Many point to 2013 as the year when the general public got its first glimpse of the impact of insider threats, when Edward Snowden, a contractor working inside the NSA, used his legitimately issued credentials to remove classified material from the agency. The highly publicized incident revealed to the average person that an organization’s most valuable asset, its people, could also be its biggest vulnerability. How can insiders be prevented from doing damage to an organization or to national security?
Whether it’s homeland security or the industrial sector, the insider threat is not new. For example, the well-known phrase “throwing a wrench in the works” comes from factory workers who quite literally used to throw a wrench into a manufacturing machine to shut down production. Insiders have always been around, and the threat of rogue behavior is something that organizations need to monitor. When it comes to Industrial Control Systems and operational technology (OT) environments, the insider threat has never been greater or more concerning.
Defining the insider
A recent study performed by Indegy Labs found that 86 percent of those polled rated insiders as the biggest security threat to their organizations. Fifty-seven percent said they were not confident that their organization, and other infrastructure companies, are in control of OT security. To understand these numbers, let’s consider the three leading insider threat scenarios, which are based on the following motivations and circumstances:
- Malicious Intent: Typically a disgruntled employee, or an insider who is paid by an outside party, who exfiltrates information and/or causes damage to the organization. The Edward Snowden case is a textbook example.
- Human Error: This occurs when an employee incorrectly modifies or reveals something that inadvertently causes damage and/or downtime. The September natural gas explosions in the Merrimack Valley north of Boston, for example, were caused by accidental over-pressurization of the distribution system.
- Account Compromise: Like the human error scenario, this is an incident the employee creates unintentionally, but here an outsider is the driver. Through social engineering, the attacker tricks an employee into divulging credentials or other confidential information that is then used to carry out the attack. Techniques include phishing emails or a “call from IT” requesting the user’s ID and password. A US-CERT alert issued in March indicated that much of the Russian probing of U.S. critical infrastructure used social engineering and spear phishing to steal insider credentials.
The perfect storm
Attacks on industrial operations and critical infrastructure have centered on industrial controllers. Depending on the industry, they may be referred to as PLCs, RTUs or DCSs. These devices control everything from cooling stations to turbines, electrical grids, oil and gas and much more. Industrial Control Systems (ICS) literally keep the lights on. Because of their reliability, many of these devices have been in place for years. They are the workhorses of modern society and have become ground zero for nation-state attacks such as the Ukrainian power grid outages attributed to Russia.
When industrial controllers were first deployed decades ago, they were isolated: not connected to one another and not connected to corporate networks. Today’s advances in technology have put these devices online and exposed them to external threats. Furthermore, controllers were not designed with built-in security controls; many will accept a logic download or firmware update from anyone who can reach them. Meanwhile, industrial and critical infrastructure operations often span complex IT and OT networks. In a typical environment, thousands of devices exist and are increasingly being connected via the Industrial Internet of Things (IIoT). This creates new challenges and makes cybersecurity threats even more difficult to detect, investigate and remediate.
To complicate matters, responsibility for IT and OT is assigned to different parts of the organization – and with good reason. Until very recently, security concerns were primarily focused on IT infrastructures, since they were the primary attack vector. Times have changed.
In an increasingly interconnected world, OT is becoming a lightning rod for new attacks. In fact, a preferred attack pattern is to find a weak link, often on the IT side, use it as the point of entry, and then move laterally across the connected networks until an OT asset is reached. Many attacks are now being carried out by well-funded and highly motivated organizations and nation-states. A carefully executed cyber attack can accomplish as much, if not more, than physical warfare.
Securing industrial operations from insider threats
Combating these new and complex threats can be accomplished by improving key capabilities in three areas: visibility; security; and control.
Industrial and critical infrastructure operations should implement capabilities that provide complete, real-time visibility across their IT and OT environments. This includes the ability to monitor and track all attempts to access automation controllers and audit all changes made – rather than just trying to identify malicious activity.
Comprehensive visibility should include an OT-specific security and monitoring system that analyzes network traffic and device behavior. Such visibility should be supported by a detailed alerting system – so an organization is made aware of any change or questionable activity as it happens. In addition, maintaining an audit trail with drill-down capabilities to gain needed context when an incident occurs is essential.
Improving ICS security can be accomplished by employing policies and heuristic analysis that are specific to the manufacturing process. Heuristic analysis can detect many previously unknown forms of malware, and new variants of known families for which signatures have not yet been developed. It can be particularly helpful against zero-day and targeted attacks.
Network detection is not enough. Many insider actions never touch the network because the user has physical access to the device, for example an engineering laptop plugged directly into a controller’s programming port. As a result, security should be implemented both on the network and on the devices themselves. A hybrid security architecture that is specifically designed for OT environments, combining network monitoring with device-level integrity checks, will detect most attacks before damage can be done.
Enforcing security controls over network assets and maintaining an up-to-date inventory of industrial controllers and their status, including firmware versions, patch levels, serial numbers, and other backplane information, is critical for fighting insider threats. This enables an organization to quickly address newly published vulnerabilities and identify unintended changes before they can propagate and impact operations.
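The two controls described above, an authoritative controller inventory that is diffed against fresh scans, and an audit trail of controller changes checked against approved maintenance windows, can be illustrated with a short script. This is an added example, not code from the article or from any vendor’s product. The record layout, field names, asset identifiers, users and timestamps are all constructed for illustration; the `source` field on each event (network-observed versus read from the device’s own log) is an assumption that stands in for whatever a real hybrid network-plus-device monitor would provide.

```python
"""Inventory baseline diff and change-audit check for industrial controllers.

Added example with constructed data; not from the article or any vendor tool.
"""
from dataclasses import dataclass, asdict
from datetime import datetime


@dataclass(frozen=True)
class Controller:
    asset_id: str
    model: str
    serial: str
    firmware: str
    program_hash: str  # digest of the logic program last uploaded from the device


# Constructed inventory: what the asset register said at the last baseline ...
BASELINE = [
    Controller("PLC-01", "ModelA", "SN-1001", "2.3.1", "a1f3"),
    Controller("PLC-02", "ModelA", "SN-1002", "2.3.1", "b7c9"),
    Controller("RTU-07", "ModelR", "SN-7007", "1.0.4", "0c2e"),
]
# ... and what a fresh scan of the control network returned.
OBSERVED = [
    Controller("PLC-01", "ModelA", "SN-1001", "2.3.1", "a1f3"),
    Controller("PLC-02", "ModelA", "SN-1002", "2.3.1", "d4e5"),  # logic changed
    Controller("PLC-03", "ModelB", "SN-1003", "3.0.0", "ffee"),  # unknown device
]


def diff_inventory(baseline, observed):
    """Return devices that appeared, disappeared, or changed any tracked field."""
    base = {c.asset_id: c for c in baseline}
    seen = {c.asset_id: c for c in observed}
    report = {
        "added": sorted(seen.keys() - base.keys()),
        "missing": sorted(base.keys() - seen.keys()),
        "changed": {},
    }
    for asset_id in base.keys() & seen.keys():
        old, new = asdict(base[asset_id]), asdict(seen[asset_id])
        delta = {f: (old[f], new[f]) for f in old if old[f] != new[f]}
        if delta:
            report["changed"][asset_id] = delta
    return report


# Constructed audit-trail events. "network" events are what a passive monitor
# sees; "local" events come from the controller's own log (e.g. a laptop on
# the programming port) and would be invisible to network monitoring alone.
EVENTS = [
    {"ts": "2018-10-02T09:15:00", "asset_id": "PLC-01", "user": "jdoe",
     "action": "logic_download", "source": "network"},
    {"ts": "2018-10-02T22:40:00", "asset_id": "PLC-02", "user": "contractor7",
     "action": "logic_download", "source": "local"},
    {"ts": "2018-10-03T03:05:00", "asset_id": "RTU-07", "user": "jdoe",
     "action": "firmware_update", "source": "network"},
    {"ts": "2018-10-03T08:00:00", "asset_id": "PLC-01", "user": "operator2",
     "action": "read_status", "source": "network"},
]

# Approved change windows exported from the maintenance ticketing system
# (constructed). Only PLC-01 had an authorized change on the 2nd.
APPROVED = [
    {"asset_id": "PLC-01", "user": "jdoe",
     "start": "2018-10-02T08:00:00", "end": "2018-10-02T12:00:00"},
]

# Actions that alter controller state and therefore require a ticket.
CHANGE_ACTIONS = {"logic_download", "firmware_update", "mode_change"}


def unauthorized_changes(events, approved):
    """Return change events not covered by an approved (asset, user, window)."""
    flagged = []
    for ev in events:
        if ev["action"] not in CHANGE_ACTIONS:
            continue  # reads and status polls are not changes
        ts = datetime.fromisoformat(ev["ts"])
        covered = any(
            a["asset_id"] == ev["asset_id"]
            and a["user"] == ev["user"]
            and datetime.fromisoformat(a["start"]) <= ts <= datetime.fromisoformat(a["end"])
            for a in approved
        )
        if not covered:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    print("inventory drift:", diff_inventory(BASELINE, OBSERVED))
    for ev in unauthorized_changes(EVENTS, APPROVED):
        print(f"ALERT {ev['ts']} {ev['asset_id']} {ev['action']} by "
              f"{ev['user']} via {ev['source']}")
```

Run against the constructed data, the inventory diff reports an unknown PLC-03, a missing RTU-07 and a changed program hash on PLC-02, and the audit check flags two changes: the late-night local logic download on PLC-02, which network monitoring alone would never see, and an out-of-window firmware update on RTU-07 by an otherwise legitimate user.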
Implementing tried and true IT security best practices in OT environments, and unifying controls and visibility across both infrastructures, represent the best recipe for protecting against the insider threat. This approach will also help ensure that when an incident occurs, the organization can detect and mitigate the threat before it can cause widespread problems.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email HSTodayMag@gtscoalition.com. Our editorial guidelines can be found here.