Thomas Jefferson once said, “eternal vigilance is the price of liberty.” Eternal vigilance is also the price the United States must pay to ensure the power grid is protected. Over the last decade, managing threats to the nation’s power grid has become a part of everyday life for the US energy sector. Utilities are inundated with outside threats on a daily basis, often from angry customers, environmental groups, hacktivists, and criminals looking for targets of opportunity.
In fact, the energy sector’s critical infrastructure has been identified as a global target, and several countries, including the United States, have made its protection a legislative priority. In November 2014, the Federal Energy Regulatory Commission (FERC) approved a new mandatory Physical Security Reliability Standard (CIP-014-1) for industry to address physical security risks and vulnerabilities related to the reliable operation of the power grid. Then, in 2015, the Enhanced Grid Security Act was passed to provide for the modernization, security, and resiliency of the electric grid.
These cyber and physical threats often focus on interrupting services or destroying critical equipment for the purposes of inflicting damage and embarrassing the utility. But, in order to accomplish such an attack with any magnitude, the attacker needs knowledge of the equipment or system. Generally, they obtain this knowledge by conducting surveillance, probing, and reconnaissance of the potential target. This is a time-intensive process with a learning curve, and it is risky in that the attackers may be noticed or caught by authorities.
As a result of numerous failed plots, criminal groups and terror organizations have turned to social engineering, baiting, and the use of insider resources to accomplish similar types of attacks. This insider threat could have significant access and provide a debilitating blow to a utility. An employee with true insider knowledge of the electric transmission or distribution system can cause significant damage and system failure.
This tactic is not new. Historically, one of the most effective ways governments used to gather data and information was by infiltrating the enemy’s ranks. This was the job of the spy or espionage agent, and in times of crisis, spies sabotaged the enemy by destroying critical equipment. According to a 2011 Intelligence Note from the Department of Homeland Security’s (DHS) Office of Intelligence and Analysis (I&A), officials cautioned that “violent extremists have, in fact, obtained insider positions,” and that “outsiders have attempted to solicit utility-sector employees” for damaging physical and cyber attacks.
Today, the term “spy” is not used to describe this type of espionage in the private sector; rather, the term “insider threat” is used to describe a security threat that originates from within the organization being attacked or targeted, often by an employee of the organization or enterprise. An insider threat does not have to be a current employee or stakeholder, but can also be a former employee or anyone who at one time had access to proprietary or confidential information from within the organization.
Insiders working with a foreign state or other high level threat actor pose an even greater threat because of their detailed knowledge of system operations and security practices. In addition, since they are in a position of trust, they often have legitimate physical and electronic access to key systems and the controls designed to protect them. Individuals with the highest level of access pose the greatest threat because they are already inside the organization, using legitimate credentials and permissions to access sensitive areas, thus evading detection from traditional security products.
Furthermore, an individual with access to grid infrastructure could purposely or inadvertently introduce malware into a system through portable media or by falling victim to social engineering e-mails or other forms of communication. Many utility organizations have a false sense of security because their employees are required to pass background checks before being hired. However, just because an employee passes a background check or has a security clearance does not mean they are not a risk.
Most utility companies use a national commercial crime database search as part of their pre-employment screening process because such searches are relatively quick and inexpensive, but they have also been known to contain errors due to incorrect or missing information. Also, employees hired more than five years ago should undergo a periodic background check to ensure they remain qualified for the position they hold, since they may have committed crimes after being hired that the employer is not aware of.
Recent events have demonstrated how people with legitimate access can produce substantial harm. These include Edward Snowden, who released classified information about national surveillance programs; US Army PFC Bradley Manning, who provided classified documents to WikiLeaks; and contractor Aaron Alexis, who killed 12 people during a shooting at the Washington Navy Yard in 2013 while holding a security clearance.
Insider threat events have also played out in the utility sector. In April 2011, a lone water treatment plant employee allegedly managed to manually shut down operating systems at a wastewater utility in Mesa, Arizona, in an attempt to cause a sewage backup to damage equipment and create a buildup of methane gas. Fortunately, automated safety features prevented the methane buildup and alerted authorities, who apprehended the employee without incident. Additionally, in January 2011, an employee who had recently been fired from a US natural gas company allegedly broke into a monitoring station of his former employer and manually closed a valve, disrupting gas service to nearly 3,000 customers for an hour.
While strong physical and cybersecurity measures typically are in place to deter and detect these types of events, similar measures have not been developed to address threats from insiders. The weakest link continues to be the people who are charged with operating and protecting the grid. Although many insider threats stem from human error and are not intentional, they can be devastating.
According to the 2014 IBM Cyber Security Intelligence Index, over 95 percent of all incidents investigated involved human error. This is the equivalent of building a castle around one’s assets to protect them all, but leaving the keys in the front door. Cybercriminals use a variety of methods to trick insiders into handing over the keys to the castle. Oftentimes, they will trick employees into ignoring security safeguards by disguising links or emails as legitimate, so that when the employee clicks on the link they open an infected document or download a virus to the system.
Insiders, including employees, contingent workers, visitors and trusted third parties, often have unfettered access to sensitive and critical information, systems, and facilities for which there is minimal oversight or monitoring. Cyber attackers also try to convince employees to unwittingly hand over their credentials by posing as a supervisor (or other senior leader from within the organization), gaining access to the network by duping the employee into believing they are following orders from above.
A 2008 report by DHS identified that many critical infrastructure and key resources (CIKR) operators lack an appropriate awareness of the threat insiders pose to their operations. Education and awareness present the biggest potential return for policy by motivating CIKR operators and focusing their efforts to address the insider threat. Appropriate awareness will help to shape the insider threat policies and programs needed to address the unique insider risk profile of each CIKR operator.
The reason security awareness is so important in mitigating the risk associated with an insider threat is that employees are the last line of defense. Even with the best cyber and physical security protections in place, there is still no complete guarantee that they will protect everything. As Clint Eastwood once said, “If you want a guarantee, buy a toaster.” Since secure systems are only secure if they are unplugged or turned off, organizations must constantly be prepared and vigilant to defend against an insider threat, because operating the bulk power system is a 24/7 job. In order for utilities to be prepared, they must first train their employees to be aware of what the risks are.
An insider threat program seeks to deter, detect, and mitigate the risk associated with insider threats. As of November 2013, government agencies are required to develop insider threat programs to mitigate the risk of an insider attack. However, since 85 percent of the energy sector is privately owned, utility organizations, while not required to do so, should establish their own insider threat program. With increased legislation around grid security, it is likely just a matter of time before this becomes a requirement. In the meantime, it remains a best practice.
Developing a risk-informed, responsive insider threat program that includes security awareness, personnel surety, current threat assessments, workplace violence training, and forward leaning behavioral policies requires a strong commitment from senior management and those actively engaged in program development.
A successful insider threat program must include active participation from a company’s physical security, personnel security, information technology, and human resources functions. Once an organization has executive buy-in, the following high-level items should be considered:
- Establish a company culture that is threat-aware. Provide regular insider threat awareness training, as well as realistic training exercises. Create a safe environment in which to self-report actions that jeopardize security. Regular briefings by security department personnel on security policies, procedures, and emergency response will familiarize employees and set expectations.
- Create clear procedures for reporting violent or suspicious behavior. Working with your company’s General Counsel and Human Resources department, provide easy-to-understand procedures for alerting supervisors and security personnel. The program should seek to prevent insider attacks by capturing observable indicators of potential activity before insiders act. Intelligence on the insider threat generally comes from within the enterprise through either technical data or behavioral indicators.
- Train on indicators of an insider threat. Employees should be trained on the potential indicators that could signal something is wrong, such as employees seeking to gain a higher clearance than required and possibly trying to enter areas they do not have access to. Or, they may attempt to engage other employees in confidential conversations without a need to know. Not every employee who exhibits these indicators is guilty of a crime, but most of the persons who have been involved in workplace espionage were later found to have displayed one or more of these indicators.
- Establish clear lines of communication with law enforcement agencies and intelligence partners. Oftentimes, employees who pose an internal threat to a company have been approached by known criminals and terrorists from the outside of whom law enforcement is already aware. By maintaining constant dialogue and established relationships with law enforcement, utilities may add value to existing investigations and receive useful intelligence.
- Conduct a risk assessment. The organization should analyze the operational environment in order to discern the likelihood of an insider-driven event and the impact that the event could have on the organization. Determine, analyze, and prioritize gaps.
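The "technical data" and "behavioral indicators" the program items above refer to can be drawn from systems a utility already runs, such as its badge access-control logs. The following is an added example, not code from the article or its authors, showing how a security team might turn such logs into the review-worthy indicators listed above: attempts to enter areas outside an employee's authorization, repeated access denials, and entry outside normal hours. The badge ids, zone names, authorization table, shift window, denial threshold and log lines are all constructed for the example.

```python
"""
Added example (not part of the original article): derive insider-threat
review indicators from constructed badge-reader events.
"""
from collections import defaultdict
from datetime import datetime

# Constructed authorization table: zones each badge is allowed to enter.
AUTHORIZED_ZONES = {
    "E1001": {"lobby", "office"},
    "E1002": {"lobby", "office", "control-room"},
}

# Constructed badge-reader log: timestamp, badge id, zone, reader result.
SAMPLE_LOG = """\
2016-03-01T08:02:11 E1001 lobby GRANTED
2016-03-01T08:05:40 E1001 office GRANTED
2016-03-01T12:31:02 E1001 control-room DENIED
2016-03-01T12:31:45 E1001 control-room DENIED
2016-03-01T12:33:10 E1001 substation-yard DENIED
2016-03-01T09:00:00 E1002 control-room GRANTED
2016-03-02T02:14:27 E1002 control-room GRANTED
"""

BUSINESS_HOURS = (6, 20)  # assumed normal shift window: 06:00 to 20:00
DENIAL_THRESHOLD = 3      # assumed: three or more denials warrants review


def parse_events(text):
    """Parse the whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, zone, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "badge": badge,
            "zone": zone,
            "result": result,
        })
    return events


def find_indicators(events, authorized=AUTHORIZED_ZONES):
    """Return (badge, indicator, detail) tuples for a security reviewer.

    An indicator is a prompt for human review, not a finding of wrongdoing.
    """
    indicators = []
    denials = defaultdict(int)
    unauthorized_zones = defaultdict(set)

    for ev in events:
        badge, zone = ev["badge"], ev["zone"]
        allowed = authorized.get(badge, set())
        if ev["result"] == "DENIED":
            denials[badge] += 1
        # Any attempt (granted or denied) at a zone outside the badge's
        # authorization is itself worth noting.
        if zone not in allowed:
            unauthorized_zones[badge].add(zone)
        hour = ev["ts"].hour
        if ev["result"] == "GRANTED" and not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            indicators.append((badge, "after_hours_entry",
                               f"{zone} at {ev['ts'].isoformat()}"))

    for badge, zones in unauthorized_zones.items():
        indicators.append((badge, "unauthorized_zone_attempt",
                           ", ".join(sorted(zones))))
    for badge, count in denials.items():
        if count >= DENIAL_THRESHOLD:
            indicators.append((badge, "repeated_denials", f"{count} denials"))
    return indicators


def review_report(text=SAMPLE_LOG):
    """Group indicators by badge so a reviewer sees one entry per person."""
    report = defaultdict(list)
    for badge, kind, detail in find_indicators(parse_events(text)):
        report[badge].append(f"{kind}: {detail}")
    return dict(report)


if __name__ == "__main__":
    for badge, items in review_report().items():
        print(badge)
        for item in items:
            print("  -", item)
```

On the constructed log, E1001 is flagged for attempts on two zones it is not authorized for and for three denials in one day, while E1002 is flagged only for a granted entry at 02:14. Consistent with the point above that indicators are not proof of guilt, the output is a review queue for the security and human resources functions, not an automated verdict.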
Organizations are just beginning to acknowledge the importance of detecting and preventing insider threats. Just as it is vital to have methods to detect external threats, it is also important to protect an organization’s assets and systems from unauthorized insider misuse or destruction. Insider threats are an ongoing and evolving issue that requires organizations to constantly update policies and learn from security events. The lights will only stay on if constant vigilance is exercised.
Brian Harrell, CPP is the Director of Security and Risk Management at Navigant Consulting, Inc. (NCI) and is a former security executive at the North American Electric Reliability Corporation (NERC).
Bruce Barnes, CPP is an Executive Director at Wayne Solutions, LLC. and is the former head of Infrastructure Security and Emergency Management for NV Energy.