The pandemic has highlighted security vulnerabilities in critical infrastructure, says a veteran of the US government’s cyber emergency response team.
The shift to widespread working from home has opened up new opportunities for cyber crime, warns critical infrastructure security expert Marty Edwards.
“In the move to a home office type environment, now you’ve got people interacting with online banking, online shopping. They’re doing non-work things on work computers and vice-versa,” says Edwards, who was previously director of the United States Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.
He is now vice president at Tenable, and says the security tech company has received an uptick in requests from organisations wanting to analyse the vulnerabilities in their systems with staff working from home.
The risks range from cyber crime to kids using unlocked computers.
“Whenever there’s any kind of disaster or emergency, the criminal element tends to pick up on it really fast. So after a hurricane, or the wildfires [in Australia], there was no shortage of phishing emails or fake campaigns,” he explains to The Mandarin.
“The same thing is happening with COVID-19. There’s an uptick in the ransomware campaigns, phishing campaigns.”
Governments and critical infrastructure, much of which sits in the private sector, are particular targets for things like tech-enabled extortion.
Yet many organisations won’t have prepared for the shift. There may be a policy, but often it sits unused on the shelf.
These risks mean plenty of government and critical infrastructure work can’t be done off-site for security reasons, but needs to continue despite the pandemic.
“I have heard of situations, for example, where they’ve basically self-quarantined the operators of these facilities inside the facility,” Edwards says.
“The workers are living, sleeping, cooking there. They’re almost quarantined as a family, and keep that plant operational and working. I think that’s often an angle to this story that often doesn’t get told, that there are these essential workers that have essentially sequestered themselves in these industrial type facilities, and in certain government facilities as well.”
The three elements of security
Cyber risk is made up of three main components, he explains: process, technology and people.
On process, organisations should first make sure there are appropriate rules in place.
“Have written guidelines: this is what you’re allowed to do with your work computer while it’s home and this is what you’re not allowed to do with it,” he says.
“If you need to go shopping on your favourite website to get groceries or things like that, use your personal computer. Don’t do that from your work computer unless your work has a methodology to allow you to do that.”
On technology, it’s important the organisation understands their exposure to risk.
“Look at what the risk is to your systems and then prioritise fixing it,” he says.
The people aspect is perhaps the hardest to control — if even one person in a large organisation clicks on a phishing link, it can cause huge damage.
“We should be giving refresher-type training: saying hey, we know you’re working from home, here are some additional risks you should think about.
“The people part is critical, you have to trust that your people are doing the right thing. You have to provide them with the tools and technologies to help them along.”
It’s important to avoid taking a punitive approach, he argues. Here he recalls his time working in industry, which often is more sensible about managing risk.
“Say somebody notices the guard is missing on a piece of rotating machinery, so it’s a hazard. In safety they call that a near miss. They document it, and they use it to train people that you should be observant and look for these things.
“It’s a positive thing that somebody reported that and we were able to learn from it in a safety culture.”
But many organisations’ approach to cyber security encourages staff to hide breaches.
“I find that in security for some crazy reason we have this tendency to be punitive,” Edwards argues.
He’s heard of companies sending out emails designed to look like a phishing attack, with a ‘three strikes and you’re out’ policy for those who click.
“You actually get fired.
“If a person accidentally clicked on it, or didn’t know better and clicked on it, well that’s an opportunity to help them understand and train them through that, so that culturally we get better. We need to move from a punitive frame of reference to a better safety culture I think.”
Outdated critical infrastructure
Both government and the private sector need to get better at planning for ongoing security in critical infrastructure, Edwards believes.
“If you take a typical power grid or water treatment facility, the equipment was intended to last decades. It’s not like a laptop that you issue every five years,” he explains.
But that long time-span means they are often forgotten about until something goes wrong.
“We need to get better at getting real-time visibility of the security posture of those systems,” he says.
Traditionally it has been difficult to scan these old, purpose-built technologies for security vulnerabilities, with testing interrupting vital functions. But improvements in technology have allowed companies like Edwards’ to be able to perform these analyses safely.
It doesn’t help that as education and technology change, the programming skills needed to rejig many of these systems are in short supply. In light of the coronavirus, for example, governments in the United States have been forced to bring in contractors to adjust welfare systems written in COBOL, a programming language understood by few on the public payroll today.
“If we’re relying on systems that are written in decades-old programming languages nobody learns in university anymore, should we have foreseen the fact that there was going to be an end of life for that technology and shouldn’t we have invested in that technology?” asks Edwards.
It’s no different from upkeep on physical infrastructure like roads, he argues.
“You actually have to have a cyber-maintenance program to maintain these environments over time. And if you don’t, you get into a situation where you run into failure when it breaks.”