As the novel coronavirus spreads throughout the United States, federal agencies and energy companies are calling on employees to work from home — a move that raises hacking risks, cybersecurity experts say.
The Department of Homeland Security, the Department of Energy, the Federal Energy Regulatory Commission and other agencies are stress-testing their information technology infrastructure as they prepare for an influx of remote workers. The White House on Friday urged federal agencies to start allowing employees most threatened by COVID-19, which the coronavirus causes, to work from home (Greenwire, March 13).
Utilities are following suit as the number of U.S. infections grows to over 1,600 confirmed cases and 41 deaths, according to the Centers for Disease Control and Prevention (see related story).
The rise in telework increases the number of possible avenues for a cyberattack as employees log in to sensitive networks from home, cybersecurity experts say. The virtual private networks, or VPNs, that enable remote access may not be kept up to date, adding to the risks as organizations begin to rely on "unpatched" software in the coming weeks.
Cybersecurity workers typically count among "nonessential" employees directed to work from home as energy companies act to curb the spread of the coronavirus, experts say.
That’s not a major issue for IT infrastructure, said Marco Ayala, senior life-cycle services manager with cybersecurity firm aeSolutions. But it would essentially halt all but the most critical security patches for the operational technology that manages the power grid, oil and gas facilities, and other infrastructure.
IT software can typically be fixed remotely, but OT system patching requires a lengthy process to ensure that the fix doesn’t bring down operations.
"That patch would have to be highly critical to safe operations" to be applied during the pandemic, Ayala said.
He added that an OT network engineer could be considered an "essential" employee but may still be asked to work from home.
Even in normal circumstances, many OT systems go unpatched because they use old software that can break if an update is applied.
"IT is definitely better off than OT here," said Nathan Brubaker, vice president of threat analysis at cybersecurity firm FireEye Inc. Some OT patches "just can’t be done remotely," he added.
Unpatched systems are more vulnerable to hackers, though energy companies typically try to eliminate or closely guard digital pathways between the most sensitive OT systems and the public internet.
‘A lot more traffic’
Cybersecurity firms have seen a drastic increase in "spear-phishing" and other cyberattacks from criminals and nation-states using the coronavirus as a lure to trick victims into clicking a malicious link.
Nation-state hacking groups could use the increased number of VPN connections as a cover to "blend in" with legitimate traffic, Brubaker said.
"Let’s say a company that’s typically maybe 20% remote is now over 90% remote. That’s a lot more traffic they have to watch out for," said Brubaker.
DHS’s Cybersecurity and Infrastructure Security Agency released an advisory Friday providing guidance on the use of VPNs, saying that "more vulnerabilities are being found and targeted by malicious cyber actors."
CISA also warned that organizations are less likely to keep VPNs updated with the latest security patches.
VPNs have posed big problems for the electricity sector in the past. In 2015, Russia-linked hackers targeted three Ukrainian power companies, causing the first-ever blackout from a cyberattack. The hackers used a spear-phishing campaign to infiltrate the IT systems of the utilities and then used VPN connections to migrate from the IT infrastructure into the industrial control system network overseeing the flow of electricity. The grid operators did not have a "capable monitoring program" in place to spot the abnormal traffic, experts said at the time — something many U.S. utilities lack (Energywire, July 20, 2016).
Recently, energy-focused Iranian-linked hackers, variously known as APT33, Elfin or Refined Kitten, began a password-spraying campaign against U.S. electric utilities aimed at breaking into IT networks (Energywire, Jan. 10). There have been no indications that APT33 has slowed down or stopped that campaign, said Brubaker.
Unpatched VPNs have long been used by nation-states and financially motivated cybercriminals as an initial point of entry. In February, cybersecurity firm ClearSky said that APT33 frequently uses known vulnerabilities in VPNs and telework software such as Citrix to hack its victims.
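As an added example, not from the article or any of the firms quoted in it: a small Python detector for the password-spraying pattern described above, run over constructed VPN gateway authentication log lines. The log format, field names, source addresses and thresholds are assumptions; the point is that a per-account lockout counter never fires on one or two tries per account, so detection has to pivot on the source and count distinct accounts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample VPN gateway log (not from any real system); assumed format:
# ISO timestamp, host, "auth", result, user=..., src=...
SAMPLE_LOG = """\
2020-03-13T08:00:01Z vpn-gw auth FAIL user=alice src=203.0.113.7
2020-03-13T08:00:03Z vpn-gw auth FAIL user=bob src=203.0.113.7
2020-03-13T08:00:05Z vpn-gw auth FAIL user=carol src=203.0.113.7
2020-03-13T08:00:07Z vpn-gw auth FAIL user=dave src=203.0.113.7
2020-03-13T08:00:09Z vpn-gw auth FAIL user=erin src=203.0.113.7
2020-03-13T08:00:11Z vpn-gw auth OK user=frank src=203.0.113.7
2020-03-13T08:01:00Z vpn-gw auth FAIL user=gina src=198.51.100.20
2020-03-13T08:01:05Z vpn-gw auth FAIL user=gina src=198.51.100.20
2020-03-13T08:01:20Z vpn-gw auth OK user=gina src=198.51.100.20
2020-03-13T09:30:00Z vpn-gw auth OK user=henry src=192.0.2.55
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth (?P<result>OK|FAIL) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Parse matching log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources failing against many distinct accounts with few tries each inside
    one window; also list accounts that logged in OK from that source afterwards."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["src"]].append(ev)
    alerts = {}
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # slide the window over each start
            per_user = defaultdict(int)
            for e in evs[i:]:
                if e["ts"] - first["ts"] <= window:
                    per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                ok = {e["user"] for e in events
                      if e["src"] == src and e["result"] == "OK"}
                alerts[src] = {"targeted": sorted(per_user), "succeeded": sorted(ok)}
                break
    return alerts
```

In the sample, the second source (two failures then a success for one account) is an ordinary mistyped password and is not flagged; the first source is, and the success that followed it from the same address is exactly the event worth escalating.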
Last week, the North American Electric Reliability Corp. called for electric companies to provide business continuity plans and answer questions on their readiness in case of a pandemic outbreak (Energywire, March 11).
Despite the warnings, Brubaker said he is not worried that the power will go out anytime soon.
"I’m pretty confident that we will keep our energy on," he said. "They’re definitely in a better position than lots of other organizations."