The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued a new guide for the critical manufacturing sector to coincide with National Insider Threat Awareness Month. It stresses that continuous, active monitoring for insider threats, rather than passive response after the fact, is what keeps critical operations safe.
Most insider threats “exhibit risky behavior prior to committing negative workplace events” and can be identified early before committing malicious acts that can include theft, sabotage, cyber espionage or attacks, and workplace violence. “Unwitting insiders may inadvertently disclose proprietary or other sensitive information, unknowingly download malware, or facilitate other cybersecurity events,” the guide adds.
“The critical manufacturing sector reports the highest number of attacks on industrial control systems of any critical infrastructure sector. Unmitigated insider risk is likely to increase the risk of attack.” The sector includes primary metals, machinery, electrical and appliance equipment, and transportation manufacturing.
An insider threat program should be staffed by a multidisciplinary team drawn from within the organization, properly trained and operating within an appropriate risk-management framework, and should take proactive measures to deter, detect, mitigate, and report threats.
“Insider threat hubs deter potential insider threats by instituting appropriate security countermeasures, including awareness programs,” states the CISA guide, stressing that the workforce must be properly trained in spotting and reporting indicators of insider threats, have set procedures by which to deal with such threats, and “consider the concept of organizational justice,” which “refers to employee perceptions of fairness in the workplace.”
User Activity Monitoring (UAM) should be employed on networks to discover malicious cyber activity, log risk indicators and surface indicators of potential workplace violence. “Logging, monitoring, and auditing of information system activities can lead to early discovery and mitigation of behavior indicative of insider threat,” the guide continues. “UAM also plays a key role in prevention, assistance, and response to acts of violence. As such, UAM development should include consideration of potential acts of violence against organizational resources, including suicidal ideation.”
“…Once a ‘Normal Activity’ baseline is established, internal security controls help us identify deviations. For example, user activity monitoring could help identify a rash of IT system misuses that suggest an employee needs some re-training. Another example would be access control logs indicating an employee is working irregular hours or has unexplained absences from work.”
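To make the baseline-then-deviation idea in the passage above concrete, here is an added example in Python. It is not from the CISA guide or this article: it builds a per-user "normal activity" baseline from a constructed badge-reader (access-control) log, then flags badge-ins outside normal hours, on days not normally worked, or at doors the user has never used, and lists expected workdays with no badge-in at all. The log lines, user names, door names, dates and the 120-minute tolerance are all constructed assumptions, not real data or guide-prescribed values.

```python
"""Baseline-and-deviation review of badge (access-control) logs.
Constructed illustration; log lines, users, doors and thresholds are made up."""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median

# Constructed badge-reader events: ISO timestamp, user, door (one line per badge-in).
# Week of 2024-03-04 is the baseline period; 2024-03-11 onward is reviewed against it.
SAMPLE_LOG = """\
2024-03-04T07:52,alice,plant-gate
2024-03-05T08:01,alice,plant-gate
2024-03-06T07:55,alice,plant-gate
2024-03-07T08:03,alice,plant-gate
2024-03-08T07:58,alice,plant-gate
2024-03-04T08:30,bob,plant-gate
2024-03-05T08:27,bob,plant-gate
2024-03-06T08:35,bob,plant-gate
2024-03-07T08:29,bob,plant-gate
2024-03-08T08:33,bob,plant-gate
2024-03-11T07:58,alice,plant-gate
2024-03-12T08:04,alice,plant-gate
2024-03-13T07:51,alice,plant-gate
2024-03-14T08:00,alice,plant-gate
2024-03-15T07:57,alice,plant-gate
2024-03-17T02:13,alice,server-room
2024-03-11T08:31,bob,plant-gate
2024-03-12T08:28,bob,plant-gate
"""


def parse_log(text):
    """Parse CSV lines into (timestamp, user, door) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, door = line.split(",")
            events.append((datetime.fromisoformat(ts), user, door))
    return events


def build_baselines(events, baseline_end):
    """Per-user 'normal activity' from events dated before baseline_end:
    median badge-in minute of the day, weekdays worked, and doors used."""
    raw = defaultdict(lambda: {"minutes": [], "weekdays": set(), "doors": set()})
    for ts, user, door in events:
        if ts.date() < baseline_end:
            raw[user]["minutes"].append(ts.hour * 60 + ts.minute)
            raw[user]["weekdays"].add(ts.weekday())
            raw[user]["doors"].add(door)
    return {user: {"median_minute": median(b["minutes"]),
                   "weekdays": b["weekdays"], "doors": b["doors"]}
            for user, b in raw.items() if b["minutes"]}


def find_deviations(events, baselines, baseline_end, tolerance_minutes=120):
    """Return (user, timestamp, reason) for review-period events outside the user's
    baseline: off-hours badge-in, a weekday never worked, or a door never used."""
    findings = []
    for ts, user, door in events:
        if ts.date() < baseline_end or user not in baselines:
            continue
        b = baselines[user]
        if abs(ts.hour * 60 + ts.minute - b["median_minute"]) > tolerance_minutes:
            findings.append((user, ts, "badge-in outside normal hours"))
        if ts.weekday() not in b["weekdays"]:
            findings.append((user, ts, "badge-in on a day not normally worked"))
        if door not in b["doors"]:
            findings.append((user, ts, f"first use of door {door}"))
    return findings


def find_absences(events, baselines, start, end):
    """Return (user, date) for each expected workday in [start, end] with no
    badge-in; expected workdays are the weekdays seen in the user's baseline."""
    seen = {(user, ts.date()) for ts, user, _ in events}
    absences, day = [], start
    while day <= end:
        for user, b in baselines.items():
            if day.weekday() in b["weekdays"] and (user, day) not in seen:
                absences.append((user, day))
        day += timedelta(days=1)
    return absences


def review(log_text=SAMPLE_LOG, baseline_end=date(2024, 3, 11), review_end=date(2024, 3, 17)):
    """Build baselines from the first period, then review everything after it."""
    events = parse_log(log_text)
    baselines = build_baselines(events, baseline_end)
    return {"deviations": find_deviations(events, baselines, baseline_end),
            "absences": find_absences(events, baselines, baseline_end, review_end)}


if __name__ == "__main__":
    result = review()
    for user, ts, reason in result["deviations"]:
        print(f"DEVIATION {user} {ts:%Y-%m-%d %H:%M}: {reason}")
    for user, day in result["absences"]:
        print(f"ABSENCE   {user} {day}: no badge-in on an expected workday")
```

On the constructed data this reports a single off-hours, off-day badge-in by "alice" at a door she has never used, and three expected workdays with no badge-in for "bob". As the guide frames it, these are indicators for the insider threat team to look into (a training problem, an approved schedule change, or something worse), not conclusions; a one-week baseline like this one will overfit, so a real deployment needs a longer baseline window and a tolerance tuned to the site's shift patterns to keep false positives, and the organizational-justice cost that comes with them, low.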
Once the insider threat program is established, the organization applies a risk-management strategy, in this case one tailored to the critical manufacturing sector. That includes identifying critical assets, both physical and logical, and pinpointing which users have the most access to those assets; conducting a risk assessment that includes the development of countermeasures; and planning responses that could include suspending access to information or changes in employment status.
“Insider threat program team members from the various security disciplines, whether cyber/IT, personnel, information, or physical, can assist with mitigation response options such as updating security protocols, adjusting UAM or other inspections, and providing basic security training and awareness to the workforce,” states the guide. “Some insider threat incidents may warrant external referrals to counterintelligence or law enforcement authorities. Have a plan in place for referring these actions and consult with your legal counsel to ensure that proper protocols are followed.”
CISA Assistant Director for Infrastructure Security Brian Harrell and Director of the Center for Development of Security Excellence Kevin Jones wrote in a letter accompanying the guide that programs must “serve to gather, monitor, and assess information for insider threat detection and mitigation strategies.”
“A more protected Critical Manufacturing Sector from insider threats is a stronger sector,” they added.