COVID-19: Remote Access to Operational Technology Environments

The Australian Cyber Security Centre (ACSC) has produced advice to help critical infrastructure providers protect themselves from cyber attack as key staff work remotely during the COVID-19 pandemic.

Critical infrastructure facilities such as power and water distribution networks, as well as transport and communications grids, are potential targets for malicious cyber adversaries in Australia and elsewhere.

“Securing Australia’s critical infrastructure, and systems that control our essential services, is a major priority for the Australian Cyber Security Centre and our partners in the sector,” said ACSC Head Abigail Bradshaw CSC.

“We are continuing to see attempts to compromise Australia’s critical infrastructure. It is reprehensible that cyber criminals would seek to disrupt or conduct ransomware attacks against our essential services during a major health crisis,” Ms Bradshaw said.

“A cyber incident involving critical infrastructure can have serious impacts on the safety, and social and economic wellbeing of many Australians. If these systems are damaged or made unavailable for any length of time, it can cause significant disruption to our lives.”

Many critical infrastructure operators are making decisions on how to safely keep businesses running while allowing access to sensitive operational technology assets by staff working remotely – staff who would normally be located in control rooms or worksites protected by effective cyber and physical security barriers that restrict outside access.

While social distancing is safer for health reasons during the pandemic, working from home can create cyber security risks that malicious actors are actively working to exploit.

The ACSC advice provides guidance on technical controls that organisations can use to respond to challenges associated with COVID-19, as well as to support operations staff working remotely, some for the first time.

The guidance outlines general cyber security practices for remote working, as well as specific advice for infrastructure operations including:

• consideration of a secondary or tertiary operations control room that may offer better security controls than home or remote access;
• using the key technical control of two communications ‘jumps’ to reach the operations environment, combined with unique accounts, passphrases, and multi-factor authentication;
• maintaining a detailed logical diagram of the operations network; and
• having a rapid disconnect plan that can be deployed quickly at any time if malicious activity is identified.