According to Edgard Capdevielle, CEO of Nozomi Networks, remote access to critical assets could be putting utilities more at risk of a cyberattack than ever before.
It probably won’t come as a surprise to anyone who works on critical energy infrastructure that adding a layer of cybersecurity to the industrial network is not the same as adding cybersecurity to the traditional IT networks that protect our email servers, printers and the like.
So asking critical infrastructure workers to do their work remotely can be quite a radical proposition, said Nozomi Networks CEO Edgard Capdevielle in an interview.
“IT networks have always dealt with remote workers,” he said, but remote work “means something completely different for the industrial side of the house.”
Traditionally, the industrial network was only open to a few select employees who worked onsite. And most utilities believed that those industrial networks were safe and secure. “We didn’t monitor them because we thought they were disconnected and were never exposed,” he said.
But now with more people accessing the work they do remotely, that “attack surface” has been “expanded in a very significant and uncontrolled way,” he said.
Capdevielle explained that for many utilities, there is no way to granularly allow access to certain parts of the industrial network. He said one of his clients reported that he had to ‘open the floodgates’ and give access to all of his field workers so they could do their jobs during the COVID-19 pandemic.
“It’s a pretty bad situation,” he said.
What do they want and how do they get it?
Bad actors generally have one of three motives, according to Capdevielle. In its simplest form, a cyberattack is about money, which attackers get by encrypting assets and then demanding a ransom. “And those happen in industrial control networks because you do have a lot of Windows machines,” he said.
But deeper, more troubling attacks can come from those who wish to inflict harm on entities with whom they have ideological disagreements and/or from nation states that want to show dominance, he explained. The latter is what many believe Russia did to the Ukraine electricity network in 2015, knocking out a significant portion of the grid for a short time. In a situation like that, Capdevielle said the nation state could be just “showing muscle,” in other words, showing the victim what it *could do* if it wanted to.
To a grid operator, an attack might go unnoticed for a long time. He said cyberattacks begin when attackers gain access to a network and then do reconnaissance work, where they look around and see what they can find. They may move a file from point A to point B, which didn’t hurt anything but just isn’t normal. So, protection begins by looking for those anomalies, he said.
“You look for activity that looks like reconnaissance,” he said. Perhaps the operator might see a scan of some kind taking place “and scans are not normal, especially in the industrial control network,” he added.
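The anomaly-based detection Capdevielle describes, looking for conversations that are not part of the normal OT baseline and for scan-like behaviour, can be illustrated with a small flow-record analyzer. This is an added example written for this article, not Nozomi Networks code; the hosts, addresses, ports, thresholds and flow records are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed TCP connection attempt (constructed record format)."""
    ts: float   # seconds since capture start
    src: str
    dst: str
    dport: int


# Constructed baseline of "known good" OT conversations, the kind of
# allow-list a monitoring tool learns during a quiet period. Addresses
# and roles are invented for this example.
BASELINE = {
    ("10.0.1.10", "10.0.1.50", 502),    # HMI -> PLC, Modbus/TCP
    ("10.0.1.10", "10.0.1.51", 502),    # HMI -> second PLC
    ("10.0.1.20", "10.0.1.50", 44818),  # engineering station -> PLC, EtherNet/IP
}

# Constructed sample traffic: normal baseline flows, plus a remote-access
# host (10.0.9.77) that probes many ports on one PLC and then many hosts
# on the Modbus port, which is exactly the "scan" pattern that is not
# normal on an industrial network.
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.1.10", "10.0.1.50", 502),
    Flow(1.0, "10.0.1.10", "10.0.1.51", 502),
    Flow(2.0, "10.0.1.20", "10.0.1.50", 44818),
    *[Flow(10.0 + i * 0.1, "10.0.9.77", "10.0.1.50", 1 + i) for i in range(25)],
    *[Flow(20.0 + i, "10.0.9.77", f"10.0.1.{60 + i}", 502) for i in range(6)],
    Flow(30.0, "10.0.1.10", "10.0.1.50", 502),
]


def unknown_conversations(flows, baseline):
    """Return flows whose (src, dst, dport) triple was never seen in the baseline."""
    return [f for f in flows if (f.src, f.dst, f.dport) not in baseline]


def detect_scans(flows, window=5.0, port_threshold=10, host_threshold=5):
    """Flag sources that, within `window` seconds, touch many distinct ports on
    one destination (vertical scan) or many distinct destinations (horizontal
    scan). Returns a sorted list of (src, kind, dst_or_*, count) tuples, keeping
    the largest count seen for each (src, kind, dst)."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)

    worst = {}  # (src, kind, dst) -> max count observed in any window
    for src, fl in by_src.items():
        for i, start in enumerate(fl):
            win = [g for g in fl[i:] if g.ts - start.ts <= window]
            ports_by_dst = defaultdict(set)
            for g in win:
                ports_by_dst[g.dst].add(g.dport)
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_threshold:
                    key = (src, "vertical", dst)
                    worst[key] = max(worst.get(key, 0), len(ports))
            if len(ports_by_dst) >= host_threshold:
                key = (src, "horizontal", "*")
                worst[key] = max(worst.get(key, 0), len(ports_by_dst))
    return sorted((s, k, d, n) for (s, k, d), n in worst.items())


def analyze(flows=SAMPLE_FLOWS, baseline=BASELINE):
    """Run both checks and summarize: how many flows fell outside the baseline
    and which sources behaved like scanners."""
    unknown = unknown_conversations(flows, baseline)
    return {
        "unknown_flow_count": len(unknown),
        "unknown_sources": sorted({f.src for f in unknown}),
        "scan_alerts": detect_scans(flows),
    }


if __name__ == "__main__":
    for k, v in analyze().items():
        print(k, v)
```

Running it on the constructed sample reports 31 flows outside the baseline, all from the remote-access host, and two scan alerts for that host: a vertical scan of 25 ports on the PLC and a horizontal sweep of 6 hosts on port 502. The baseline HMI and engineering-station traffic raises nothing. In practice the allow-list would be learned from passive monitoring and the thresholds tuned to the site, but the structure is the same: first learn what "normal" looks like, then alert on conversations and patterns that do not fit it.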
IT/OT convergence means OT cybersecurity should be on par with IT cybersecurity
Capdevielle said it’s clear that cybersecurity of the OT network is lagging behind that of the IT network. In fact, within a utility itself, it might not even be clear who is responsible for the security of those industrial assets.
“It’s not maintenance, it’s not generation, or transmission, or safety,” he said, adding that “it’s related to all of those,” but no single business unit has oversight of it. He believes that Chief Information Security Officers (CISOs) should have that oversight.
“At the end of the day, you want one person responsible for the cybersecurity stance of the company and that tends to be the CISO,” he said, because “ultimately at the end of the day, we are all connected whether we like it or not.”
And as the world deals with COVID-19, the bad actors are not taking a break. Capdevielle said that a recent attack on the US Department of Health is a good example.
“The evil doers are not stopping.”
With more people working on laptops at home in response to shelter-in-place orders, that attack surface has grown larger than ever before. “So this is a time when we really need to pay attention to cybersecurity for anything that is supported by industrial control networks,” he said.
“Industrial control networks by definition support the most important processes of companies that have them,” he said. It is time to protect them. “There is no more delay,” he said.