Earlier today, the Australian Cyber Security Centre released new COVID-19 guidelines for operational technology environments. The guidelines are designed to aid critical infrastructure providers who are deploying business continuity plans.
“Modifying cyber security defences to the OTE is not a decision you should take lightly,” the guidance says. “Physical worksites such as control rooms and operations floors provide inherent security benefits by restricting physical and cyber access to the OTE. Corporate information technology provides an additional defensive layer.”
As a result of the COVID-19 pandemic, many critical infrastructure providers have been forced to operate with a remote workforce. This has emphasized the need for secure remote access in OT environments.
“Many critical infrastructure providers are moving to remote working arrangements in line with social distancing guidelines,” the COVID-19 guidelines say. “An increase in remote working significantly increases opportunities for adversaries to gain unauthorised access to systems and may cause real world physical harm. Critical infrastructure providers need to balance the risks and opportunities of moving staff offsite and document those considerations for senior managers to make informed risk-based decisions on sustaining business continuity.”
The ACSC advises minimizing overall exposure by considering whether alternate physical sites can provide sufficient business continuity. A secondary control room with dedicated communication links to the OT environments could provide better security than remote access.
The ACSC also recommends establishing a human resource plan to manage the increased workload for telecommunications and cybersecurity specialists. In some cases, adding additional personnel might be necessary to manage this increased workload.
“OTE personnel may have to compete with corporate personnel for network bandwidth when accessing the OTE,” the guidance suggests. “In this case, attempts to gain OTE access may receive a denial of service during a critical time, such as when people’s safety is at risk. Ideally, OTE personnel requiring access to the OTE should have a separate logical path than corporate personnel who need access to the corporate environment. If a dedicated path is unavailable, prioritise the remote access sessions OTE personnel will use.”
According to the ACSC, increasing reliance on remote access requires increased automated monitoring and auditing of account logins, login failures, deviations from baseline traffic and anomalous network access. Operators should produce daily reports that identify abnormal logins and ensure they have the audit trail to support incident response and protective monitoring.
“Automate potentially hostile abnormalities with priority notifications (such as an email or SMS) to your security operations team. Limit notification fatigue by restricting numbers to only those that require urgent investigation, and write targeted, specific and context-appropriate messages,” the COVID-19 guidelines say. “Consider full packet capture on key data choke points both inside the OTE and at the boundary. As the OTE network traffic is often unencrypted, it is difficult for an adversary to remain hidden in a full packet capture.”
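The monitoring the ACSC describes above (auditing account logins and login failures, a daily report of abnormal logins, and priority notifications restricted to what needs urgent investigation) can be prototyped over ordinary jump-host authentication logs. The script below is an added example and is not part of the ACSC guidance or any vendor product; the log line format, the host names `jump-dmz` and `jump-ote`, the addresses, the per-account source baseline and the thresholds are all constructed for illustration. It flags bursts of failed logins, successful logins from sources outside an account's baseline, and successes that follow a failure burst, and it only turns the last kind into an urgent notification so the security operations team is not flooded.

```python
"""Daily abnormal-login report over remote-access authentication logs.

Added example, not part of the ACSC guidance. The log format, host names,
addresses, baseline and thresholds below are constructed for illustration.

Assumed line format (one authentication event per line):
    <ISO-8601 UTC timestamp> <jump host> <account> <ACCEPTED|FAILED> <source IP>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

BOUNDARY_HOST = "jump-dmz"              # first jump, in the DMZ (assumed name)
FAILURE_THRESHOLD = 5                   # failures per account within FAILURE_WINDOW
FAILURE_WINDOW = timedelta(minutes=10)

# Constructed sample: one day of events on the two jump hosts (not real data).
SAMPLE_LOG = """\
2020-04-02T06:58:10Z jump-dmz alice ACCEPTED 203.0.113.5
2020-04-02T06:58:40Z jump-ote alice ACCEPTED 10.50.0.12
2020-04-02T07:10:02Z jump-dmz bob ACCEPTED 198.51.100.7
2020-04-02T07:10:30Z jump-ote bob ACCEPTED 10.50.0.12
2020-04-02T09:15:00Z jump-dmz bob FAILED 192.0.2.44
2020-04-02T09:15:05Z jump-dmz bob FAILED 192.0.2.44
2020-04-02T09:15:09Z jump-dmz bob FAILED 192.0.2.44
2020-04-02T09:15:14Z jump-dmz bob FAILED 192.0.2.44
2020-04-02T09:15:20Z jump-dmz bob FAILED 192.0.2.44
2020-04-02T09:16:01Z jump-dmz bob ACCEPTED 192.0.2.44
2020-04-02T11:40:00Z jump-dmz carol ACCEPTED 198.51.100.9
2020-04-02T11:41:00Z jump-ote carol ACCEPTED 10.50.0.12
"""

# Source addresses each account normally connects to the boundary host from.
# In practice this is built from the existing audit trail; constructed here.
BASELINE: Dict[str, Set[str]] = {
    "alice": {"203.0.113.5"},
    "bob": {"198.51.100.7"},
    "carol": {"198.51.100.9"},
}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    result: str
    src: str


@dataclass
class Finding:
    user: str
    kind: str
    detail: str
    urgent: bool  # only urgent findings become notifications


def parse_log(text: str) -> List[Event]:
    """Parse the assumed whitespace-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, result, src = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, result, src))
    return events


def find_abnormal_logins(events: List[Event], baseline: Dict[str, Set[str]]) -> List[Finding]:
    """Flag failure bursts, logins from unknown sources, and successes after a burst."""
    findings: List[Finding] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)  # account -> recent failure times
    burst_reported: Set[str] = set()
    for ev in sorted(events, key=lambda e: e.ts):
        recent = [t for t in failures[ev.user] if ev.ts - t <= FAILURE_WINDOW]
        if ev.result == "FAILED":
            recent.append(ev.ts)
            failures[ev.user] = recent
            if len(recent) >= FAILURE_THRESHOLD and ev.user not in burst_reported:
                burst_reported.add(ev.user)
                findings.append(Finding(ev.user, "failure-burst",
                                        f"{len(recent)} failed logins on {ev.host} from {ev.src}",
                                        urgent=False))
            continue
        if ev.host != BOUNDARY_HOST:
            continue  # second-jump sources are always the DMZ host; the baseline applies at the boundary
        unknown_src = ev.src not in baseline.get(ev.user, set())
        if len(recent) >= FAILURE_THRESHOLD:
            suffix = " (source not in baseline)" if unknown_src else ""
            findings.append(Finding(ev.user, "success-after-failure-burst",
                                    f"login on {ev.host} from {ev.src} after {len(recent)} failures{suffix}",
                                    urgent=True))
        elif unknown_src:
            findings.append(Finding(ev.user, "new-source",
                                    f"login on {ev.host} from {ev.src}, not in baseline", urgent=False))
    return findings


def daily_report(events: List[Event], baseline: Dict[str, Set[str]]) -> dict:
    """Summarise one day of activity plus the findings that need review."""
    findings = find_abnormal_logins(events, baseline)
    return {
        "date": events[0].ts.date().isoformat() if events else None,
        "successful_logins": sum(1 for e in events if e.result == "ACCEPTED"),
        "failed_logins": sum(1 for e in events if e.result == "FAILED"),
        "findings": findings,
        "urgent": [f for f in findings if f.urgent],
    }


def build_notifications(findings: List[Finding]) -> List[str]:
    """Targeted messages for the SOC; only urgent findings, to limit notification fatigue."""
    return [f"URGENT remote-access alert: account {f.user}: {f.detail}" for f in findings if f.urgent]


if __name__ == "__main__":
    report = daily_report(parse_log(SAMPLE_LOG), BASELINE)
    print(f"{report['date']}: {report['successful_logins']} logins, {report['failed_logins']} failures")
    for f in report["findings"]:
        print(f"  [{'URGENT' if f.urgent else 'review'}] {f.user}: {f.kind}: {f.detail}")
    for msg in build_notifications(report["findings"]):
        print(msg)
```

On the constructed sample the report lists two findings for `bob` (a five-failure burst, then a success from the same unknown address) but sends only one notification, for the success after the burst; the burst alone is kept in the daily report for review. Extending the baseline with expected session times or traffic volumes would cover the "deviations from baseline traffic" item in the same loop.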
To further secure OT environments during the pandemic, the ACSC says critical infrastructure providers should configure a minimum of two jumps for remote access. The first jump should go to a jump host in a demilitarised zone outside the OT environment, and the second jump moves from that host to a second jump host inside the OT environment.
“Preferably, the first jump should be from a device supplied and controlled by your organisation, with a Virtual Private Network connection. If using personal devices, use corporate Virtual Desktop Infrastructure,” the guidance says. “Each remote worker should have a unique account, strong passphrase and individual MFA for each jump. This means it will take a minimum of two unique account names, two unique passphrases and two MFA tokens to reach the OTE.”
Critical infrastructure providers are also advised to document all proposed changes and develop a run-sheet to record both planned and unplanned configuration changes, deployment, and rollback decision points. Device configurations should be backed up before interfaces between corporate and OT environments are changed.
Additionally, the ACSC recommends maintaining a detailed logical diagram of networks throughout the duration of the business continuity plan. Operators should also develop a rapid disconnection plan for 24-hour deployment to disconnect remote access if malicious activity is identified.