The COVID-19 outbreak has forced many companies to change the way they conduct operations. Leaders have had to divide employees into essential and non-essential categories. Essential employees must report to their worksites and perform required tasks to keep businesses in operation. Non-essential workers, while still important and needed for the continued success of companies, are often being allowed to perform their duties from home, at least in the short term, by working over an internet connection tied to their work computer or to a cloud-based system.
I think most people would agree that being able to work remotely is a blessing, especially during a pandemic. Many companies have been providing telework capability for years–it comes in handy whenever employees are traveling for work or personal reasons. Remote access also allows more flexible work schedules, which can improve morale and reduce employee turnover. According to Gallup's State of the American Workplace report, 43% of employees in 2016 worked remotely in some capacity. That was up 4% from 2012, and it has most likely climbed even more today.
A study published by the Boston Consulting Group (BCG) says more than 30 million office workers in the U.S., and up to 300 million globally, are expected to work from home due to COVID-19. However, the report says shifting work patterns on such a massive scale can have serious unanticipated cybersecurity implications. The authors recommend seven steps companies should take to safeguard systems from cyber attacks. The actions are somewhat general in nature and apply to all industries.
Cybersecurity: A Team Effort
To get a more power-industry-focused perspective, I spoke to Leo Simonovich, Siemens Energy's global head of Industrial Cyber and Digital Security. On March 4, before strict COVID-19 lockdowns were widely enacted, Simonovich led a tabletop exercise at the 3rd annual Energy Cyber Security Group vendor/operator conference in London. Simonovich walked attendees through a simulated crisis in which a fictional city's main electric utility experienced a blackout caused by a cyber attack.
"It's important that we make these exercises as realistic as possible, and involve all parts of the organization and its supply chain," Simonovich told me after the event. "If you look at the latest survey that we did with the Ponemon Institute, the majority of utilities can expect at least one major attack that will lead to a shutdown or a safety event. So, this is a new reality that utilities are facing. And today, one-third of them don't have an incident response plan."
The scenario Siemens devised drew on a set of recent incidents in which intruders entered systems through basic vulnerabilities, then took advantage of the high-tech, digitalized, distributed environment where some utilities frankly don't have great visibility. Simonovich said it's that lack of visibility that leads cyber-attack responders to search for more information about the event so they can put pieces of the puzzle together.
"It's something that they would undertake at different levels of the organization with different dimensions. So, for example, the utility would consider: Do I investigate my physical supply chain, at the same time as an employee that has gone missing, at the same time as I conduct forensic analysis of my networks? These pieces of information–are they relevant to me or are they not? And this is where being part of a multi-disciplinary team where you engage vendors to support you in identifying facts, and then acting on those facts, is really important," he said.
Simonovich said there were two big takeaways from the exercise. One was that trustworthiness is vitally important. "We as a community need to come together to respond to a crisis," he said. "Many utilities today do not even have the phone number of their suppliers that they can call in case there is a cyber event, let alone engaging them as part of a multi-disciplinary team."
The other was that utilities need to take a proactive approach, and quickly, yet thoroughly, identify what is likely to have an impact on availability, reliability, and safety. Simonovich said Siemens has been responding to cyber incidents for more than 30 years. It operates about 400 factories and 80 power plants for customers around the world, so the company's insight comes from practical experience.
"Every one of our customers needs to have a plan that involves us in helping them respond to attacks and vice versa, because we are increasingly interdependent on each other because of digitalization," said Simonovich. To learn more about Siemens' incident response playbook, visit: www.bit.ly/Siemens-Cyber.
I found one analogy from the BCG report particularly profound. The authors wrote, "Cyber attacks are like the COVID-19 virus itself. Patching your systems is like washing your hands. And not clicking on phishing emails is like not touching your face." I would take it a couple of steps further and suggest that maintaining good firewalls is akin to wearing a mask in public. And having air gaps in vital networks is similar to the now-common six-foot social distancing rule. Suddenly, it's obvious that the term "computer virus" was appropriately coined.
During this challenging time when so many people are working remotely, it's more important than ever to keep cybersecurity top of mind. Please do your part to stay safe and healthy, both physically and digitally.
–Aaron Larson is POWER's executive editor.