Last summer I discovered just how bad work-from-home (WFH) tech can be for remote workers during our five-plus-week hotel stay. My husband and I were forced to evacuate, fleeing one of the devastating wildfires that hit California and destroyed tens of thousands of homes and millions of mostly forested acres.
You might think by now that’s all behind us, and we’re “back to normal.” It’s not and we aren’t. Since we’re still in a drought and hot, dry high winds picked up residual embers from the CZU fires, there were some local wildfires in January. In our area, the outages they produced in power, internet and water lasted “only” for several days.
A prediction for the following week of an “atmospheric river” storm prompted a widespread evacuation order and back we went to our home-away-from-home hotel. That’s because of what happens when intense rainfall hits burn scars: “debris flows,” potentially deadly avalanches of mud, rocks, boulders, and entire trees that can come down mountain watercourses at 30 mph and destroy anything in their path.
While some local memes encouragingly tell us mountain dwellers “Only the Strong Survive” and “Santa Cruz Mountains Strong,” we may have to do this again multiple times this winter and next, producing “evacuation-weariness.” In any case, last month I had an opportunity to find out how much WFH security tech for remote workers has, or hasn’t, changed.
Just turn it all off
While evacuated, we didn’t know how intense the storm would get, how long it would last, whether debris flows were happening anywhere near our house, if it would still be accessible or cut off by rivers of mud and boulders, or even if it was still standing.
But at least this time we were in better shape to cope with getting online access to banks and utilities, having brought the right financial records and all those carefully harvested, secret voice phone numbers for reaching actual humans.
This time our hotel stay lasted five days, not five weeks. Day 1 was consumed by getting remote access to voicemail for our essential-in-the-mountains landline, setting up voicemail and adding minutes for our only-used-when-traveling cell phone, and exchanging information with neighbors and friends. On Day 2, I started doing actual work.
This time I didn’t even bother trying to use our consumer-grade, cheapo VPN. We’d already discovered last summer that it, and nearly every other third-party VPN, makes almost everything inoperable — from email to Zoom conferences to two-factor authorization (2FA) logins — effectively disabling security technology. It’s also a potential security risk in itself.
While disabling our consumer VPN gives my husband hives, I can’t deal with the frustration of not getting anything done. This time I had fewer login problems, and essentially no 2FA or multi-factor authorization (MFA) problems. As I concluded last summer, the best approach is to just turn off the security software. All of it. Well, except for the firewall.
But not for remotely accessing corporate networks or industrial control systems
But I had it pretty easy compared to employees who must remotely access their companies’ internal networks: enterprise VPNs aren’t always so secure, either, and 2FA data can be stolen or faked.
Last August, the FBI and the U.S. Department of Homeland Security (DHS)’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning about an ongoing, major voice phishing, or “vishing,” campaign. It involved registering domains and setting up fake VPN login pages that looked like real internal company pages in order to steal VPN credentials from remote employees. Attackers also stole SSL certificates for the domains they registered, along with 2FA data and one-time passwords.
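One defensive check a security team can run against the lookalike-domain part of that campaign is to scan outbound web-proxy logs for hostnames that imitate the company's real VPN portal (brand name with extra tokens bolted on, or near-miss spellings). The following is an added example, not code from the column or from the FBI/CISA advisory; the company name `examplecorp`, the allowlisted hosts, the `levenshtein` threshold of 2 and the proxy log lines are all assumptions constructed for the demonstration.

```python
"""Added example (not from the column or the FBI/CISA advisory): flag hostnames
in constructed web-proxy log lines that imitate a company's real VPN portal.
The company name, hostnames and log lines are all made up."""
import re

BRAND = "examplecorp"                        # assumed company name
REAL_DOMAIN = "examplecorp.com"              # assumed registrable domain of the real portal
REAL_VPN_HOSTS = {"vpn.examplecorp.com", "sso.examplecorp.com"}   # assumed allowlist


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Last two labels; adequate for the constructed sample (not for multi-part TLDs).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(host: str) -> bool:
    """True when the host sits under a domain that imitates the brand but is not the real one."""
    host = host.lower().split(":")[0]        # drop an explicit port before comparing
    reg = registrable_domain(host)
    if host in REAL_VPN_HOSTS or reg == REAL_DOMAIN:
        return False
    sld = reg.split(".")[0]
    if BRAND in sld and sld != BRAND:        # brand plus extra tokens: support-examplecorp, examplecorp-vpn
        return True
    return levenshtein(sld, BRAND) <= 2      # near-miss spellings: examplec0rp, exmaplecorp


def flag_from_proxy_log(lines):
    """Return the lookalike hosts found in proxy log lines that carry a URL."""
    hits = []
    for line in lines:
        m = re.search(r"https?://([^/\s]+)", line)
        if m and is_lookalike(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed proxy log lines (timestamp, workstation, method, URL, status).
SAMPLE_LOG = [
    "2021-02-12T09:58:11Z ws1 GET https://vpn.examplecorp.com/login 200",
    "2021-02-12T10:01:03Z ws1 GET https://support-examplecorp.com/vpn/login 200",
    "2021-02-12T10:04:40Z ws2 GET https://mail.google.com/ 200",
    "2021-02-12T10:07:19Z ws2 GET https://examplec0rp.com/sso 200",
    "2021-02-12T10:09:55Z ws3 GET https://portal.examplecorp-vpn.net/ 200",
    "2021-02-12T10:12:02Z ws3 GET https://login.exmaplecorp.com/otp 200",
]

if __name__ == "__main__":
    for h in flag_from_proxy_log(SAMPLE_LOG):
        print("lookalike VPN host:", h)
```

A hit is a prompt to check whether the user entered credentials or a one-time password on that page and to reset them; the allowlist and the brand check are deliberately strict so that the real portal, including with an explicit port, is never flagged.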
This type of vulnerability can be especially damaging for companies with employees remotely accessing critical operational technology (OT) infrastructure, such as industrial control systems (ICS). Like small town water treatment plants. Like the one in Oldsmar, Florida, which made international news on February 8.
On the previous Friday, employees watched in horror as someone took control of the plant’s supervisory control and data acquisition (SCADA) system in real time. The attackers altered the plant’s chemical feed system to increase the amount of lye (sodium hydroxide) in the city’s drinking water from 100 parts per million to 11,100 ppm. Although plant operators fixed this quickly before the water could be poisoned, it turns out that multiple failures in basic security hygiene and inadequate technology were to blame.
Attackers used the well-known TeamViewer remote access/remote desktop software installed on plant employees’ computers and connected to the SCADA system. So far, assuming TeamViewer was properly configured, that’s standard operating procedure, but what comes next isn’t and shouldn’t be.
All employee computers in the plant were running on the no-longer-supported 32-bit Windows 7, all employees shared the same password for remote access login, and all were connected to the internet directly, with no firewall. While these gaps in basic security hygiene may sound incredible for critical infrastructure operating in 2021, they are still found in an uncomfortably high percentage of companies and public facilities.
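The three gaps just listed (unsupported operating system, one shared remote-access password, direct internet exposure with no firewall) are all things an inventory audit can catch before an incident, and the setpoint jump from 100 ppm to 11,100 ppm is exactly what a range check on control writes is meant to refuse. The block below is an added example, not code from the column, the Oldsmar plant or any SCADA vendor: the host names, passwords, end-of-support table and the permitted dosing band of 50 to 150 ppm are all constructed for the demonstration (the page gives no actual limits).

```python
"""Added example (not from the column or from the Oldsmar plant): audit a
constructed inventory of remote-access hosts for the three hygiene gaps the
account lists, and guard a chemical-feed setpoint write against out-of-band
values and abrupt jumps. Host names, passwords and the dosing band are made up."""
from dataclasses import dataclass
from datetime import date
import hashlib

# Vendor end-of-support dates used by the audit (assumed lookup table; Windows 7
# extended support ended 2020-01-14).
END_OF_SUPPORT = {"Windows 7": date(2020, 1, 14)}


@dataclass
class Host:
    name: str
    os_name: str
    remote_pw_hash: str      # fingerprint of the remote-access password, never plaintext
    internet_facing: bool
    firewall_enabled: bool


def pw_fingerprint(password: str) -> str:
    # Constructed helper so the sample can be built from plaintext; a real
    # inventory would carry only the fingerprint.
    return hashlib.sha256(password.encode()).hexdigest()


def audit(hosts, today=date(2021, 2, 8)):
    """Return (host, finding) pairs, one per hygiene gap found."""
    findings = []
    # Gap 1: operating system past vendor end-of-support.
    for h in hosts:
        eol = END_OF_SUPPORT.get(h.os_name)
        if eol and eol < today:
            findings.append((h.name, f"unsupported OS {h.os_name} (support ended {eol})"))
    # Gap 2: the same remote-access password on more than one host.
    by_fingerprint = {}
    for h in hosts:
        by_fingerprint.setdefault(h.remote_pw_hash, []).append(h.name)
    for names in by_fingerprint.values():
        if len(names) > 1:
            for n in names:
                findings.append((n, f"remote-access password shared with {len(names) - 1} other host(s)"))
    # Gap 3: reachable from the internet with no firewall in front of it.
    for h in hosts:
        if h.internet_facing and not h.firewall_enabled:
            findings.append((h.name, "internet-facing with no firewall"))
    return findings


@dataclass
class SetpointLimits:
    low: float        # permitted band, in ppm
    high: float
    max_step: float   # largest change accepted in a single write


# Constructed band for the lye feed; the real plant's limits are not on the page.
FEED_LIMITS = SetpointLimits(low=50.0, high=150.0, max_step=25.0)


def check_setpoint(current: float, requested: float, limits=FEED_LIMITS):
    """Accept or reject a setpoint write: out-of-band values and abrupt jumps are refused."""
    if not (limits.low <= requested <= limits.high):
        return False, f"{requested} ppm is outside the permitted band {limits.low}-{limits.high} ppm"
    if abs(requested - current) > limits.max_step:
        return False, f"change of {abs(requested - current)} ppm exceeds max step {limits.max_step} ppm"
    return True, "accepted"


def sample_hosts():
    # Constructed inventory mirroring the account: two operator workstations on
    # Windows 7, sharing one remote-access password, on the internet with no firewall.
    shared = pw_fingerprint("plant-shared-2019")
    return [
        Host("ws1", "Windows 7", shared, internet_facing=True, firewall_enabled=False),
        Host("ws2", "Windows 7", shared, internet_facing=True, firewall_enabled=False),
        Host("hmi-srv", "Windows 10", pw_fingerprint("unique-per-host"), internet_facing=False, firewall_enabled=True),
    ]


if __name__ == "__main__":
    for host, finding in audit(sample_hosts()):
        print(f"{host}: {finding}")
    print(check_setpoint(100.0, 11100.0))
    print(check_setpoint(100.0, 110.0))
```

The setpoint guard belongs in the HMI or a PLC-side interlock rather than only in the remote-access layer, so that it holds even when a remote session has been taken over; the inventory audit is cheap to run on a schedule and turns the "incredible" gaps into a list of tickets.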
For example, a survey published in October by OT cybersecurity provider PAS Global found that 85% of respondents were not highly prepared for a possible cyberattack on their OT systems. In particular, cyberattacks on critical infrastructure such as water systems are increasing as witnessed by last year’s cyberattack on Israel’s water systems.
Oldsmar officials have since disabled the plant’s remote access system. The FBI is investigating, and has issued a joint advisory with the DHS, CISA and EPA, which includes recommendations for improving the Oldsmar plant’s cybersecurity hygiene.
As for me? I didn’t get hacked this time, either.