The Coronavirus outbreak has left authorities with no choice but to limit personal movement to slow down the spread of the disease. Many countries have shut down all non-essential workplaces and businesses, forcing their employees to work from home. But in order to keep the country running, some services have been deemed essential, and the staff providing those services are exempt from the state order to stay home.
In the US, the Cybersecurity and Infrastructure Security Agency (CISA) released Guidance on the Essential Critical Infrastructure Workforce.
CISA developed a list of “Essential Critical Infrastructure Workers” to help State and local officials as they work to protect their communities, while ensuring continuity of functions critical to public health and safety, as well as business continuity and national security.
CISA defines an essential worker as: “workers who conduct a range of operations and services that are essential to continued critical infrastructure viability, including staffing operations centers, maintaining and repairing critical infrastructure, operating call centers, working construction, and performing management functions, among others”.
The logic behind this is clear: for these critical sectors to continue operating, they need to be secured. If hospitals suffer from cyber attacks – as they frequently do – the effectiveness of all the medical and supporting staff (also considered essential) is greatly reduced.
Here are the main industries identified by CISA and the associated cybersecurity roles highlighted as “essential”.
Workers performing cybersecurity functions at healthcare and public health facilities who cannot practically work remotely.
Workers performing security, incident management, and emergency operations functions at or on behalf of healthcare entities including healthcare coalitions, who cannot practically work remotely.
Petroleum security operations center employees and workers who support emergency response services.
Natural gas security operations center operators.
IT and OT technology staff – for EMS (Energy Management Systems) and Supervisory Control and Data Acquisition (SCADA) systems, and utility data centers; Cybersecurity engineers; Cybersecurity risk management.
Workers who support command centers including, but not limited to, Network Operations Command Center, Broadcast Operations Control Center and Security Operations Command Center.
Workers responding to cyber incidents involving critical infrastructure, including medical facilities, SLTT governments and federal facilities, energy and utilities, and banks and financial institutions, and other critical infrastructure categories and personnel.
Data center operators, including system administrators, HVAC & electrical engineers, security personnel, IT managers, data transfer solutions engineers, software and hardware engineers, and database administrators.
Customer service and support staff, including managed and professional services as well as remote providers of support to transitioning employees to set up and maintain home offices, who interface with customers to manage or support service environments and security issues, including payroll, billing, fraud, and troubleshooting.
Workers who support financial operations, such as those staffing data and security operations centers.
Adoption of CISA’s Recommendations
Some states were quick to follow CISA’s recommendations. In California, many businesses, jobs and operations were exempt from the governors’ order to stay home to prevent the spread of the coronavirus. Governor Newsom’s action orders “all individuals living in the state of California to stay home or at their place of residence, except as needed to maintain continuity of operation of the federal critical infrastructure sectors”. Among these are cybersecurity professionals who work in critical infrastructure, as stipulated in the CISA guidance.
The CISA guidance focuses on two cyber “roles”: SOC operator and incident responders, mostly working in on-prem settings where no remote connection is possible or feasible. In the future, we think this should be extended to include MSSPs, who themselves secure thousands of smaller and medium businesses. MSSPs do this with a small number of operators, so the risks of mass infection due to their continued operation is small, and the security benefits are great. This is one case where decision makers should look at the “Infection Vs. Protection” ratio, where the likelihood of infection (for example, people working in a crowded environment) in comparison to the level of protection these individuals provide to society in general is taken into account.
We can hope that this crisis will help elevate the status of cybersecurity professionals among the general public, perhaps even to the same status as firefighters, police and emergency service providers.
We owe it to them.