Staffers at power grids, intelligence agencies, and more often don’t have the option to work from home, even in light of Covid-19.
“Administrators are bumping each other off as they try to work and log in.”
Jake Williams, Rendition InfoSec
It’s a rule of thumb in cybersecurity that the more sensitive your system, the less you want it to touch the internet. But as the US hunkers down to limit the spread of Covid-19, cybersecurity measures present a difficult technical challenge to working remotely for employees at critical infrastructure, intelligence agencies, and anywhere else with high-security networks. In some cases, working from home isn’t an option at all.
Companies with especially sensitive data or operations often limit remote connections, segment networks to limit a hacker’s access if they do get in, and sometimes even disconnect their most important machines from the internet altogether. Late last week, the US government’s Cybersecurity and Infrastructure Security Agency issued an advisory to critical infrastructure companies to prepare for remote work scenarios as Covid-19 spreads. That means checking that their virtual private networks are patched, implementing multifactor authentication, and testing out remote access scenarios.
But cybersecurity consultants who actually work with those high-stakes clients—including electric utilities, oil and gas firms, and manufacturing companies—say that it’s not always so simple. For many of their most critical customers, and even more so for intelligence agencies, remote work and security don’t mix.
“Organizations are realizing that work-from-home would be very difficult to execute,” says Joe Slowik, who previously led the computer emergency response team at the Department of Energy before joining the critical-infrastructure-focused security firm Dragos. “This should be a fairly good wake-up call. You need to figure out a way that if individuals cannot physically access the control system environment for a service that cannot stop, like electricity, water, and wastewater or similar services, you ensure continuous operation—even in the face of an environment where you might be risking your employees’ lives if they continue to commute into the office.”
For many industrial networks, the highest standard of security is an “air gap,” a physical disconnect between the inner sanctum of software connected to physical equipment and the less sensitive, internet-connected IT systems. But very few private-sector firms, with the exception of highly regulated nuclear power utilities, have implemented actual air gaps. Many companies have instead attempted to restrict the connections between their IT networks and their so-called OT or operational technology networks—the industrial control systems where the compromise of digital computers could have dangerous effects, such as giving hackers access to an electric utility’s circuit breakers or a manufacturing floor’s robots.
Those restricted connections create choke points for hackers, but also for remote workers. Rendition InfoSec founder and security consultant Jake Williams describes one manufacturing client that carefully separated its IT and OT systems. Only “jump boxes,” servers that bridge the divide between sensitive manufacturing control systems and nonsensitive IT systems, connected them. Those jump boxes run very limited software to prevent them from serving as in-roads for hackers. But they also only support one connection at a time, which means the company’s IT administrators have found themselves vying for access.
“Administrators are bumping each other off as they try to work and log in,” says Williams. “These jump boxes that were built to facilitate secure remote access in emergency situations weren’t built to support this situation where everyone is performing routine maintenance and operations remotely.”
For the most critical of critical infrastructure, however, like power plants and oil refineries, remote work isn’t just leading to technical snafus. It’s often impossible for many staffers, says Chris Sistrunk, a security consultant for FireEye who formerly worked as an electrical engineer for power utility Entergy. “There’s no way to fully remotely run some of those plants,” Sistrunk says. “You don’t work from home. Essential engineers and operators will always be there 24/7.”
In those scenarios, Dragos’ Slowik says, companies have to instead try to limit the biological exposure of their most critical operations teams to prevent them from being quarantined—which is often easier said than done, given that they’re free to mingle with potentially infected people during their off-hours. “It’s a real touchy subject,” says Slowik. “You need them available at the office, and you can only restrict them to a certain extent—because we’re not China–so how does that balance out?”
Utilities have already been struggling with that balance. The Edison Electric Institute, a nonprofit that represents US electric utilities, warned in February that as many as 40 percent of utility workers could be home sick, quarantined or at home taking care of sick relatives. And electric utility news site UtilityDive reports that many utilities across the country are limiting travel, shifting as many staff as possible to remote work, scheduling meetings as videoconferences, and ramping up hygiene practices.
Intelligence agencies and other parts of the government that keep classified information locked away from the internet present an even starker problem. NSA staff are strictly forbidden to work from home, and intelligence community sources tell WIRED that NSA policy hasn’t changed in spite of the current pandemic. Staff have been asked to limit nonessential travel, but they’ve received no organization-wide instructions on how their remote work policy might shift to account for Covid-19, even for older employees or those with health conditions who might be more at risk. Instead, they’ve been asked to practice social distancing and told that if they’re forced to self-quarantine due to potential exposure to the virus, they’re free to take up to two weeks of paid administrative leave.
The result may simply be far higher rates of viral transmission among government staffers who work in classified environments, says Jake Williams, himself a former NSA analyst. He describes his time at the NSA’s outpost at Fort Gordon in Georgia as an open-floor-plan office. Staffers rarely called in sick, due to their mission’s time sensitivity. Many worked in shifts, rotating 24/7 at the same desks. “You’re sitting down at a desk someone else sat at, typed at, coughed at,” Williams says. “I have no idea what they’re going to do, but I cannot fathom how it won’t spread like wildfire.”
That inescapable risk, as with so many other professions like medical, food service, retail, transit, sanitation, and factory workers, puts the problem in perspective: Remote work may pose some serious challenges for highly secured workplaces. But for the federal staffers and power grid operators in the most sensitive organizations of all—like so many others—it’s an impossible luxury.
All Rights Reserved for Andy Greenberg