The Impact of COVID-19 on the Cybersecurity Landscape for Critical Infrastructure

Energize Ventures
April 9, 2020

Over the last few weeks, the global spread of COVID-19 and our collective social response have had profound impacts on the way we live and work. Shelter-in-place orders have resulted in a sudden and unprecedented shift to a global remote workforce. Industrial companies shuffling to transition to fully or almost fully remote operations are accelerating their digital adoption overnight, with heightened sensitivity to cybersecurity.

We view cybersecurity as an essential service for many essential industries, protecting both our physical and digital way of life.

In the context of critical infrastructure and industrial operations, the new “work from home” paradigm poses a unique set of cybersecurity challenges as businesses of all shapes and sizes refocus on resilience, continuity and preparedness to weather the storm.

What cyber risks is the market currently facing, and what resources are available for companies to efficiently monitor and secure assets now and in the long term? To get answers, we spoke with two industrial cybersecurity experts and Energize CEOs — Edgard Capdevielle of Nozomi Networks and Rahul Kashyap of Awake Security.

What security challenges are top-of-mind for industrial companies right now, and how have you seen companies use technology to adapt to those challenges?

  • EDGARD: For industry and operational technology (OT), the attack surface has expanded very quickly as more sites have to be opened to allow for remote access. Whereas before roughly 9 percent of machines were accessible by remote workers in an operational facility, for example, we’re now seeing more than 50 percent with access in a matter of days. In other words, activities that used to be done by a few people, and frequently on-premise, are now being done by many and exclusively remote. There’s been an increased focus on remote connection monitoring for operating assets.
  • RAHUL: With more people working from home, we’ve observed an uptick in shadow IT (think personal/cloud-based file sharing services and remote access software) over the last few weeks — as much as a 75 percent increase. In this situation, ease of use often trumps security because people are just trying to get their jobs done in our new environment. In addition to employees using less secure platforms, it’s also more difficult for IT teams to monitor access especially when it might originate from an unmanaged or personal device. We’re in a scenario that was impossible to prepare for, and many companies lack specific rules or have guidelines that need to be updated.

With a vulnerable target base, phishing attacks are becoming more prevalent. What are some best practices to combat these threats?

  • EDGARD: We’ve seen an increase in the volume of threats specific to industrial verticals and OT networks, such as phishing attempts. Additionally, the attacks we’ve been receiving are extremely sophisticated. Employing basic cybersecurity hygiene — such as labeling external emails as external, enforcing DMARC, and similar measures — can address much of this problem. Nozomi has responded to this by implementing a number of COVID-19-specific patterns and rules to our Threat Intelligence service, which we’re going to soon be making freely available for anyone to consume.
  • RAHUL: Cybercrime is skyrocketing as attackers are doubling down and leveraging the vulnerability of a population that is worried and more reliant on the internet and network connections. Across our industrial customers, we are finding a significant resource constraint. For instance, we have seen thousands of new coronavirus-related domains registered since early March. Many of these are legitimate, but it can be difficult for an analyst to distinguish between those and the phishing lures promising to share an updated COVID-19 spread map, for example. Awake’s managed solution can help combat this because we are able to correlate malicious activities across the entire ecosystem, and the platform automatically uncovers active campaigns even when the threat actors attempt to blend into normal traffic.

Adapting to our “new normal” means anomaly detection-based solutions need to establish a new baseline of what legitimate activity looks like. How are you tackling this challenge?

  • EDGARD: Monitoring critical infrastructure has never been more important. The increase in volume of people that have remote access to a site makes it harder to detect abnormal activity since we cannot default to usual patterns or repetitions. Because of the unpredictability that comes with more people accessing connections remotely, you must integrate AI — behavior-based anomaly detection — on industrial control networks.
  • RAHUL: This raises a great point on why pure anomaly detection-based solutions really struggle. Right now, pretty much everything is an anomaly — but what is truly malicious? This is why visibility and entity context are critical. You need to have an awareness of what’s going in and what’s going out and most importantly who is involved in the network activity. We’ve seen instances of hackers moving laterally without clear boundaries between IT and OT networks, which can be very difficult to track. Awake’s platform addresses this problem and can be deployed and provide value very quickly, which is especially important right now. We’re currently offering free threat hunting expertise along with our platform for those responding to COVID-19, so if that applies to you please consider reaching out.

In a world overwhelmed by uncertainty, one thing is certain: Now is the time to make sure essential industries are resilient and prepared.