

COVID-19 Puts ICS Security Initiatives 'On Pause'

Security pros are concerned that increased remote access to vulnerable operational technology and stalled efforts to harden OT environments put critical infrastructure at greater risk.

Much has been said about attacks on enterprise IT as more remote desktops go online in the era of COVID-19. But security pros are growing increasingly alarmed by a lack of attention to industrial cybersecurity, and the operational technology (OT) used by everything from manufacturers making personal protective equipment to energy companies powering remote work.

The challenges to securing ICS in general are manifold: from a lack of visibility into OT, to legacy devices, to the mentality of the industry at large.

Still building a cybersecurity culture

"One of the tenets on the IT side of cybersecurity is that it's not a matter of if, but when" you’ll face a cyberattack, said Mark Carrigan, COO at PAS Global. "I don't think that mindset has totally sunk in on the industrial side. There's still a perception of, 'we can keep bad guys out.'"

"We have this mentality in the IT space that we keep things up to date, whether hardware or patching software. We have a plan to keep our cyber assets safe," said Marty Edwards, VP of OT Security at Tenable. "In the OT world, and in ICS, these systems are quite often just forgotten about for decades, in a steel locked electrical cabinet gathering dust. It’s not uncommon to find Windows XP and older legacy operating systems still in use just sitting there the way they were 15 years ago."

Indeed, adds Galina Antova, co-founder of industrial cybersecurity company Claroty, "Most systems are basically a black box to security teams in that organization."

Both Antova and Carrigan acknowledge that the industry has begun to demonstrate awareness over the last few years of the importance of OT security, and the need to view their systems holistically – not OT security as one thing, IT as another, and digital transformation another.

Cybersecurity 'on pause'

But Carrigan also notes that once COVID-19 hit, many companies put OT security plans on the backburner to attend to the immediate concern of keeping their processes running and employees safe.

"The pause button got hit by a couple of months relative to COVID-19. By the same token, in some cases organizations opened up more access points to operate remotely. They're going to have to go back and shore things up a little bit," he said.

As many critical entities found themselves needing to ramp up production, reduce staff on the ground, and set up more remote connections in a variety of locations, industrial organizations have inadvertently opened their OT networks to attack.

What's worse, compromised OT can easily go undetected.

"The challenge with those networks and devices is that adversaries can just be there," said Antova. "Once they're on the network, they don't need malware or hacking per se. They just need access to the engineering station that changes code."

"In some cases those changes are so subtle, you can't trace where they’re coming from."

The threat to OT is particularly concerning at a time when attackers have been capitalizing on vulnerabilities surrounding COVID-19, ramping up ransomware, phishing, and other malicious hacks on vulnerable networks and individuals.

Security pros believe there’s good reason to worry that OT networks are the next frontier for attackers.

"Adversaries across the board are realizing one simple thing: OT networks are very critical to the organization’s bottom line. Especially for those in manufacturing. The fact that those networks are critical and valuable to the organization means some money could be made out of it," said Antova.

“My particular concern is the criminal element,” Tenable’s Edwards says. “ICS, especially within critical infrastructure, is a highly critical function within a business. Once criminals figure out how to cripple and hold it for ransom, I believe they will try.”

The way forward

Going forward, in addition to reprioritizing ICS security projects, industrial organizations need to weigh several considerations now that the initial rush to keep people working safely has settled and they are preparing for how to operate in a new world.

To start with, says Antova, organizations need to resolve security issues with any ad hoc connections they’ve set up. “We’re not going back to where we were. Remote access solutions are there to stay. It’s really important that security is taken into consideration.”

Edwards adds that it’s crucial to “build security in from the beginning. Don’t try to bolt it on at the end.” Further, he said, don’t allow access points to always be on: “You should be enabling remote access for specific individuals and tracking and logging everything they’re doing. Have a complete audit trail of what’s performed during a remote access session, and when they’re done turn it off.”
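The pattern Edwards describes (access that exists only as a named, time-limited grant for a specific person, with every decision logged and the path turned off when the work is done) is straightforward to express as a policy check that a remote-access gateway consults before opening a session. The code below is an added example, not code from the article, Tenable or PAS; the user names, the asset name `eng-station-01` and the timestamps are constructed for the illustration.

```python
"""Time-boxed, per-person remote access to OT assets with a full audit trail.

Added illustration, not code from the article or from any vendor it quotes.
Nothing is reachable by default: access is a named grant for one person on
one asset, expiry is automatic, every decision is logged with its reason,
and the grant is revoked when the work is done. Names are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class Grant:
    user: str
    asset: str
    approved_by: str
    starts: datetime
    ends: datetime
    revoked: bool = False


@dataclass
class AuditEvent:
    when: datetime
    actor: str
    action: str  # GRANT, ALLOW, DENY or REVOKE
    asset: str
    detail: str


class RemoteAccessBroker:
    """Gatekeeper a remote-access gateway consults before opening a session."""

    def __init__(self) -> None:
        self.grants: List[Grant] = []
        self.audit: List[AuditEvent] = []

    def _log(self, when: datetime, actor: str, action: str, asset: str, detail: str) -> None:
        self.audit.append(AuditEvent(when, actor, action, asset, detail))

    def _matching(self, user: str, asset: str) -> List[Grant]:
        return [g for g in self.grants if g.user == user and g.asset == asset]

    def grant(self, user: str, asset: str, approved_by: str, starts: datetime, minutes: int) -> Grant:
        """Open a window for one person on one asset; the approver is recorded."""
        g = Grant(user, asset, approved_by, starts, starts + timedelta(minutes=minutes))
        self.grants.append(g)
        self._log(starts, approved_by, "GRANT", asset, f"{user} until {g.ends.isoformat()}")
        return g

    def authorize(self, user: str, asset: str, now: datetime) -> bool:
        """Allow only inside a live, unrevoked window; log the decision and why."""
        for g in self._matching(user, asset):
            if not g.revoked and g.starts <= now < g.ends:
                self._log(now, user, "ALLOW", asset, f"grant approved by {g.approved_by}")
                return True
        self._log(now, user, "DENY", asset, self._deny_reason(user, asset, now))
        return False

    def _deny_reason(self, user: str, asset: str, now: datetime) -> str:
        matching = self._matching(user, asset)
        if not matching:
            return "no grant on file"
        latest = max(matching, key=lambda g: g.starts)  # explain the newest grant
        if latest.revoked:
            return "grant revoked"
        if now >= latest.ends:
            return "grant expired"
        return "grant not yet active"

    def revoke(self, user: str, asset: str, by: str, now: datetime) -> int:
        """Turn the access path off once the session is finished."""
        n = 0
        for g in self._matching(user, asset):
            if not g.revoked and now < g.ends:  # only windows still open
                g.revoked = True
                n += 1
                self._log(now, by, "REVOKE", asset, f"{user} revoked")
        return n


def demo() -> Dict[str, list]:
    """One engineer's day against a hypothetical engineering station."""
    t0 = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    at = lambda m: t0 + timedelta(minutes=m)
    b = RemoteAccessBroker()
    decisions = []
    b.grant("alice", "eng-station-01", approved_by="ot-lead", starts=t0, minutes=60)
    decisions.append(b.authorize("alice", "eng-station-01", at(10)))  # inside window
    decisions.append(b.authorize("bob", "eng-station-01", at(10)))    # never granted
    decisions.append(b.authorize("alice", "eng-station-01", at(90)))  # window expired
    b.grant("alice", "eng-station-01", approved_by="ot-lead", starts=at(100), minutes=30)
    decisions.append(b.authorize("alice", "eng-station-01", at(105)))  # new window
    b.revoke("alice", "eng-station-01", by="ot-lead", now=at(110))     # work done
    decisions.append(b.authorize("alice", "eng-station-01", at(115)))  # revoked
    return {
        "decisions": decisions,
        "actions": [e.action for e in b.audit],
        "deny_reasons": [e.detail for e in b.audit if e.action == "DENY"],
    }
```

The audit list is the part worth keeping: every ALLOW names the approver, every DENY names the reason, and a session that ran without a matching GRANT/REVOKE pair stands out immediately. In a real gateway the broker would be queried at connection time and the audit events shipped to the SIEM rather than held in memory.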

In addition to securing existing remote access points, Edwards is also concerned about workers returning to the office with compromised devices that they’ve been using at home. “I actually think companies need to be hypervigilant about the devices as they come back into their corporate environments,” he said.

If there’s one silver lining in all of this, it’s that the crisis has helped make the case for ICS security, says Matt Selheimer, CMO of PAS Global. He points to a PAS client described as a “leading pulp and paper company”: because it was further ahead in planning for resiliency, it was better able to meet the challenge of suddenly ramping up production to meet skyrocketing demand for paper products during the pandemic, while establishing secure remote access to data and operations for its engineers.

A PAS case study about the pulp-and-paper company states: “Remote operations capabilities provided by PAS solutions enabled the company’s operational staff to demonstrate resilience in the face of COVID-19 and preparedness for future operational challenges. Prior digitalization investments were validated, and digitalization and remote operations sceptics within the company were able to see how the future of paper goods manufacturing will be more digital, automated, and efficient.”

Whether or not it’s wishful thinking that struggling organizations will soon reprioritize tighter budgets to properly secure their industrial control systems remains to be seen. But the consequences of not doing so could indeed be catastrophic.

“Generally speaking, in the IT world you’re worried about the loss of information. In the OT world, you’re more concerned about loss of control of the process itself,” said PAS’ Carrigan. “Best case scenario, you lose productivity. Worst case, there’s a smoking hole in the ground and people don’t go home.”

Nicole Ferraro is a freelance writer, editor and storyteller based in New York City. She has worked across b2b and consumer tech media for over a decade, formerly as editor-in-chief of Internet Evolution and UBM's Future Cities; and as editorial director at The Webby Awards.

Comments

6/30/2020 | 8:34:33 PM
On Pause vs Stalled
I think this differentiation needs to be made. I would say "On Pause" refers to a company that has always been security conscious and this pandemic is halting them from unveiling any new security platforms. "Stalled" I would say is a company that never had security as a priority and are using the pandemic as an excuse to postpone it further. One is understandable, the other is unforgivable.