COVID-19's Other Viral Threat: Cyber
By Ian Bramson, Global Head of Cybersecurity
Latent cyber risk. That's what we in the cyber business call a cyber threat that is undetected, unplanned and unanticipated. These are the cyber risks that lurk in the dark places of your networks and the exposures that you didn't think about that come out when you least expect them.
Maritime has a lot of examples of these, such as when companies start connecting systems, devices and networks that were never designed to be connected. As fleets become more automated and digitized, we are connecting all sorts of systems—ones where cybersecurity was never even a consideration. The legacy networks don't have the protection, updates or design to make them cyber resilient because no one thought they would be connected when they were built. Hook up an old system to the internet, and you run the risk of unintentionally exposing it to a whole host of new cyber risks that you never considered.
Snap-back cyber risk
COVID-19 has its own latent cyber risk. With the sudden and unexpected onslaught of the COVID-19 pandemic, companies had precious little time to convert to an almost fully remote working environment. They scrambled to adapt, and expanded and stretched networks way beyond their normal limits. As entire workforces switched to working from home, work networks mingled with home networks, people emailed documents to personal accounts and USB drives were used to help move and share files like never before.
Most IT departments have done a great job reworking their systems and networks to accommodate an immediate and severe shift in how they operate. However, they exchanged a lot of control for operational flexibility. Work offices became home offices, which also became home schools, entertainment centers, online shopping and part of daily family life. For months, work computers have been sitting on home networks and have been used to help people cope with the realities of safer-at-home restrictions.
As a result, the attack surface—the exposure points that attackers can exploit—exploded. Add to that the COVID-19-related cyber scams that have employees unintentionally clicking on bad links, and you have a perfect environment for cyber malware and other exploitation to grow.
Now, many organizations are bringing everyone back to the workplace. Most are thoughtfully planning how to bring people back together. Temperatures will be taken, masks will be worn and social distances will be respected. However, few are considering how to reintegrate computers, devices and systems.
As networks snap back from their over-extension, they will bring back the cyber malware and exploits that could be infiltrating their over-extended networks. This is the latent cyber risk of COVID-19, and it needs to be addressed.
You cannot socially distance a network
Once your systems and networks are interconnected, and connected to the Internet, malware and intruders can spread almost instantaneously. The most you can do is segment, protect and monitor those networks. Unfortunately, too many OT networks do none of these.
Contact tracing a cyber attack is very difficult. Once in, it can be extremely hard to see where malware or an attacker has spread. It can spread in nanoseconds and attackers can be very skilled at covering their tracks. This is much harder in the OT environment, where it takes very specialized expertise to even understand how an attack could spread.
No system is standalone. There is a perception that some systems are not connected to anything, thus they have an "air gap" and are not vulnerable. That is incorrect. From updates to operations, systems will have some form of connectivity, even if it is someone running an update from a disk. The general rule in cyber is, if someone can get to it, they will.
We are hoping that COVID-19 does not significantly mutate. Unfortunately, the nature of cyber is to hyper-mutate. Every malware, every attack type and every mutation is being continuously adapted. Attackers are relentless at refining their attacks. Malware strains last months, weeks or days before new iterations come out. As we become more digital, we reshape the environment for cyber attacks. They respond by being in a constant state of change. You can't only consider the last attack; you need to anticipate the next one.
We change. They change. We change. Constant vigilance, flexibility and adaptation is the nature of cyber.
You need good cyber hygiene
What can you do? First, you need to account and plan for cybersecurity. It is now a business imperative. It needs to be a daily part of operational and safety risk management. You then need to proactively manage it. This means that you need to create a cyber program that accounts for the assessment, planning, protection, defense, detection and response needed to minimize your cyber risks.
There are a number of cyber technologies, services and solutions that can help you protect your networks. Find the right partners who have the deep expertise in IT and OT environments and work with them to build the program that fits your specific situation. Strong cyber hygiene can prevent most cyber infections. It can also help you handle a critical exploitation if you are unfortunate enough to have to face one.
As for the COVID-19 snap back, you need to make it an integral part of your restart program. This could mean everything from new policies and education, to enhanced scanning, monitoring and management of IT and OT networks.
Remember that COVID-19 is not the only virus that your employees can bring back into your workplace.