Keeping critical infrastructure online is the paramount concern for those who work in industrial cybersecurity, but when consultants can no longer hop on a plane to go investigate an incident at a facility, that presents huge challenges. According to Lesley Carhart, Principal Industrial Incident Responder at Dragos, Inc., remote access to sites has become much more difficult for both operators of facilities and for consultants and contractors.
All the while, though, “attacks are up, and there is no geopolitical or economic evidence to say that cyberattacks are going to decrease,” Carhart said. In fact, from a human perspective, our adversaries are facing the same economic fears and pressures as the rest of the world. While it might seem strange to humanize them, Carhart said, “The reality is they are just trying to survive. Having a bunch of people who have no ethics and are willing to do almost anything in many cases to achieve their goals is a rather frightening concept.”
“So how does that reality impact the industrial cybersecurity sector? Well, let’s say there’s a cyberattack and someone has to go mitigate it. In a normal scenario, consultants would have remote access. Going through the steps of the incident response plan and trying to remedy it to make sure it doesn’t happen again in the future has always been a hands-on process, especially in industrial, where there’s not a lot of connectivity to the outside,” Carhart said.
“Now those responses—even in the most critical environments—will often have to be done remotely. There’s no way around it. There are curfews, travel restrictions, and perhaps no transportation methods and great risk to whoever goes in and whoever they are entering the facility with,” she added.
The solution then? Look at every incident response plan these facilities have and make sure it’s possible to do everything via remote connections. The catch there is that doing everything via remote connections (in some cases) requires adding in provisioning of those new connections, which can present an additional security risk.
Another solution, Carhart said, “is to figure an out-of-band method to walk site operators (who are also under intense pressure) through the incident response steps. But they aren’t trained for that. So, giving them the tools they need in advance and then having a consultant or an internal responder on the phone with them walking them through things step-by-step, is certainly not ideal.”
In addition to not having remote access at sites, there are other problems, including the number one concern of keeping critical infrastructure online, which requires drastic changes to the way these sites operate. “Critical infrastructure operators plan for every contingency and they have done a marvelous job of keeping the power on, the lights on, the water coming out of the pipes and manufacturing operations in place, but they are human too,” Carhart said.
Typically, an incident is a couple weeks or months, then it’s over. Given that industrial cybersecurity is inherently a stressful job, these professionals are well versed in managing the stress of critical incidents, but those incidents are not constant events. They happen in isolation.
The current reality has put every worker under multiple intense stresses, and Carhart said we can’t be naïve enough to expect that doesn’t impact people’s work. “It means even more checks on findings and detections. Maybe it’s two people check every task instead of one to make sure that both our analysts and incident responders aren’t missing things.”
It’s important to think about the human element of the attacker and understand that the challenges we are currently facing will inevitably give rise to a lot of desperate people in the world, which means now is not the time to get rid of your cybersecurity staff. It is time to create more monitoring on these remote connections and re-evaluate your incident response plans.