COVID-19's Other Viral Threat: Cyber

Latent cyber risk. That's what we in the cyber business call a cyber threat that is undetected, unplanned and unanticipated. These are the cyber risks that lurk in the dark places of your networks and the exposures that you didn't think about that come out when you least expect.

Maritime has a lot of examples of these, such as when companies start connecting systems, devices and networks that were never designed to be connected. As fleets become more automated and digitized, we are connecting all sorts of systems—ones where cyber security was never even a consideration. The legacy networks don't have the protection, updates or design to make them cyber resilient, because no one thought they would be connected when they were built. Hook up an old system to the internet, and you run the risk of unintentionally exposing it to a whole host of new cyber risks that you never considered.

Snap-back cyber risk
COVID-19 has its own latent cyber risk. With the sudden and unexpected onslaught of the COVID-19 pandemic, companies had precious little time to convert to an almost fully remote working environment. They scramble to adapt expanded and stretched networks way beyond their normal limits. As entire workforces switched to working from home, work networks mingled with home networks, people emailed documents to personal accounts and USB drives were used to help move and share files like never before.  

Most IT departments have done a great job reworking their systems and networks to accommodate an immediate and severe shift in how they operate. However, they exchanged a lot of control for operational flexibility. Work offices became home offices, that also became home schools, entertainment centers, online shopping and part of family daily life. For months, work computers have been sitting on home networks and are used to help people cope with the realities of safer-at-home restrictions.  

As a result, the attack surface – the exposure points that attackers can exploit – exploded. Add to that the COVID-19 related cyber scams that have employees unintentionally clicking on bad links, and you have a perfect environment for cyber malware and other exploitation to grow.

Now, many organizations are bringing everyone back to the workplace.  Most are thoughtfully planning how to bring people back together. Temperatures will be taken, masks will be worn and social distances will be respected. However, few are considering how to reintegrate computers, devices and systems.

As networks snap back from their over-extension, they will bring back the cyber malware and exploits that could be infiltrating their over-extended networks. This is the latent cyber risk of COVID-19 and needs to be addressed.

It's about safety
The snap-back risk of COVID-19 can have real-world consequences. Attackers are no longer only just interested in stealing data from corporate IT systems. They now are actively trying to understand how to take control of operational networks on-board vessels. This means they now want to take control of navigation systems, engines, valves, and anything else they can get their hands on. The operational networks that control these systems, called operational technology (OT), are uniquely exposed to these kinds of attacks. This is because, as you might guess, they were never designed to have the kind of connectivity we now have.

As attackers target OT systems, cyber security becomes a real-world cyber safety concern. Cyber risk impacts vessel, public, and environmental safety.

You cannot socially distance a network
Once your systems and networks are interconnected, and connected to the Internet, malware and intruders can spread almost instantaneously. The most you can do is segment, protect and monitor those networks. Unfortunately, too many OT networks do none of these.  

Contact tracing a cyber attack is very difficult. Once in, it can be extremely hard to see where malware or an attacker has spread. It can spread in nanoseconds and attackers can be very skilled at covering their tracks. This is much harder in the OT environment, where it takes very specialized expertise to even understand how attack could spread.

No system is stand-alone. There is a perception that some systems are not connected to anything, thus they have an "air gap" and are not vulnerable. That is incorrect. From updates to operations, systems will have some form of connectivity, even if it is someone running an update from a disk. The general rule in cyber is, if someone can get to it, they will.

Cyber hyper-mutates
We are hoping the COVID-19 does not significantly mutate. Unfortunately, the nature of cyber is to hyper mutate. Every malware, every attack type and every mutation is being continuously adapted. Attackers are relentless at refining their attacks. Malware strains last months, weeks or days before new iterations come out. As we become more digital, we reshape the environment for cyber attacks. They respond by being in a constant state of change. You can't only consider the last attack, you need to anticipate the next one.

We change. They change. We change. Constant vigilance, flexibility and adaptation is the nature of cyber.

You need good cyber hygiene
What can you do? First, you need to account and plan for cyber security. It is now a business imperative. It needs to be a daily part of operational and safety risk management. You then need to proactively manage it. This means that you need to create a cyber program that accounts for the assessment, planning, protection, defense, detection and response needed to minimize your cyber risks.

There are a number of cyber technologies, services and solutions that can help you protect your networks. Find the right partners who have the deep expertise in IT and OT environments, and work with them to build the program that fits your specific situation. Strong cyber hygiene can prevent most cyber infections. It can also help you handle a critical exploitation, if you are unfortunate enough to have to face one.

As for the COVID-19 snap back. You need to make it an integral part of your restart program. This could mean everything from new policies and education, to enhanced scanning, monitoring and management of IT and OT networks.

Remember that COVID-19 is not the only virus that your employees can bring back into your work place.