Texas RE: Post-COVID Cyber Safety Requires New Priorities
The cybersecurity lessons of the COVID-19 pandemic must not be forgotten as stakeholders return to normal operations, representatives from Texas RE warned.

The cybersecurity lessons of the COVID-19 pandemic must not be forgotten as industry stakeholders return to normal operations, representatives from Texas Reliability Entity warned in a webinar on Thursday.

Speaking at the regional entity’s regular Talk with Texas RE event, Jason Moehlman — the organization’s manager of internal cybersecurity and compliance — admitted that many organizations were caught flat-footed when COVID-19 “[came] in and [hit] us like a ton of bricks” in March 2020. While most entities had a business continuity plan for riding out relatively brief disruptions to normal operations, nobody had contemplated having to extend those emergency measures for a year or more.

“We had a two-week mindset when this decision was made, thinking we’d be back in the office within a month. … For most organizations that’s not quite how it worked [out],” Moehlman said. “In general a lot of [information technology] organizations weren’t quite ready to go fully remote, so there were a lot of on-the-fly decisions being made as to how those users who had never been remote and didn’t have laptops … [were] going to all of a sudden be 100% remote. … The security side of this process may have taken a bit of a backseat to the operational component.”

As the pandemic wore on, those ad hoc remote work arrangements have gradually come to feel permanent in some regards, with many employees coming to enjoy the convenience of working from home and entities even noting some efficiency benefits from not having to keep offices fully staffed.

But as managers consider allowing some of these arrangements to continue, they must be ready to put long-term cybersecurity measures in place as well.

Pandemic Highlighted Existing Issues

Cyber hygiene was viewed as a major risk early in the pandemic, with NERC, among other groups, observing that the expanded remote workforce posed an attractive “attack surface” for malicious actors. (See PPE, Testing Top Coronavirus Concerns for NERC.) Those concerns have borne out; Moehlman said security firms have seen “a real uptick in phishing campaigns” aimed at tricking users into giving up their credentials over the past year.

“It could be that threat actors are thinking it’s a good opportunity to go after these credentials when an organization’s security posture may be [weaker] than it would during non-pandemic times,” he said.

These campaigns can have real consequences, such as the cyber intrusion into a water treatment plant in Oldsmar, Fla., in early February, when an employee at the plant noticed the cursor on his screen apparently moving under its own control to set the levels of sodium hydroxide dispensed into the water to many times a safe amount.

The unauthorized user was quickly locked out and the changes were reversed before any water was affected. However, the incident highlights the danger of allowing unrestricted internet access by computers handling important processes, especially when coupled with a sudden rise in employees working remotely.

There is plenty of blame to go around in the case of the Oldsmar intrusion: The attacker appears to have gained access to the system via the remote access software TeamViewer — the password for which was shared between employees in violation of common cyber hygiene practices. Furthermore, all computers at the plant used an outdated version of Windows 7 with no firewall and were connected to the plant’s supervisory control and data acquisition (SCADA) system.

But Moehlman warned that focusing on the corners cut by a single entity misses the larger point that many utilities may be more vulnerable than they realize. The convenience of remote access requires organizations to compromise on security in ways that may not be visible but are just as potentially damaging as far more obvious breaches.

Too Much Trust Leaves Open Doors

Attempts to rethink cybersecurity in recent years have given rise to the “zero-trust” model, in which organizations treat all users, devices or traffic as inherently untrustworthy until proven otherwise. This is a fundamental change from traditional approaches in which communications were allowed by default with the primary goal of making business functions easier, and it marks a widespread recognition that malicious cyber actors are a growing threat for everyone.

Approaches to corporate cyber defense | Texas RE

One consequence of the trusting approach is that corporate networks allow the installation of third-party software products with the ability to conduct their own communications. This practice became a global disaster at the end of 2020 when the SolarWinds Orion network management software was found to have been compromised by outside hackers “likely Russian in origin,” according to U.S. security agencies. (See FERC Pushes Cybersecurity Incentives.)

About 18,000 public- and private-sector organizations are confirmed to have been impacted by the SolarWinds compromise, which took the form of a backdoor installed by the hackers into updates for the software as early as March 2020, if not before. Last month FERC’s Joseph McClelland told the National Association of Regulatory Utility Commissioners’ Winter Policy Summit that large-scale replacement of affected systems “may be the only option” for some organizations. (See SolarWinds Recovery May Require Extreme Actions.)

Moehlman said the SolarWinds breach was a perfect illustration of the risk of giving too much freedom to third-party software. IT staff may not have been able to avoid getting a compromised copy of the Orion software, but a healthy level of suspicion could have kept it from conducting the communication through which the hackers were able to exfiltrate additional information.

“Was there any reason or need for that SolarWinds server to be able to connect to anything on the internet other than its update service, and possibly a Windows update service if it was hosted on a Windows server? I would suggest not,” he said. “So why don’t we block that traffic? If that traffic was blocked, there’s a good chance that beacon would never be received and those attackers would never be aware that that server was infected.”
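The egress allow-listing Moehlman describes can be checked mechanically: declare the only destinations a management server legitimately needs, then audit its outbound flows against that list and treat everything else as default-deny. The following is an added example, not code from Texas RE, Moehlman or the webinar; the hostname `solarwinds-mgmt-01`, the flow-log format and the destination addresses (drawn from the RFC 5737 documentation ranges) are all constructed placeholders, and the rendered rule text is an nftables-style illustration of the same policy rather than a tested production ruleset.

```python
"""Egress allow-list audit for a management server.

Added example (not from the original article). Hostnames, addresses and the
flow-log format are constructed placeholders.
"""
import re
from ipaddress import ip_address, ip_network

# Hypothetical allow-list: the only outbound destinations this server should
# ever need. Anything else (including an unexpected HTTPS "beacon") is denied.
EGRESS_ALLOW = {
    "solarwinds-mgmt-01": [  # hypothetical hostname
        {"dst": "203.0.113.10/32", "port": 443, "note": "vendor update service (placeholder)"},
        {"dst": "198.51.100.0/24", "port": 443, "note": "OS update service (placeholder)"},
        {"dst": "10.0.0.0/8", "port": None, "note": "internal monitored network (any port)"},
    ]
}

# Constructed flow-log line format: timestamp host= dst= dport= proto=
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None if it does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def is_allowed(host, dst, dport):
    """Default-deny: a flow is allowed only if some rule for the host matches it."""
    rules = EGRESS_ALLOW.get(host)
    if rules is None:
        return False  # unknown host: no egress at all
    addr = ip_address(dst)
    for rule in rules:
        if addr in ip_network(rule["dst"]) and (rule["port"] is None or rule["port"] == dport):
            return True
    return False


def audit(lines):
    """Return the parsed flows that the allow-list would have blocked."""
    denied = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # unparseable line: skip (a real tool would count these)
        if not is_allowed(flow["host"], flow["dst"], flow["dport"]):
            denied.append(flow)
    return denied


def render_policy(host):
    """Render the host's allow-list as nftables-style rule lines ending in a default drop."""
    lines = []
    for rule in EGRESS_ALLOW.get(host, []):
        if rule["port"] is None:
            lines.append(f'ip daddr {rule["dst"]} accept comment "{rule["note"]}"')
        else:
            lines.append(f'ip daddr {rule["dst"]} tcp dport {rule["port"]} accept comment "{rule["note"]}"')
    lines.append("drop")
    return lines


# Constructed sample flows: three legitimate, one to an unknown host on 443
# (what a beacon would look like), one to the update host on the wrong port.
SAMPLE_FLOWS = [
    "2021-03-04T10:00:01Z host=solarwinds-mgmt-01 dst=203.0.113.10 dport=443 proto=tcp",
    "2021-03-04T10:00:05Z host=solarwinds-mgmt-01 dst=10.20.30.40 dport=161 proto=udp",
    "2021-03-04T10:01:12Z host=solarwinds-mgmt-01 dst=198.51.100.7 dport=443 proto=tcp",
    "2021-03-04T10:02:00Z host=solarwinds-mgmt-01 dst=192.0.2.55 dport=443 proto=tcp",
    "2021-03-04T10:02:30Z host=solarwinds-mgmt-01 dst=203.0.113.10 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print(f'DENY {flow["host"]} -> {flow["dst"]}:{flow["dport"]} ({flow["proto"]})')
    print("\n".join(render_policy("solarwinds-mgmt-01")))
```

Run against the constructed log, the audit flags the two flows that fall outside the allow-list: the connection to an address the server has no business reaching, and the update host contacted on a port the policy never granted. The same allow-list, rendered as rules with a trailing `drop`, is the control that would have stopped those flows at the perimeter rather than merely reporting them afterwards.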

A graphic from cybersecurity firm Okta demonstrating various levels of implementing a zero-trust security model | Okta

Moehlman acknowledged that zero-trust “is a relatively new concept in the IT world … [that] does require a leap of faith,” and that most organizations are in “stage zero or stage one” of the maturity curve as defined by security firm Okta. But he encouraged attendees to give it serious consideration as they chart an increasingly connected future in which outsiders gain ever more access to their internal operations — even with the best of intentions.

“It could be a third party that’s managing a portion of your IT infrastructure; it could be the … company that’s changing your air filters, or even the guy who’s stocking your vending machines,” Moehlman said. “You’ve given them some kind of access into your environment and created a possible threat vector that didn’t exist before.”
