Smart technologies’ presence in the home grows with each passing day. The work-from-home (WFH) migrations of many workers seeking convenience while coping with “covid-19 encouraged isolation” have spurred this transformation to new levels of ready adoption. Smart thermostats, lights, home security cameras, front doorbells, automobile integration, automated window shades and curtains, TVs and more, all managed through smart home controllers employing technologies like Zigbee, Z-Wave, Alexa, Google Assistant, HomeKit, and SmartThings, to name some, have created a cyber risk challenge far in excess of past concerns over using personal portable, mobile, or home printing devices over wifi. They all represent potential access points for malicious actors seeking more than a way into remote workers’ homes. They are seeking access through them to the richer prizes within your infrastructure. That footprint, once defined by the boundaries of a dedicated datacenter, now may extend to the vastly more flexible and encompassing resources in the cloud.
Additionally, some traditional control systems that were never exposed to the internet now have front-end remote controls too. Does your risk program account for all of these risks? Are you even certain your footprint is clearly identified? How well does your TPRM (Third Party Risk Management) process integrate with these matters?
Here’s the Situation
Let’s back up a bit. Until recently, ICS (Industrial Control Systems) and SCADA (Supervisory Control & Data Acquisition) systems were completely air-gapped from the internet. They had their own hard-wired console interfaces and were managed onsite by skilled personnel. This class of technologies represents OT (Operational Technology), the core technologies of industrial systems. Today, it’s increasingly common and even operationally necessary to connect these systems to the internet so remote staff can continue to manage them. Several factors can increase the number of vulnerabilities in such OT systems. The introduction of new technologies enlarges the attack surface of these systems, potentially introducing new vulnerabilities. Old systems that were previously difficult for an attacker to reach are now visible through internet and cloud connectivity, exposing vulnerabilities that were always present but may not have been discovered. And some vulnerabilities that were known but disregarded, because access hurdles gave the appearance of “safe boundaries”, are now much more attractive to malicious actors.
Another major influence on the number of vulnerabilities discovered is the increasing maturity of the industry. With bug bounty programs (where security researchers are encouraged to research and discover vulnerabilities) and defensive frameworks being developed, ICS and SCADA technologies are drawing much more attention from security researchers, which again means preexisting vulnerabilities are now being identified at a higher rate. For an example of how vulnerable one OT resource can be to hacking, here’s a link to a Wired.com article on an electrical power system taken down by a file smaller than the typical .gif (https://www.wired.com/story/how-30-lines-of-code-blew-up-27-ton-generator/).
Then there’s the cloud. The cloud, for all its potential for flexible allocation of resources, dynamic sizing, and operating and cost savings, offers some unique cyber challenges too. In many configurations, cloud content is housed in a multitenant environment, so several unrelated entities may have an account presence on a single instance (device) or across multiple instances of shared hardware and software. Logical access and security service product configurations aside, that makes some cloud instances appear very tempting to threat actors. This is compounded by how access to the cloud is handled: through the internet, using a browser. Internet-based access, part of what makes the cloud efficient and useful, opens the door to all the cyber risks and threats inherent in web-based services. Established cloud providers offer extensive inventories of virtualized security tools, and the best of them can be deployed virtually for a fraction of the traditional data center cost.
The design of security for your cloud implementations must be a primary consideration at the outset. Studies over the recent past have noted that some of the biggest threats to cloud services include such familiar web-centric beasties as stack-based buffer overflows, cross-site scripting, failure to validate input, and weak access controls. Social engineering threats from malicious actors are now an even greater concern across the extended footprint of cyber risk. With these cyber threats in play, third party access to your cloud-based services, however it presents itself, can obviously become a real opportunity for threat actors, perhaps a larger one than in the past. Assessing their access needs, methods, security practices, and governance through your own risk management program is a critical best practice.
And let’s not forget the Internet of Things (IoT). Could the browser being used by your remote staff now be running on a tablet? Or a smart watch? Or a smart phone? To access and operate your critical operating systems? Or to manage your cloud configurations and access controls? Are they using a public, unsecured wifi service? Is the hardware yours, or their personal devices? Are those devices secure? And how, exactly, are they being updated, patched, and managed? And then there are all those other home-based smart devices: do you know how they are configured? How can you have assurance of their security? IoT devices often lack automated update routines, and some still use insecure services like FTP and HTTP. Secure coding or security features within their operating systems are not always a development priority. Smartphone app developers are also known to subscribe to a “function first, security later” approach that once was the bedrock of mainframe software development. But once upon a time infrastructure was a datacenter facility with tight physical controls, and security was thought to be an infrastructure duty. Today, infrastructure is almost anything, and everywhere.
