When WFH Isn't an Option

A friend recently posted on social media a question along the lines of, "who are all these "essential" workers that can't work from home?" As an IT professional with family members that work in critical infrastructure, I felt a need to shed some light on what all those citizens are experiencing while the rest of us are sheltered-in-place. Additionally, some companies have realized that some of their workers are repeatedly making trips into the office/facility/datacenter to do work that cannot be performed remotely. If you've wondered the same, or are looking for ways to better protect your own workforce, read on!

In February, Edison Electric Institute, an association for electric companies whose members provide electricity for roughly 200 million Americans, warned that electric utilities might be impacted just like any other business: with up to 40% of the personnel out sick, quarantined, or out of work caring for sick family members. That includes power plant operators, line workers, call center representatives - everyone involved in the delivery of power to our homes and businesses.

While most businesses enact or expand “Work From Home” (WFH) policies, critical infrastructure such as power utilities, along with many others, may not have that luxury.

There are two categories that immediately come to my mind when facing “remote work” challenges:

1. Operational Technology (OT), such as industrial control systems in manufacturing, utilities, etc.
2. Highly sensitive and secure systems that may be intentionally “air gapped” from the Internet.

Operational Technology (OT) often can’t be managed remotely.

In many of our industrial and manufacturing clients, efforts have been made to carefully segment and isolate OT and IT networks. In fact, this connectivity gap is a major factor for many companies working to implement IIoT - the “Industrial Internet of Things”. Even in cases where connectivity is achieved, taking action in an industrial environment may still mean physically pulling a lever or opening a valve.

In cases where IT and OT have successfully converged, the ‘bridge’ between the two is justifiably tightly controlled. These restrictions create choke points for hackers and malicious actors trying to move between networks - but they also prevent or limit remote work. In one instance, these machines and appliances were configured such that only a single connection is allowed at a time - a reasonable precaution under normal circumstances. However, under these challenging times, it means IT administrators are ‘colliding’ with each other - one admin logging in to do work effectively kicks off a coworker right in the middle of their task.

In some instances, such as our critical infrastructure (power, gas, water, etc.), operations must remain continuous. It is common practice for essential engineers, operators, and technicians to be onsite and providing 24x7 coverage via multiple overlapping shifts. This means when you start your shift you’re sitting down at the same desk, and using the same keyboard, workstation, and phone, as the person who worked the shift before you. Additionally, maintenance is often only performed during a scheduled shutdown. Shutdowns are not scheduled frequently - and are never rescheduled. 

High security means less connected.

Many of us in IT have long recognized the compromise between security and connectivity. The more secure a system needs to be, the less likely it is to be connected to the Internet - much less able to be remotely controlled or managed over the World Wide Web.

Our nation’s intelligence agencies have policies that strictly forbid working from home. Plenty of corporate security personnel would cringe if intellectual property were being copied for at-home work, and we would all agree that it’s generally a bad idea for doctors to take medical records home. 

In other words, these are rules that exist for valid reasons, and those reasons haven't changed due to the current pandemic. 

So, what do you do?

In these cases, you must take measures to limit the biological exposure of your critical personnel and operations teams. Many companies are screening personnel before entering a facility - but let’s face it, if an employee is already running a fever, they’ve likely already exposed their peers to the contagion prior to symptoms emerging. 

In addition to screening for already sick employees, consider implementing ad-hoc physical barriers and temporary additional air handlers. Since some environments are ill-suited to “social distancing” and workers must be in close proximity to one another you should either enforce the use of personal protective equipment (PPEs) such as face masks, or erect temporary physical barriers if PPEs are not practical or available. A little clear acrylic and disinfectant spray could go a long way - and I’ve also seen “air dams” used as a creative solution. 

Company guidelines should also be in place to limit off-hours exposure. Consider offering positive incentives for adjustments to habits and lifestyle. After all, we do the same to encourage smoking cessation and more exercise - similar incentives can be applied in response to the pandemic.  

In extreme cases, an organization may even need to consider screening and then sequestering critical personnel. Hopefully, you’ve considered this and included it as part of a pre-existing crisis plan and employee agreement.

In all cases, I urge organizations to resist the temptation to create temporary connectivity or temporarily ease access restrictions. As a colleague often reminds me, “there’s nothing more permanent than a temporary solution.” Even though some hackers have made a promise not to attack our healthcare system during this time of crisis, there’s plenty of evidence that attacks are ramping up against our OT systems, and even our home networks and video meetings.

Bonus tip: provided by a CISO colleague, especially when participating in video meetings. 

Be aware of your surroundings when engaging in video meetings. Items in the field of view - documents, pictures, collectibles and memorabilia - can be leveraged by hackers to identify targets for physical theft or enable follow-up cyber crime. Remember, just like anything on the Internet, what is seen and heard in a video conference can live forever - recorded and stored on myriad distributed systems, waiting to be exploited for gain.