It is a rule of thumb in cybersecurity that the extra delicate your system, the much less you need it to the touch the web. However because the US hunkers right down to restrict the unfold of Covid-19, cybersecurity measures current a tough technical problem to working remotely for workers at important infrastructure, intelligence businesses, and wherever else with high-security networks. In some instances, working from house is not an choice in any respect.

Corporations with particularly delicate information or operations usually restrict remote connections, phase networks to restrict a hacker’s entry in the event that they do get in, and generally even disconnect their most essential machines from the web altogether. Late final week, the US authorities’s Cybersecurity and Infrastructure Security Company issued an advisory to important infrastructure firms to organize for remote work situations as Covid-19 spreads. Meaning checking that their digital non-public networks are patched, implementing multifactor authentication, and testing out remote entry situations.

However cybersecurity consultants who really work with these high-stakes purchasers—together with electrical utilities, oil and fuel corporations, and manufacturing firms—say that it isn’t at all times so easy. For a lot of of their most crucial prospects, and much more so for intelligence businesses, remote work and security do not combine.

“Organizations are realizing that work-from-home could be very tough to execute,” says Joe Slowik, who beforehand led the pc emergency response workforce on the Division of Power earlier than becoming a member of the critical-infrastructure-focused security agency Dragos. “This ought to be a reasonably good wake-up name. That you must work out a manner that if people can’t bodily entry the management system setting for a service that can’t cease, like electrical energy, water, and wastewater or related companies, you guarantee steady operation—even within the face of an setting the place you could be risking your staff’ lives in the event that they proceed to commute into the workplace.”

For a lot of industrial networks, the best customary of security is an “air hole,” a bodily disconnect between the interior sanctum of software program related to bodily tools and the much less delicate, internet-connected IT methods. However only a few private-sector corporations, excluding extremely regulated nuclear energy utilities, have applied precise air gaps. Many firms have as an alternative tried to limit the connections between their IT networks and their so-called OT or operational know-how networks—the commercial management methods the place the compromise of digital computer systems might have harmful results, corresponding to giving hackers entry to an electrical utility’s circuit breakers or a producing flooring’s robots.

These restricted connections create choke factors for hackers, but in addition for remote staff. Rendition InfoSec founder and security guide Jake Williams describes one manufacturing shopper that rigorously separated its IT and OT methods. Solely “bounce containers,” servers that bridge the divide between delicate manufacturing management methods and nonsensitive IT methods, related them. These bounce containers run very restricted software program to stop them from serving as in-roads for hackers. However additionally they solely assist one connection at a time, which suggests the corporate’s IT directors have discovered themselves vying for entry.

“Directors are bumping one another off as they attempt to work and log in,” says Williams. “These bounce containers that have been constructed to facilitate safe remote entry in emergency conditions weren’t constructed to assist this example the place everyone seems to be performing routine upkeep and operations remotely.”

For probably the most important of important infrastructure, nevertheless, like energy vegetation and oil refineries, remote work is not simply resulting in technical snafus. It is usually impossible for a lot of staffers, says Chris Sistrunk, a security guide for FireEye who previously labored as {an electrical} engineer for energy utility Entergy. “There isn’t any solution to totally remotely run a few of these vegetation,” Sistrunk says. “You do not work from house. Important engineers and operators will at all times be there 24/7.”

In these situations, Dragos’ Slowik says, firms need to as an alternative attempt to restrict the organic publicity of their most crucial operations groups to stop them from being quarantined—which is usually simpler mentioned than finished, given that they are free to mingle with doubtlessly contaminated individuals throughout their off-hours. “It is an actual sensitive topic,” says Slowik. “You want them obtainable on the workplace, and you’ll solely prohibit them to a sure extent—as a result of we’re not China–so how does that steadiness out?”

Utilities have already been battling that steadiness. The Edison Electrical Institute, a nonprofit that represents US electrical utilities, warned in February that as many as 40 p.c of utility staff could possibly be house sick, quarantined or at house caring for sick family members. And electrical utility information website UtilityDive reviews that many utilities throughout the nation are limiting journey, shifting as many workers as doable to remote work, scheduling conferences as videoconferences, and ramping up hygiene practices.

Intelligence businesses and different components of the federal government that preserve labeled info locked away from the web current a fair starker drawback. NSA workers are strictly forbidden to work from house, and intelligence group sources inform WIRED that NSA coverage hasn’t modified in spite of the present pandemic. Workers have been requested to restrict nonessential journey, however they’ve obtained no organization-wide directions on how their remote work coverage may shift to account for Covid-19, even for older staff or these with well being situations who could be extra in danger. As a substitute, they have been requested to apply social distancing and instructed that in the event that they’re compelled to self-quarantine as a result of potential publicity to the virus, they’re free to take as much as two weeks of paid administrative depart.

The outcome might merely be far greater charges of viral transmission amongst authorities staffers who work in labeled environments, says Jake Williams, himself a former NSA analyst. He describes his time on the NSA’s outpost at Fort Gordon in Georgia as an open-floor-plan workplace. Staffers hardly ever known as in sick, as a result of their mission’s time sensitivity. Many labored in shifts, rotating 24/7 on the similar desks. “You’re sitting down at a desk another person sat at, typed at, coughed at,” Williams says. “I do not know what they are going to do, however I can’t fathom the way it received’t unfold like wildfire.”

That inescapable threat, as with so many different professions like medical, meals service, retail, transit, sanitation, and manufacturing unit staff, places the issue in perspective: Remote work might pose some critical challenges for extremely secured workplaces. However for the federal staffers and energy grid operators in probably the most delicate organizations of all—like so many others—it is an impossible luxurious.

This story initially appeared on wired.com.