenges to securing ICS in general are manifold: from a lack of visibility into OT, to legacy devices, to the mentality of the industry at large.

Still building a cybersecurity culture

"One of the tenets on the IT side of cybersecurity is that it's not a matter of if, but when" you’ll face a cyberattack, said Mark Carrigan, COO at PAS Global. "I don't think that mindset has totally sunk in on the industrial side. There's still a perception of, 'we can keep bad guys out.'"

"We have this mentality in the IT space that we keep things up to date, whether hardware or patching software. We have a plan to keep our cyber assets safe," said Marty Edwards, VP of OT Security at Tenable. "In the OT world, and in ICS, these systems are quite often just forgotten about for decades, in a steel locked electrical cabinet gathering dust. It’s not uncommon to find Windows XP and older legacy operating systems still in use just sitting there the way they were 15 years ago."

Indeed, adds Galina Antova, co-founder of industrial cybersecurity company Claroty, "Most systems are basically a black box to security teams in that organization."

Both Antova and Carrigan acknowledge that the industry has begun to demonstrate awareness over the last few years of the importance of OT security, and the need to view their systems holistically – not OT security as one thing, IT as another, and digital transformation another.

Cybersecurity 'on pause'

But Carrigan also notes that once COVID-19 hit, many companies put OT security plans on the backburner to attend to the immediate concern of keeping their processes running and employees safe.

"The pause button got hit by a couple of months relative to COVID-19. By the same token, in some cases organizations opened up more access points to operate remotely. They're going to have to go back and shore things up a little bit," he said.

As many critical entities found themselves needing to ramp up production, reduce staff on the ground, and set up more remote connections in a variety of locations, industrial organizations have inadvertently opened their OT networks to attack.

What's worse, compromised OT can easily go undetected.

"The challenge with those networks and devices is that adversaries can just be there," said Antova. "Once they're on the network, they don't need malware or hacking per se. They just need access to the engineering station that changes code."

"In some cases those changes are so subtle, you can't trace where they’re coming from."

The threat to OT is particularly concerning at a time when attackers have been capitalizing on vulnerabilities surrounding COVID-19, ramping up ransomware, phishing, and other malicious hacks on vulnerable networks and individuals.

Security pros believe there’s good reason to worry that OT networks are the next frontier for attackers.

"Adversaries across the board are realizing one simple thing: OT networks are very critical to the organization’s bottom line. Especially for those in manufacturing. The fact that those networks are critical and valuable to the organization means some money could be made out of it," said Antova.

“My particular concern is the criminal element,” Tenable’s Edwards says. “ICS, especially within critical infrastructure, is a highly critical function within a business. Once criminals figure out how to cripple and hold it for ransom, I believe they will try.”

The way forward

Going forward, in addition to reprioritizing ICS security projects, industrial organizations have several considerations to address now that the initial rush to keep people working safely has settled and they prepare for how to operate in a new world.

To start with, says Antova, organizations need to resolve security issues with any ad hoc connections they’ve set up. “We’re not going back to where we were. Remote access solutions are there to stay. It’s really important that security is taken into consideration.”

Edwards adds that it’s crucial to “build security in from the beginning. Don’t try to bolt it on at the end.” Further, he said, don’t allow access points to always be on: “You should be enabling remote access for specific individuals and tracking and logging everything they’re doing. Have a complete audit trail of what’s performed during a remote access session, and when they’re done turn it off.”
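The practice Edwards describes, remote access granted to a named person for a bounded time, logged end to end and switched off when the session ends, as an added example that is not code from the article or from any vendor quoted in it. It assumes Unix-second timestamps, one user and one OT asset per grant, and an in-memory audit list standing in for a real log sink.

```python
"""Just-in-time remote access to OT assets with a complete audit trail.

Added example, not code from the article or from any vendor quoted in it.
Assumptions: times are Unix seconds (ints), a grant names one user and one
asset, and every allow/deny decision is logged so a session can be replayed.
"""
from dataclasses import dataclass, field


@dataclass
class Grant:
    user: str
    asset: str
    expires_at: int      # hard expiry: access is off once this time passes
    revoked: bool = False


@dataclass
class AccessBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (time, event, user, asset)

    def _log(self, now, event, user, asset):
        self.audit.append((now, event, user, asset))

    def grant(self, user, asset, ttl_seconds, now):
        """Open access for one named person, for a bounded time only."""
        g = Grant(user, asset, now + ttl_seconds)
        self.grants.append(g)
        self._log(now, "grant", user, asset)
        return g

    def revoke(self, user, asset, now):
        """'When they're done, turn it off': close every live grant for the pair."""
        for g in self.grants:
            if g.user == user and g.asset == asset and not g.revoked:
                g.revoked = True
                self._log(now, "revoke", user, asset)

    def check(self, user, asset, now):
        """Allow only an unrevoked, unexpired grant; log the decision either way."""
        ok = any(g.user == user and g.asset == asset
                 and not g.revoked and now < g.expires_at for g in self.grants)
        self._log(now, "allow" if ok else "deny", user, asset)
        return ok

    def session_trail(self, user, asset):
        """Everything recorded for this user/asset pair, in the order logged."""
        return [e for e in self.audit if e[2] == user and e[3] == asset]
```

A grant with no expiry or no revoke path is exactly the always-on access point the quote warns against, so the broker makes both mandatory rather than optional.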

In addition to securing existing remote access points, Edwards is also concerned about workers returning to the office with compromised devices that they’ve been using at home. “I actually think companies need to be hypervigilant about the devices as they come back into their corporate environments,” he said.

If there’s one silver lining in all of this, the crisis has helped make the case for ICS security, says Matt Selheimer, CMO, PAS Global. Speaking of a PAS client described as a “leading pulp and paper company,” Selheimer points out that the company was further ahead in planning for resiliency and therefore better able to meet the challenge of suddenly needing to ramp up production to meet skyrocketing demand for paper products during the pandemic, while establishing secure remote access to data and operations for engineers.

A PAS case study about the pulp-and-paper company states: “Remote operations capabilities provided by PAS solutions enabled the company’s operational staff to demonstrate resilience in the face of COVID-19 and preparedness for future operational challenges. Prior digitalization investments were validated, and digitalization and remote operations sceptics within the company were able to see how the future of paper goods manufacturing will be more digital, automated, and efficient.”

Whether or not it’s wishful thinking that struggling organizations will soon reprioritize tighter budgets to properly secure their industrial control systems remains to be seen. But the consequences of not doing so could indeed be catastrophic.

“Generally speaking, in the IT world you’re worried about the loss of information. In the OT world, you’re more concerned about loss of control of the process itself,” said PAS’ Carrigan. “Best case scenario, you lose productivity. Worst case, there’s a smoking hole in the ground and people don’t go home.”

Nicole Ferraro is a freelance writer, editor and storyteller based in New York City. She has worked across b2b and consumer tech media for over a decade, formerly as editor-in-chief of Internet Evolution and UBM's Future Cities; and as editorial director at The Webby Awards. ...

6/30/2020 | 8:34:33 PM
On Pause vs Stalled
I think this differentiation needs to be made. I would say "On Pause" refers to a company that has always been security conscious and this pandemic is halting them from unveiling any new security platforms. "Stalled" I would say is a company that never had security as a priority and are using the pandemic as an excuse to postpone it further. One is understandable, the other is unforgivable.