Given the focus on external threats to organizations by way of malware, ransomware, and the evil advanced persistent threats (APTs), we cannot forget about insider threats. In 2017, CSO Online reported that the highest repercussions come from insider threats, as opposed to external cyber security attacks (20% of cyber crime events, and 30% of respondents stated impacts).
In SANS’ 2019 yearly review of Industrial Control System (ICS) security, the authors noted a surprising number of attacks or risks relating to configurations and insiders. Even though ransomware prevention is an important topic, let’s not forget about cyber security basics.
To kick off that idea, I’ll refer you to the sixth edition of the Common Sense Guide to Mitigating Insider Threats by Carnegie Mellon University’s CERT. It is based on traditional Information Technology (IT), but as with any cyber security framework, it should be adapted for your environment and be situationally appropriate.
In operational technology, we must be vigilant of the environment, especially those pesky heirloom devices or “break-glass” conditions in the control room. Use caution, but as OT becomes increasingly converged into enterprise or IT, examining this before an incident occurs is certainly invaluable.
Two categories of insider threat:
- A malicious insider is a current or former employee, contractor, or business partner who:
  - Has or had authorized access to an organization’s network, system, or data
  - Has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, availability, or physical well-being of the organization’s information, information systems, or workforce
- An unintentional insider is a current or former employee, contractor, or business partner who:
  - Has or had authorized access to an organization’s network, system, or data
  - And who, through their action or inaction, and without malicious intent, caused harm or substantially increased the probability of serious future harm to the confidentiality, integrity, availability, or physical well-being of the organization’s information, information systems, or workforce
Given that cyber security is not a world of concrete absolutes, security to an industrial organization is focused on reducing the risk of a cyber event occurring, exposure, and overall impact. Whether a risk is sourced from an internal or external actor, it truly doesn’t matter. What does matter is a lingering risk caused by an individual with substantial information about your organization, or the ability to indirectly cause an incident by mistake, human attention deficits, or incompetency.
For the most part, humans believe attacks don’t originate from themselves or their tribe. With growing complexities of operating systems, social media, and increased connectivity comes increased negative cyber activity. As such, reducing threats that have a relatively high risk of occurrence, and higher impacts than typically noted from external actors, would be considered a win by upper management and site operators.
To reduce insider threats, best practice is for organizations to implement strategies within their overall cyber security and risk management programs that provide value when dealing with malicious and unintentional insiders.
Reduce insider threats by:
- Defining system and data classification governance and policies
- Identifying and inventorying all assets (logical and physical)
- Defining user and application rights and policies
- Continuously reviewing and enforcing user/application accounts, rights and policies
- Performing regular and continuous reviews of third parties and monitoring user accounts, systems/networks/sites accessed by those organizations
- Defining frameworks for management, site overseers, and even team leads to review, and work with individuals to handle, internal misgivings, challenges, and potential disgruntlement
- Practicing tabletop exercises or continued training for both unintentional and intentional insider situations as part of ongoing awareness and incident handling
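One way to run the continuous account and third-party review from the list above, as an added example that is not part of the original article. The roster and account export layouts, the sample rows, and the 90-day threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR/contract roster and an account export.
ROSTER_CSV = """person_id,kind,status,end_date
E100,employee,active,
E101,employee,terminated,2024-01-15
C200,contractor,active,2024-03-31
P300,partner,active,2024-12-31
"""

ACCOUNTS_CSV = """account,system,owner_id,enabled,privileged,last_login
jsmith,hmi-01,E100,yes,no,2024-05-28
bjones,eng-ws-02,E101,yes,yes,2024-01-10
vendor_a,plc-gw,C200,yes,yes,2024-05-30
integr8,historian,P300,yes,no,2023-11-02
operator,hmi-01,,yes,yes,2024-06-01
"""

STALE_DAYS = 90  # assumed review threshold; set it from site policy


def review_accounts(roster_csv, accounts_csv, today):
    """Flag enabled accounts whose owner, contract, or usage no longer justifies them."""
    roster = {r["person_id"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"] != "yes":
            continue
        reasons = []
        owner = roster.get(acct["owner_id"])
        if owner is None:  # shared or orphaned account: nobody answers for it
            reasons.append("no accountable owner")
        elif owner["status"] != "active":  # former employee, contractor, or partner
            reasons.append("owner no longer active")
        elif owner["end_date"] and date.fromisoformat(owner["end_date"]) < today:
            reasons.append("contract end date passed")
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > STALE_DAYS:
            reasons.append(f"no login for {idle} days")
        if reasons:
            findings.append((acct["account"], acct["system"], acct["privileged"] == "yes", reasons))
    # Privileged accounts first, since they carry the most risk
    return sorted(findings, key=lambda f: (not f[2], f[0]))


if __name__ == "__main__":
    for name, system, priv, reasons in review_accounts(ROSTER_CSV, ACCOUNTS_CSV, date(2024, 6, 1)):
        print(f"{name}@{system} privileged={priv}: {'; '.join(reasons)}")
```

In an OT setting, treat the output as a review queue rather than an auto-disable list, since some shared or break-glass accounts may be kept deliberately.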
Before locking down every system and implementing biometrics or gross collections of data on your employees and users, use caution with respect to principles such as privacy rights and related sensitive personal information. Insider threat is much more than theft or fraud; in an OT environment, it could prove disastrous for the insiders themselves, on-site individuals, the business, the environment, the organization, and even local communities and economies.
Using the above seven areas as a high-level overview, the Common Sense Guide expands on them as twenty-one defined areas, seen below. They work reasonably well as guidelines to drive your organization’s insider risk practice forward, but in OT, they need some adjustment by Best Practice area ( - denotes OK as is).
- Know and protect your critical assets (to the business, and with respect to safety-reliability-productivity)
- Develop a formalized insider threat program (that includes third parties and contractors)
- Consider threats from insiders, business partners (including joint-ventures, and acquired business units/sites) in enterprise risk assessments
- Be especially vigilant regarding social media (including third parties)
- Structure management and tasks to minimize insider stress and mistakes (by incorporating validation and verification as part of any process or work order)
- Implement strict password and account management policies and practices (as would be appropriate to OT environments)
- Institute stringent access controls, and monitoring policies on privileged users (as would be appropriate to OT environments)
- Monitor and control remote access from all endpoints, including mobile devices (and remote sites with respect to bi-directional communications)
- Define explicit security agreements for (any services third party or otherwise), especially access restrictions, monitoring capabilities, (and vulnerability management)
- Institutionalize system change controls (where appropriate to OT environments)
- Implement secure backup and recovery processes (where appropriate to OT environments, and include regular testing/validation of both backups, and the processes using them)
- Close the doors to unauthorized (data access, minimize removable media usage and physical access to systems)
- Develop a comprehensive employee termination procedure (that understands OT environments, and can adjust to situations where best practices cannot be followed due to environmental constraints)
Where to focus on OT practical aspects:
- Create a detailed asset inventorying management program for both physical and logical assets
- Augment the asset management program with technology to enhance vulnerability management and guide risk exposure investigation processes
- Harden systems by changing default passwords and minimizing access/privileges to those systems and the accounts within them
- Enforce change controls for software, devices and networks:
  - Control changes by limiting interactions and reducing complexity
  - Record changes in all forms (if possible)
  - Validate all changes, and have documentation (that even includes how to roll-back)
  - Add multiple sign-off authorities and supervision for activities
- Enforce best practices for physical security:
  - Add cameras
  - Lock PLC cabinets, and disable write/programming modes
  - Secure site perimeters and privileged locations
  - Protect networking connectivity mediums
- Practice events and procedures relating to catastrophic failure, minor cyber security incidents, and insiders who challenge the safe operation of a facility
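The change-control items above (record, validate, document roll-back, multiple sign-offs) can be enforced as a gate before work starts. This is an added example, not part of the original article; the record layout, field names, sample changes, and the minimum of two approvers are assumptions.

```python
from dataclasses import dataclass, field

MIN_APPROVERS = 2  # assumed policy value; the article only says "multiple"


@dataclass
class ChangeRequest:  # hypothetical record layout
    change_id: str
    target: str
    implementer: str
    approvers: list = field(default_factory=list)
    rollback_doc: str = ""
    validated_by: str = ""
    recorded: bool = False


def gate(change):
    """Return the reasons a change must not proceed (empty list means OK)."""
    problems = []
    me = change.implementer.lower()
    # Duplicate names count once, and the implementer cannot approve their own change
    independent = {a.lower() for a in change.approvers} - {me}
    if len(independent) < MIN_APPROVERS:
        problems.append(
            f"needs {MIN_APPROVERS} approvers other than the implementer, has {len(independent)}")
    if not change.rollback_doc.strip():
        problems.append("no roll-back procedure documented")
    if not change.validated_by:
        problems.append("change not validated")
    elif change.validated_by.lower() == me:
        problems.append("validated by the implementer (no independent check)")
    if not change.recorded:
        problems.append("change not recorded")
    return problems


# Constructed sample changes
SAMPLE_CHANGES = [
    ChangeRequest("CR-1", "plc-07 logic", "alice", ["bob", "carol"], "rollback/cr-1.md", "dave", True),
    ChangeRequest("CR-2", "hmi-01 firmware", "alice", ["alice", "Bob", "bob"], "", "alice", False),
]

if __name__ == "__main__":
    for cr in SAMPLE_CHANGES:
        issues = gate(cr)
        print(cr.change_id, "APPROVED" if not issues else "BLOCKED: " + "; ".join(issues))
```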
Insider threat impacts in OT environments
OT environments are less concerned about personally identifiable information or data such as financials; the site is largely physical. In the OT world, most sites and processes should be engineered for safety, reliability and productivity, with the understanding that the above-noted items are key elements to be incorporated into any sufficiently engineered site (e.g., see ISA SIL standards or IEC-62443-x).
Considering incidents such as what occurred in 2006 at Maroochy Shire, where a disgruntled contractor attacked water treatment systems and caused massive environmental damage, most OT site owners would likely agree that in OT, an insider could cause massive damage or disruptions.
OT insider threats should be a huge concern for safety and risk management teams because the same individuals who run your plant also have access to sensitive information about your operations. Great care should be taken to prevent and manage issues, but also to double and triple check the work performed and the response to potentially disastrous situations.
Insider threat accounts for a larger number of incidents compared to those from the dreaded APTs of the world. In many situations, reduction of insider threat is relatively easy. A hypothetical reduction of 10% of an organization’s overall incidents is feasible because they occur in a number of environments. Concrete value is easily found and communicated across the organization.