As a rule of thumb in cybersecurity, the more sensitive your system is, the less it should touch the Internet. However, as the United States huddles to limit the spread of Covid-19, cybersecurity measures pose a difficult technical challenge for remote employees working in critical infrastructure, intelligence agencies, and other organizations with high-security networks. In some cases, working from home is not an option at all.
Organizations with particularly sensitive data or operations often restrict remote connections, segment networks to restrict hackers' access when they get in, and sometimes even completely disconnect their most important computers from the Internet. Late last week, the U.S. government's Cybersecurity and Infrastructure Security Agency issued a recommendation to critical infrastructure companies to prepare for remote work scenarios as Covid-19 spreads. That means verifying that your virtual private networks are patched, implementing multi-factor authentication, and testing remote access scenarios.
Cybersecurity consultants who actually work with these high-profile customers – including electricity suppliers, oil and gas companies, and manufacturing companies – say that it's not always that easy. For many of their most critical customers, and especially for intelligence agencies, remote work and security don't go together.
"Companies recognize that working from home is very difficult," said Joe Slowik, who previously led the computer emergency response team at the Department of Energy before moving to Dragos, a security company. "This should be a pretty good wake-up call. You need to find a way to ensure that people who are in for a service that can't be stopped, such as electricity, water and sewage, or similar services, are not physically on the area around the house control system, continuously ensure operation – even in an environment where you may risk the lives of your employees if they continue to commute to the office."
For many industrial networks, the highest security standard is an "air gap", a physical separation between the inner sanctum of software connected to physical devices and the less sensitive IT systems connected to the Internet. With the exception of the heavily regulated nuclear power plants, however, very few private sector companies have introduced actual air gaps. Instead, many companies have tried to limit the connections between their IT networks and their so-called OT, or operational technology, networks: the industrial control systems where the compromise of digital computers could have dangerous effects, for example hackers gaining access to the circuit breakers of an electricity supplier or the robots in a production hall.
These restricted connections create choke points for hackers, but also for remote employees. Rendition InfoSec's founder and security consultant, Jake Williams, describes a manufacturing customer that has carefully separated its IT and OT systems. Only "jump boxes", servers that bridge the gap between sensitive production control systems and non-sensitive IT systems, connect them. Only a very limited amount of software runs on these jump boxes, to prevent hackers from using them as an inroad. However, they support only one connection at a time, which means that the company's IT administrators vie for access.
"Administrators clink each other when they try to work and log in," says Williams. "These jump boxes, which were built to provide secure remote access in emergency situations, were not built to support this situation, in which everyone performs routine maintenance and operations remotely."
For the most critical of critical infrastructure, such as power plants and oil refineries, remote working does not only lead to technical snafus. It is often impossible for many employees, says Chris Sistrunk, security consultant at FireEye, who used to work as an electrical engineer for the energy supply company Entergy. "There is no way to fully operate some of these plants remotely," says Sistrunk. "You don't work from home. Important engineers and operators are always there for you around the clock."
In these scenarios, according to Slowik of Dragos, companies must instead try to limit the biological exposure of their most critical operational teams to prevent them from being quarantined, which is often easier said than done, as they can mix with other, infected people outside of their business hours. "It's a very sensitive issue," says Slowik. "You need them in the office and you can only limit them to a certain extent – because we are not China – how does that compensate?"
Utilities are already struggling with this balance. The Edison Electric Institute, a nonprofit that represents US utilities, warned in February that up to 40 percent of utility workers could be sick, quarantined, or at home to care for sick relatives. The news website UtilityDive reports that many energy providers across the country are restricting travel, switching as many employees as possible to remote work, holding meetings by video conference, and improving hygiene practices.
Intelligence agencies and other parts of the government that keep classified information off the Internet are an even bigger problem. NSA personnel are strictly prohibited from working from home, and intelligence sources tell WIRED that the NSA guidelines have not changed in the current pandemic. Employees have been asked to limit unnecessary travel, but have not received organization-wide instructions on how their remote work guidelines could change to accommodate Covid-19, even for older employees or those with health problems who may be at higher risk. Instead, they were asked to practice social distancing and were told they could take up to two weeks of paid administrative leave if they were forced to self-quarantine due to possible exposure to the virus.
The result could just be a much higher rate of virus transmission among government employees working in classified environments, says Jake Williams, himself a former NSA analyst. He describes his time at the NSA outpost in Fort Gordon, Georgia, as an open-plan office. Employees rarely reported sick because of the time sensitivity of their mission. Many worked in shifts, rotating around the clock at the same desks. "They sit down at a desk where someone else was sitting, typing, and coughing," says Williams. "I have no idea what they're going to do, but I can't understand how it doesn't spread like wildfire."
This inescapable risk, shared with so many other workers in medicine, food service, retail, transit, sanitation and factories, puts the problem into perspective: Remote work can pose some serious challenges for highly secure jobs. But for federal employees and electricity network operators in the most sensitive organizations of all – like so many others – it is an impossible luxury.
This story originally appeared on wired.com.