Information Security: The Dangers of Remote Access at Electric Co-ops

The COVID-19 pandemic has changed the way many electric co-ops operate. Prior to recent world events, remote access technology for team members wasn’t widely used by electric cooperatives. This made managing the co-op’s information security a bit easier.

Today, however, remote access for electric cooperative employees is widespread. While this allows co-ops to continue to operate in the current climate it also introduces some cybersecurity risks.

That said, remote access isn’t entirely new to electric co-ops. It’s been a key component of their operational technology for years. For example, IT workers use remote tools to support machines in another building or a device at a substation. A dispatch center might have a remote connection to control what they see on their screens. When electric co-ops install software or devices from another vendor, that vendor may install a remote access application on one of the cooperative’s servers. In some cases, the cooperative’s employees may not even realize that remote application is now part of their overall system and is now a potential vulnerability.

A Calculated Risk

It’s clear remote access, both for co-op operations and employees working from home, is here to stay. While no longer optional, it’s important to be aware of the risks remote access can introduce into your co-op’s system.

The more closed your co-operative’s network is, the better. Still, you also need to be able to access your network. Think of an automatic garage door. You could make it safer by disabling the remote and removing the outside handle. Now bad guys can’t clone your remote’s frequency or easily pull up the door to get in. But the garage will be much harder for you to use, too. Parking your car becomes a highly inefficient process that involves getting out of the car, struggling to pull the door up without a handle, getting back into your car, parking it, and then manually closing the garage door. Though your home’s security has improved, it’s come at a pretty high cost. That’s why when it comes to remote access you need to find a healthy balance between maintaining security but also granting access to the team members who need it. Understanding exactly what the risks are can help you do that.

Some remote access risks come from the devices people use, especially as they work from home. An IT-monitored device is constantly checked to ensure it is up-to-date, virus-free, and running all necessary software to keep itself and the cooperative protected. A personal laptop, on the other hand, could be crawling with viruses and malware. It may not have been updated in years and could be running out of date, exploitable software. Now that vulnerable device is connected to your cooperative’s network and could be putting the entire co-op’s system at risk.

Another risk factor is passwords. If a remote worker uses the same password for a work account and their personal account and gets hacked, your co-op’s network is potentially compromised. Or, an employee may not have updated the password to their personal device in years. When a remote worker has poor password management, that means your co-op now has poor password management, too.

There are also a lot of remote desktop (RDP) exploits. RDP exploits can be done in a number of ways but they all allow hackers to get into an organization’s system and have the same control and access as an authorized user. The attacker using an RDP exploit is essentially sitting in front of a user’s computer with the ability to wreak havoc on their system and there’s no way for your IT to know it’s happening until it is too late.

It’s important to note that RDP exploits are how hackers get into a system and gain administrator access to it. It’s the method of delivery, not necessarily the main attack itself. Once inside the system, hackers can wreak havoc in any number of ways, from using an organization’s legitimate email address to send out spam to denying access to a machine or committing identity theft.

For example, the primary method of ransomware transmission used to be phishing (sending malicious links or downloads in an email), but now RDP is the main way ransomware is deployed. That’s because we’ve gotten pretty good at telling users about spotting phishing attacks. Hackers have caught on to this and have found other ways to get their ransomware into systems.

That’s partly the reason for the rise in RDP exploits. An employee can opt not to click on a malicious link in an email because they’ve been taught to recognize it as suspicious. It’s much harder for them to prevent a bad actor from tagging along when they log onto their work desktop from home, especially when they have no idea someone else has gained access into the system.

Further, people don’t always update software, and those updates often have necessary security patches. For example, the remote connectivity software TeamViewer works and, if deployed correctly with multi-factor authentication, is safe and secure. But there have been exploits. So it’s important to make sure software such as TeamViewer and the like are always updated.

Even used internally, remote management tools can cause problems if you don’t keep them up to date. Somebody has to stay on top of every one of the remote tools being used and make sure they’re up to date at all times.

Mitigating Remote Risks

Despite these risks, remote work, and thus remote access, is here to stay. But there are ways you can mitigate the risks that come with remoting without hindering the productivity of the organization.

One way to achieve information security is to make sure you’re constantly and effectively monitoring your network. That means you track who’s logging in, what they’re logging into, and have a general sense of when and why. This isn’t something that a human can do by themselves, you need artificial intelligence combined with human investigation and monitoring.

Analytics should be running against your user account’s login behavior. That way, if you see a user trying to log in to several machines that they don’t usually log into, or if a user has tried to log into something an inhuman amount of times, it’s a red flag.

That’s what we do with TITAN, our purpose-built cybersecurity suite for electric cooperatives. We have artificial intelligence running and humans monitoring 24/7 so we have a baseline of your user behavior and accounts. If there’s a valid reason for unusual traffic, such as an employee who is traveling and logs in from a different state, that only takes a few minutes to verify.

Cooperatives typically operate in one territory, usually one state. We can set TITAN up to issue an alert if we see any activity outside of what we expect, such as logins from outside of the United States or even outside their territory. Or, there may be a login attempt from a user. This could be followed by a separate login attempt from the same user but a different location. If the location of the second login is too far for a person to have traveled within that time frame, TITAN will pick up on that and report the activity as suspect.

TITAN also does GeoIP blocking and reputation blocking. We can make sure the people accessing your internal network are the people you would expect to be accessing your system. We’re not going to allow connections from countries such as Iran or North Korea or internet addresses that have been known to be used by or are closely associated with those countries.

Related: How NWEC Improved Their Cybersecurity and Operational Efficiency

Shadow IT: An Enemy From Within

Shadow IT is when systems are set up and running in your network that an IT person didn’t necessarily approve or install. Shadow IT usually happens because users install something just to get a mission accomplished in the moment. This might include a remote application that lets them work from home. They may not have asked the IT person about it and just Googled “remote application.” Once they found a program that looked like it would work they installed it. The problem is months down the road the employee has probably forgotten about it. Now there’s a remote access application sitting un-updated on that machine, a definite security risk.

TITAN protects your co-op by detecting those kinds of applications. It can discover what’s running and then allow cooperatives to make informed decisions on whether or not they want to allow it. If you decide to allow it, TITAN makes sure you know if the program, app, or software is up-to-date.

Other Steps to Secure Your Information

In addition to having a security suite like TITAN to help your IT team stay on top of everything, there are reasonably simple steps both cooperatives and remote workers can take, too.

The key is having long passwords. That doesn’t necessarily mean an overly complex password. Complexity is good, but length should be your first priority. It doesn’t even have to be what most people consider to be a password; it could be a non-standard phrase or random set of words easy for you to remember. Nonsense as a phrase can be very effective, as long as it is lengthy.

Passwords should be combined with multi-factor authentication, too. It could be a security token. It could be an app on your device. It could be something that gives you push notification to make sure that you own the device and you approve of the login.

For electric cooperatives, limit your system to as few remote access systems as possible to help promote security. Segregate your network so devices are separated and if a cybercriminal does get access to a part of your network they haven’t breached your entire system.

Even though it comes with risks, remote work can be done safely. To learn more about how SkyHelm and TITAN can make your remote workforce safer, contact us today.

Keep Reading: How to Secure Your IT from Cyberattacks