Responding with Resilience
There are no obvious, simple bromides to apply. You need to establish methods and practices that allow all your key players to collaborate and contribute as close to real time as your resources can enable.
Organizationally, this means your risk teams, IT (hardware, developers, network, and support), front line managers, HR (yes, you need their help to shape and disseminate training, policy, and promotion of best practices), and of course management at all levels must participate. There are no sidelines, no uninvolved spectators. This needs to be a full company effort to succeed. Since so much of what you do is now exposed to online activity generated by WFH staff, several disabling threats we’ve discussed before now rise in their potential impact:
- Distributed Denial-of-Service attacks (DDoS)
- Ransomware threats
- Phishing
- Social Engineering
- Third Party Risk Management (TPRM)
Denial of service was always a risk, but with an extended WFH infrastructure, cloud-based services, and some newer web consoles into OT, it can escalate from a merely disruptive event to an existential one. Work with your IT leaders and service providers now to plan responses to this heightened risk. Phishing attacks are often the lead-in to ransomware, and your new environment expands the opportunity. User education is key to success here, and it needs to be refreshed often as creative threat actors devise new methods and means of approach. And do not forget your key third party partners and suppliers. Now, more than ever, it’s paramount to sustain diligence in their oversight, collaboration methods, and compliance with your security and cyber risk needs. TPRM was never more important than now.
In a prior article I mentioned some actions to take for addressing the risks associated with a remote working organization (https://www.doublechecksoftware.com/managing-cyber-risk-in-a-remote-organization/). I’ve updated those recommendations to focus on the expanded risk footprint discussed here.
Near Term:
- Expand any mobile device management software already in place, or acquire such software for enterprises with over 50 remote devices
- Expand use of VPN to all work from home (WFH) staff
- Expand VPN resource capacity
- Tighten VPN configuration guidelines to minimize potential DNS leakage
- Communicate with and educate WFH staff on how to engage and manage VPN services
- Replace all default passwords in home connected devices, including vendor provided routers or repeaters
- Tune and configure infrastructure monitoring technology to scan the extended perimeter and the activity resulting from the increased volume and changed nature of remote access; leverage any cloud-based security operations center (SOC) services you may have
- Explore the viability of split-tunneling VPN configurations to manage costs and monitoring flow
- Watch for signs of a DDoS attack and have a plan to address them
- Enable remote support for clients and customers
- Communicate regularly with staff, clients, customers, and partners; be transparent about challenges, timelines, delays, and efforts to provide services
- Leverage online video and collaboration sessions to deliver end user training and security awareness throughout extended remote operation; follow up with exercises and testing to measure learning
- Review and enable layered security services across all cloud-based data stores, operations, and services; review and monitor configurations and activity in real time
- Instruct all remote staff to actively monitor home devices for patch and security updates and to apply them promptly when made available
Longer Term:
- Develop and implement a work-from-home policy detailing best practices for device security hygiene and maintenance, including implementation of mobile device management (MDM) security solutions, and address best practices for smart home device configuration
- Migrate technology resources, data, history, SOC, perimeter monitoring and threat detection to the cloud
- Acquire, configure, and distribute company managed hardware to key operating staff to support turn-key remote operation on demand, in line with active remote management policies
- Establish ongoing staff training on policies, remote operating practices, tools, resources, and methods; continue to leverage online video and collaboration sessions to deliver end user and security awareness training on a regular basis
- Strengthen authentication practices to incorporate multifactor authentication for users and devices
- Migrate key backup resources to the cloud, employing geographic zone separations wherever feasible
The Expanded Role for GRC
As your risk perimeter expands, and your footprint with it, the need to manage cyber risk grows in complexity and volume. Coordinating the gathering, accumulation, organizing, and analyzing of risk data from WFH users, online monitoring, cloud services, OT and other systems, third parties, auditors, and regulators far exceeds the list, sort, and data manipulation capabilities of traditional office management tools like spreadsheets and tables.
Comprehensive risk assessment processes are essential. So too are the means to track remediation efforts tied to key risk findings that are mapped to primary company goals and objectives. Metrics, leading and trailing indicators, and trends require regular monitoring. A comprehensive GRC tool to support these processes, with embedded functionality that integrates with external data sources and provides rich reporting to inform non-technical people, so that clear, decisive, timely action can be taken when necessary, is now much more of a demand and a reality. GRC solutions provide the operating tools to help thriving companies manage risk efficiently and economically.
Proactive risk management, incorporating cyber, operating, financial, brand, and third party risk, is becoming a core competency in the second decade of the 21st century. This is unlikely to change. The companies best positioned for survival, sustained growth, and success will be the ones that embrace this reality and embed it into their culture. The rest may become artifacts of our economic history.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.