How a Crisis Impacts Industrial Control Systems: COVID-19
The recent novel coronavirus (COVID-19) outbreak is causing significant disruption to the global economy and changing how many companies operate day-to-day. As work-from-home protocols are implemented and shelter-in-place orders continue to propagate, companies need to evaluate and revise their preparedness and response strategies for cyber-incidents. This is particularly true for companies employing industrial control systems (ICS) (e.g., DCS, SCADA, or PLC) to monitor and control critical equipment and processes.
Such systems are vital to the operation of critical infrastructure like pipelines, power generation and transmission equipment, and chemical processing facilities, which are often highly interconnected and mutually dependent. From a cyber-vulnerability standpoint, ICSs differ from traditional information processing systems, in part, because they can have direct and immediate physical effects if compromised. Increased interconnectedness opens these systems to cyber-attacks that could lead to serious financial issues, such as production losses or compromised proprietary information, regulatory issues, and even worse, damage to the environment, human health and safety, and the community.
In the wake of COVID-19, operational and technological personnel are working with understaffed teams and new demands on resources, leaving ICSs potentially (and uniquely) vulnerable. Such distractions create opportunities for cyber-criminals or other bad actors to leverage multiple avenues to exploit these vulnerabilities, including:
- Inadequate policies/procedures;
- Inappropriate remote access controls;
- Improper software maintenance;
- Improperly configured firewalls; or
- Failure to observe and/or respond to inappropriate activity in the system.
Cybercriminals are targeting critical infrastructure to take advantage of this disruption in normal business operations. A recent example is the newly discovered EKANS (a.k.a. “Snake”) ransomware, which encrypts files and can disrupt certain industrial control system processes. The process kill list that it uses is similar to that of a variant of the MegaCortex ransomware that emerged as a threat in 2019. Previous ICS-specific malware attacks appear to have been conducted by or at the behest of state actors for geopolitical purposes. It is highly concerning that this new threat appears to be used by non-state actors purely pursuing financial gain. As a result, these non-state actors could be emboldened by the COVID-19 outbreak and corresponding security vulnerabilities.
Companies should take these and other cyber-threats seriously and ensure that personnel are observing and following general security guidelines and best practices, including particular diligence when it comes to:
- Scanning and filtering all electronic communications to thwart malicious campaigns;
- Conducting refresher security awareness training for all personnel;
- Applying a health-check on the network infrastructure (e.g., accurately configuring firewalls);
- Ensuring that all devices and services are up to date and patched against known vulnerabilities;
- Ensuring that backup policies are in place to support quick access to impacted files;
- Refreshing any incident response team on the company’s incident response action plan; and
- Reviewing your cyber-security policies and procedures to ensure they are well-documented, consistent with best practices, and will withstand scrutiny by regulators in the wake of an incident.
Finally, the National Institute of Standards and Technology’s guidelines and recommendations on the protection of ICS are good reminders to health-check the company’s overall infrastructure. Such guidelines include:
- Restricting logical access to ICS networks and network activity;
- Restricting physical access to ICS networks and devices;
- Restricting unauthorized modification of data;
- Monitoring, detecting, and responding to security events and incidents; and
- Maintaining functionality during adverse conditions.
Companies employing ICS should be increasingly vigilant about phishing schemes and encourage proper security hygiene from all employees. It is also important to remember that all companies are different, and varying controls and procedures may be appropriate depending on the size and complexity of the company, especially during such unusual and unexpected circumstances. The potential costs and follow-on effects from a cyber-intrusion are enormous, from regulatory sanction to securities or other litigation if the company has not implemented sufficient safeguards or made adequate disclosures.
If you have any questions regarding these issues or how your organization can improve its security posture, please contact Matthew Baker, George Fibbe, or any member of Baker Botts’ Privacy and Data Security Team.