Security Think Tank: The year of the work-from-home hangover

We know that working from home is causing a surge in demand for home improvement and DIY products, as people realise the flaws in their domestic setups that were never arranged for day-in, day-out telecommuting. 

Corporate IT security, likewise, is still slowly adjusting to the new reality. This falls into two main camps – cleaning up the mess created in haste and getting around to things that were overlooked.

The rush to work from home caught some organisations unprepared, and it showed. As Warren Buffet famously said, “you only find out who’s swimming naked when the tide goes out”. A few companies, mostly in tech, barely noticed the change, because they had supported a mobile workforce for years, including all of us workaholics who took our laptops home as soon as they weren’t chained to our desks and never stopped working.

For many others, however, it was a new and challenging transition to stand up remote working capabilities with essentially no notice. While that rush is over, the clean-up is far from it. Virtual private networks (VPNs) were built in haste, and shown to work, but working and being secure are two very different things.

Organisations built out the IT versions of shanty towns – whatever they could get up and running quickly. We saw single companies provision and deploy thousands of new devices in a matter of weeks, sometimes with basic errors in them that were replicated at scale. 

Like so much in IT, clean-up happens mañana, if it happens at all. The big winners in 2021 will be those who can help map out all this rapidly built infrastructure as companies realise the downsides of living with it long term.

The other major category for 2021 is to get back to the assets that couldn’t move, even though the operators did. Despite all the hype and hope around cloud-based transformation, most organisations still have a VPN of some sort, because they have some assets that couldn’t just up and move when the pandemic came along.

Chief among these are industrial and manufacturing businesses, with factories, plants and industrial control equipment. Of course, nobody seriously expected any of this to move into employees’ homes, but what is the alternative?

In some cases, exceptions and waivers to quarantine rules were used to allow people to tend machines in person, the way they always had. But increasingly, the pressure keeps building for the industrial internet of things (IIoT), which offers the promise (and curse) of remote access to industrial control systems.

“The next wave for security is to wake up, smell the coffee and get on with the hard work of securing armies of remote workers – and then ramp up the long-overdue attention to fragile industrial systems on the IoT”

Every chief financial officer is delighted at this prospect, but every experienced security professional is terrified – supervisory control and data acquisition (Scada) systems are old, critical, and were designed for resilience against some very specific kinds of threats.

The bad news is these old threats are nothing like the threats we encounter on the internet – the online world is full of wily, motivated, patient attackers, as opposed to the old enemies like natural disasters or the mechanical instability of physical machines.

Systems designed by people worrying about floods are physically strong, but digitally, they are incredibly weak – some of the weakest gear out there, using protocols designed years before we realised how scary a place the internet can be.

Simply put, Scada systems are not ready to be exposed to the internet, but the pandemic has redoubled the pressure to allow operators to do their work remotely. This unresolved tug-of-war will lead to increased spend in 2021 on defences designed for the IIoT, and for assessment technology that can tell whether the defences are sound without actually breaking the critical systems first.

Data diodes that can control what information goes where will be one aspect, helping create the “boy in the bubble” strategy needed to protect these devices and their compromised immune systems. 

The other aspect will be assessment and triage, identifying and mapping out defensive gaps so they can be plugged before someone takes all our critical systems offline.

In conclusion, the next wave for security, after the pandemic disrupted work patterns worldwide, is to wake up, smell the coffee and get on with the hard work of securing armies of remote workers – and then ramp up the long-overdue attention to fragile industrial systems on the IoT. These factories, utilities and physical assets need to be controlled remotely, but just aren’t ready for all the digital aggression they will meet once exposed to the internet.