Building a Resilient World:

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Work From Home Automation Professionals: Cybersecurity Exposure

One of the commonly targeted pathways into an industrial automation and control system (IACS) is through compromised remote access such as virtual private networks (VPNs) and remote desktop protocol (RDP). During the stay-at-home orders and other self-quarantining measures around the globe to combat the COVID-19 pandemic, many automation engineers for industrial facilities have increased their use of remote connections to provide support for their sites from home. Remote access has allowed for essential support to maintain the operations for critical facilities, but also results in increased cybersecurity exposure for IACS.

Last year, Microsoft released an advisory for known vulnerabilities in remote desktop services that, when exploited, allow attackers to gain remote control of legacy Microsoft systems such as Windows 7, Windows Server 2008/2008R2, and older systems like Windows 2003 and Windows XP using RDP.1 Because many industrial control networks contain a mixture of legacy and updated systems for operator and engineering workstations, as well as other network devices, these vulnerabilities can pose a significant risk. If targeted malware is executed on one of these outdated devices, there is the potential for it to affect other devices (even more recent devices) on the compromised network. This has already happened in the past with the NotPetya attack, where vulnerable devices were used as an entry point before the wiper worm quickly moved to patched devices in the affected system, resulting in approximately $10 billion in damages.2

Even when updated devices are used, if authorized users can legitimately establish access remotely, there exists a potential for threat agents to do so as well. For remote access endpoints with weak or unused security features, especially those that are exposed to the internet, attackers can easily use common attack methods to compromise the entry point and use it as a stepping stone for further attacks on the network. This is exactly what happened in a Sodinokibi ransomware attack on an IACS, where attackers used brute force to compromise the RDP endpoint and gain access to the system, ultimately resulting in loss of availability of three systems required for operation.3

The first step in reducing cybersecurity exposure is to identify the highest risk parts of the network. Conducting an IACS cybersecurity gap assessment considering the current network, system vulnerabilities, and personnel security provides a clearer picture of the current exposure, as well as actionable guidance for reducing this exposure and fortifying existing protection measures. With the current level of remote access for many IACS, the need for a clear understanding of cybersecurity exposure and risk has never been more pressing.


1. Prevent a worm by updating remote desktop services (CVE-2019-0708), Microsoft Security Response Center, Microsoft, 2019

2. Andy Greenberg, The Untold Story of NotPetya, The Most Devastating Cyberattack in History, Wired, 2018

3. Year in Review: The ICS Landscape and Threat Activity Groups, Dragos, 2019

A version of this post can also be found on the exida blog. It appears on the ISAGCA blog with adjustments made by the author.

Patrick O'Brien, exida
Patrick O'Brien, exida
Patrick O'Brien, CFSP, CACS, is a safety and cybersecurity engineer at exida.

Related Posts

Securing Industrial Networks Can–And Should–Be Simple

A version of this blog originally appeared on Cisco
Andrew McPhee Jan 24, 2023 5:30:00 AM

Double Extortion Ransomware: What It Is and How to Respond

New attack methods in the cybersecurity landscape continue to emerge in the digitally driven world. One t...
Zac Amos Jan 17, 2023 5:30:00 AM

Defending Remote-Friendly Environments from Cyberattacks

This blog has been repurposed from the December 2022 issue of InTech
Damon Purvis Jan 10, 2023 5:30:00 AM