As community spread of the Novel Coronavirus, or COVID-19, grows, businesses and governments around the globe are taking proactive measures to protect their employees and citizens. The virus has tested the global community’s capacity to adapt our everyday practices from ones that rely on in-person interactions to a posture of social distancing. Fortunately, the latter no longer precludes productivity thanks to modern communication tools like video conferencing.
However, there are unique implications for a largely remote workforce when it comes to securing an operational technology (OT) network. This is far-reaching given that every large organization, no matter its industry or business model, has OT assets.
Last week CISA published a guide on risk management in the wake of COVID-19, which included actions for infrastructure protection, as well as guidance for improving remote access. Now is a great time to refresh our thinking on best practices for protecting remote access connections—especially for industrial networks.
- Monitor All Connections: First and foremost, organizations should take special care over these next several months to monitor all of their remote connections, even the seemingly unimportant or inconsequential ones. Ideally, this means having the capability to observe remote sessions in real time, actively manage user access requests based on purpose, length, and frequency, and terminate sessions with the click of a button. Doing so will markedly reduce the risk of both internal and external exploitation, including by third parties, without introducing costly or burdensome barriers to productivity.
- Privileged Access Control: Moreover, as organizations rely more and more on remote connectivity, it’s critical that they define and enforce granular access permissions for all remote users, especially those with privileged access. For industrial organizations, access control policies should reflect a layered network defense model (e.g. the Purdue model) to mitigate lateral movement in the event of a compromise and protect the most sensitive and critical process control assets.
- Authentication: One of the biggest risks associated with the rapid adoption of remote access operations is the use, sharing, and management of passwords. If possible, organizations should seek to limit, if not eliminate, the use of passwords for third-party users by requiring administrator approval for all remote access sessions. In other cases, businesses and governments should take advantage of password vaulting technology and always enforce multi-factor authentication to protect against account compromises.
- Auditing and Compliance: Even though this period of flexible workplace arrangements will come to an end as the effect of the Coronavirus eventually wanes, it is important to maintain consistent and stringent audit requirements for remote access for the duration of its impact. Opportunistic hackers will undoubtedly attempt to take advantage of this period to gain and maintain persistent access to critical networks. Despite organizations’ best efforts, some will be successful. For this reason, organizations should be keen to capture and document all remote access session activity and credential usage to meet compliance requirements and facilitate any future forensic analysis.
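The Privileged Access Control and Authentication points above can be expressed as a single decision function that a remote-access broker would consult before opening a session. The following is an added example written for this page, not code from the original post or from Claroty: it denies any session that lacks a second factor, requires per-session administrator approval for third parties instead of standing passwords, insists that sessions arrive through an industrial DMZ jump host, and then applies role permissions expressed as the deepest Purdue level each role may reach, narrowed by an optional per-asset allowlist. The role names, level assignments, users and assets are all constructed for illustration.

```python
"""Added example (not from the original post or from Claroty): a minimal
remote-access decision function for an OT environment that applies
layered (Purdue-style) access permissions together with the authentication
rules the post describes. Roles, levels, users and assets are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed Purdue-style level assignments used by this example:
#   4 = enterprise IT, 3.5 = industrial DMZ (the remote-access broker lives here),
#   3 = site operations, 2 = supervisory control (HMI/SCADA),
#   1 = basic control (PLC/RTU), 0 = physical process.

@dataclass(frozen=True)
class Asset:
    name: str
    purdue_level: float

@dataclass(frozen=True)
class User:
    name: str
    role: str
    third_party: bool   # vendor or integrator rather than an employee
    mfa_passed: bool    # second factor verified for this session

@dataclass(frozen=True)
class AccessRequest:
    user: User
    asset: Asset
    purpose: str
    via_dmz_broker: bool = True      # session brokered by the level 3.5 jump host
    approved_by_admin: bool = False  # per-session approval, replacing standing passwords

# Deepest level each constructed role may reach; a smaller number is closer to the process.
ROLE_FLOOR = {
    "enterprise_analyst": 4,   # IT-side data only
    "ot_engineer": 1,          # down to the PLCs
    "controls_vendor": 1,      # also down to PLCs, but only those allowlisted below
}

# Optional per-role allowlist that narrows access within the permitted levels.
ROLE_ASSET_ALLOWLIST = {
    "controls_vendor": {"plc-line-3"},
}

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Every deny names the control that fired."""
    u, a = req.user, req.asset
    # Authentication: multi-factor is enforced for every remote user.
    if not u.mfa_passed:
        return False, "deny: multi-factor authentication not satisfied"
    # Third parties hold no standing credentials; an administrator approves each session.
    if u.third_party and not req.approved_by_admin:
        return False, "deny: third-party session requires administrator approval"
    # Layered model: remote sessions enter only through the DMZ broker, never straight into OT.
    if not req.via_dmz_broker:
        return False, "deny: session must be brokered through the industrial DMZ"
    floor = ROLE_FLOOR.get(u.role)
    if floor is None:
        return False, f"deny: unknown role {u.role!r}"
    if a.purdue_level < floor:
        return False, f"deny: role {u.role!r} may not reach level {a.purdue_level} assets"
    allowlist = ROLE_ASSET_ALLOWLIST.get(u.role)
    if allowlist is not None and a.name not in allowlist:
        return False, f"deny: {a.name!r} is outside the allowlist for role {u.role!r}"
    # A stated purpose is required so the audit record of the session is meaningful.
    if not req.purpose.strip():
        return False, "deny: a purpose must be recorded for the session"
    return True, f"allow: {u.name} -> {a.name} (level {a.purdue_level}) for {req.purpose!r}"

if __name__ == "__main__":
    vendor = User("vendor-a", "controls_vendor", third_party=True, mfa_passed=True)
    plc = Asset("plc-line-3", 1)
    print(evaluate(AccessRequest(vendor, plc, "firmware patch")))
    print(evaluate(AccessRequest(vendor, plc, "firmware patch", approved_by_admin=True)))
```

The checks are ordered so that the cheapest, most universal controls (MFA, approval, DMZ entry) fail first; the level floor then blocks a compromised enterprise account from being pointed at a controller even when its other factors are in order, and the allowlist keeps a vendor confined to the equipment it actually supports.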
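The Monitor All Connections and Auditing and Compliance points describe two halves of the same workflow: reviewing live remote sessions against their approved purpose, length and frequency, and keeping a record of that activity that will still be trustworthy when a forensic team reads it months later. The block below is an added example for this page, not code from the original post or from Claroty. It runs a review pass over constructed session records (the kind a remote-access gateway would export), recommends terminating an open session that has overrun its approval, flags sessions with no stated purpose and users whose daily session count exceeds a constructed threshold, and then writes each finding into a SHA-256 hash chain so that any later edit to the audit trail is detectable. The records, timestamps and thresholds are all constructed.

```python
"""Added example (not from the original post or from Claroty): review
constructed remote-session records for the conditions the post says to watch
(length, frequency, purpose) and keep the findings in a hash-chained audit
trail that can be verified during later forensic analysis."""
import hashlib
import json
from datetime import datetime, timedelta

# Constructed session records; in practice these come from the remote-access gateway.
# "end": None marks a session that is still open at review time.
SESSIONS = [
    {"id": "s4", "user": "vendor-a", "asset": "hmi-02", "purpose": "connectivity test",
     "start": "2020-03-16T07:00:00", "end": "2020-03-16T07:05:00", "approved_minutes": 15},
    {"id": "s1", "user": "vendor-a", "asset": "hmi-02", "purpose": "firmware check",
     "start": "2020-03-16T08:00:00", "end": None, "approved_minutes": 60},
    {"id": "s2", "user": "vendor-a", "asset": "hmi-02", "purpose": "",
     "start": "2020-03-16T09:30:00", "end": "2020-03-16T09:40:00", "approved_minutes": 30},
    {"id": "s3", "user": "eng-bob", "asset": "eng-ws-1", "purpose": "logic update",
     "start": "2020-03-16T09:00:00", "end": None, "approved_minutes": 240},
]
NOW = "2020-03-16T10:00:00"   # constructed review time

def review_sessions(sessions, now_iso, max_per_day=2):
    """Return a list of findings; each names the session (or user), the reason and an action."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    per_user_day = {}
    for s in sessions:
        start = datetime.fromisoformat(s["start"])
        end = datetime.fromisoformat(s["end"]) if s["end"] else now
        elapsed = (end - start) / timedelta(minutes=1)
        # Length: an open session past its approval is terminated; a closed one is reviewed.
        if elapsed > s["approved_minutes"]:
            findings.append({"session": s["id"], "user": s["user"],
                             "reason": f"ran {elapsed:.0f} min, approved {s['approved_minutes']}",
                             "action": "terminate" if s["end"] is None else "review"})
        # Purpose: every session must carry a stated reason.
        if not s["purpose"].strip():
            findings.append({"session": s["id"], "user": s["user"],
                             "reason": "no stated purpose", "action": "review"})
        key = (s["user"], start.date())
        per_user_day[key] = per_user_day.get(key, 0) + 1
    # Frequency: more sessions per day than approved triggers a per-user finding.
    for (user, day), n in per_user_day.items():
        if n > max_per_day:
            findings.append({"session": None, "user": user,
                             "reason": f"{n} sessions on {day} exceeds {max_per_day}",
                             "action": "require approval for further sessions"})
    return findings

GENESIS = "0" * 64

def _digest(prev_hash, event):
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_audit(chain, event):
    """Append an event; its hash covers the previous entry's hash, so edits break the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"event": event, "prev": prev, "hash": _digest(prev, event)}
    chain.append(entry)
    return entry["hash"]

def verify_audit(chain):
    """Recompute every link; False if any event or link was altered after the fact."""
    prev = GENESIS
    for entry in chain:
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["event"]):
            return False
        prev = entry["hash"]
    return True

if __name__ == "__main__":
    chain = []
    for finding in review_sessions(SESSIONS, NOW):
        append_audit(chain, finding)
        print(finding)
    print("audit trail intact:", verify_audit(chain))
```

The hash chain is deliberately simple: it does not stop an attacker with write access from rewriting the whole log, but if the head hash is periodically copied to a system outside the OT network (or simply printed into a ticket), any later alteration of an individual entry is provable, which is what a forensic review needs from the records the post asks organizations to keep.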
Unfortunately, hackers are not the only groups being opportunistic at this time. There is a lot of fear, uncertainty, and doubt (FUD) being spread about COVID-19 both as it relates to the health and safety of people as well as the protection of critical infrastructure. At Claroty we recognize that COVID-19 is testing businesses and governments in ways that they haven’t been tested before. Indeed, we are experiencing these tests, too. Our goal, therefore, is to continue to responsibly educate organizations on the cyber risks and opportunities to better secure their OT environments.