30 April 2020
Overview of recommendations on organizing secure remote work for critical infrastructure and other facilities
Due to the СOVID-19 pandemic, many organizations have had to switch to remote work. The sheer scale of the change has given rise to numerous discussions on the security of working remotely among information security experts, including those who focus on industrial cybersecurity.
Do issues related to the security of remote work affect critical infrastructure facilities? To what extent are the new working arrangements contributing to changes in the threat landscape? Should organizations take any additional security measures?
In search of answers to these questions, we turned to the recommendations of regulators in the sphere of information security, which have addressed security issues related to working remotely.
How does the issue of remote work security affect critical infrastructure enterprises?
In spite of the COVID-19 pandemic, most employees involved in the industrial processes of critical infrastructure enterprises are still working on-site (i.e., not remotely). This is required to ensure the continuity of operation at these enterprises. At the same time, administrative personnel that is not directly involved in maintaining industrial processes has in many cases gone remote.
Office employees going remote, combined with the overall anxiety levels of personnel growing due to the pandemic, could result in enterprise employees demonstrating lower alertness levels when it comes to information security threats. For example, the chances of an employee opening an attachment or clicking a link in a phishing email that takes advantage of the ‘hot’ topic of COVID-19 have increased. Consequently, the chances of the employee’s computer becoming infected have also grown. It should be kept in mind that many information security incidents on industrial networks that have resulted in industrial process disruptions started with infections of computers in enterprise networks’ corporate segments. We are already seeing attacks on the industrial sector using phishing emails that exploit the COVID-19 pandemic.
The risks associated with the remote administration of industrial automation systems are worthy of a separate mention.
Using remote administration tools was a sufficiently common practice before the pandemic. According to Kaspersky Security Network data, in the first half of 2018 remote access tools were used on 32% of ICS computers. Based on data from the Shodan system, in 2019 the number of industrial automation systems available through the internet became greater.
It is likely that during the pandemic, such tools will be used more often. We have already written in an article that remote administration tools pose a potential threat to industrial networks and that, if they are used, a special focus should be made on information security. This is also confirmed by the results of our research on various implementations of the Virtual Network Computing (VNC) remote access system, which is widely used in industrial automation systems.
In this situation, enterprises, particularly critical infrastructure facilities, must take measures to minimize possible risks. This is why regulators working in the area of information security, including critical infrastructure cybersecurity, have prepared recommendations on ensuring the security of remote work.
No doubt, critical infrastructure enterprises will continue to use remote access tools, so recommendations on ensuring the security of remote work will remain relevant when the pandemic is over.
What recommendations are there?
Key recommendations on ensuring secure remote access to industrial automation systems
Key recommendations on ensuring secure remote access to industrial automation systems can be found in the following documents:
- ICS-CERT recommendations: Configuring and Managing Remote Access for Industrial Control Systems
- Industrial control system security standard: NIST SP 800-82 Rev.2 “Guide to Industrial Control Systems (ICS) Security”
- ENISA recommendations: “Communication network dependencies for ICS/SCADA Systems”
Recommendations published in connection with the pandemic
- The SANS institute has put together a list of its materials that can be of use for training employees in working from home securely. The list was included in a document entitled “Security Awareness Deployment Guide – Securely Working at Home”. All materials are grouped into three main blocks:
- Social Engineering;
- Strong Passwords (authentication and password management);
- Updated Systems.
Additionally, materials on using VPN and Wi-Fi, as well as incident detection and response, are provided. - The US National Institute of Standards and Technology (NIST) released a bulletin with recommendations on secure remote access and remote work. The document is based on NIST Special Publication (SP) 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, which was published in 2016 and remains relevant today.
- The US Cybersecurity and Infrastructure Security Agency (CISA) published a document on ensuring the cybersecurity of enterprises as part of managing COVID-19 associated risks globally. Among other things, CISA recommends ensuring that business continuity plans are up to date and testing the capacity of remote access solutions, including with a view to increasing their capacity.
- The European Union Agency for Cybersecurity (ENISA) has published Top Tips for Cybersecurity when Working Remotely. In addition to the measures described in the above documents, ENISA reminds that data should be backed up periodically.
A comparison of recommendations on secure remote work during the COVID-19 pandemic is provided in the table below.
Comparison of recommendations on secure remote work during the COVID-19 pandemic
| Recommendations | SANS | NIST | ENISA | CISA |
|---|---|---|---|---|
| Briefing staff on the rules of secure remote work | + | – | – | + |
| Defining a list of devices to be provided to employees for remote work. Prohibiting personal devices from being used | – | + | – | – |
| Defining a list of resources that will be available remotely | – | + | – | – |
| Assigning the minimal privilege levels required by users when working remotely | – | + | + | – |
| Identifying remote devices and using whitelisting to grant access to them | – | + | – | – |
| Ensuring that unauthorized people cannot access remote workstations | + | – | – | – |
| Putting devices used for employees’ remote work on a separate domain | – | + | – | – |
| Using two-factor / multifactor authentication of employees | + | + | – | + |
| Providing secure encrypted remote access (VPN) | + | + | – | + |
| Using anti-malware protection with up-to-date and regularly updated databases | – | + | + | + |
| Monitoring system security, including logging and analyzing employee activity | – | – | – | + |
| Ensuring the ability to provide prompt incident response | – | – | + | + |
| Segmenting the network | – | + | – | |
| Updating all services and equipment used for remote access (VPN, network infrastructure devices) | + | + | + | – |
| Using WPA2 encryption for Wi-Fi internet connections | + | – | + | – |
| Using password management and enforcing strong passwords | + | – | – | – |
| Encrypting information on client devices | – | + | – | – |
| Ensuring that remote access servers can be managed only from trusted hosts by authorized administrators | – | + | – | – |
| Regularly backing up data | – | – | + | – |
| Testing the capacity of remote access solutions | – | – | – | + |
| Ensuring that business continuity plans are up to date | – | – | – | + |
Conclusion
It can be concluded from an analysis of recommendations on ensuring the security of remote work that having part of the workforce at industrial enterprises (as well as any other organizations) switch to working remotely does not require implementing any special security measures that are radically different from what the organization should already have in place. At the same time, making temporary changes to the way employees work requires additionally verifying the adequacy and effectiveness of existing security measures.
A special emphasis should be made on the security of communication channels (including attack detection and prevention), access control and the security of endpoints that employees will use to work remotely. In cases where it is not possible to provide people with devices that have protection (anti-malware solutions, firewalls, etc.) installed and configured on them, users should be provided with all the necessary security solutions and deploy them on their personal computers themselves.
It is also essential to work with employees, informing them of possible threats and providing them with additional instruction on the rules of remote work.
It can be concluded therefore that a set of technical measures taken in conjunction with administrative and training measures will ensure the level of cybersecurity that is necessary for enterprises to address existing threats, even with the increased use of remote access.
