Given the focus on external threats to organizations by way of malware, ransomware, and the evil advanced persistent threats (APT), we cannot forget about insider threats. In 2017, CSO Online reported that the highest repercussions come from insider threats rather than external cyber security attacks (20% of cyber crime events, with 30% of respondents reporting impacts).
In the SANS’ 2019 yearly review for Industrial Control System (ICS) security, the authors noted a surprising number of attacks or risks relating to configurations and insiders. Even though ransomware prevention is an important topic, let’s not forget about cyber security basics.
In operational technology, we must be vigilant of the environment, especially those pesky heirloom devices or “break-glass” conditions in the control room. Use caution, but as OT becomes increasingly converged into enterprise or IT, examining this before an incident occurs is certainly invaluable.
Two categories of insider threat:
A malicious insider is a current or former employee, contractor, or business partner who:
Has or had authorized access to an organization’s network, system, or data
Has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, availability, or physical well-being of the organization’s information, information systems, or workforce
An unintentional insider is a current or former employee, contractor, or business partner who:
Has or had authorized access to an organization’s network, system, or data
And who, through their action or inaction, and without malicious intent, caused harm or substantially increased the probability of serious future harm to the confidentiality, integrity, availability, or physical well-being of the organization’s information, information systems, or workforce
Given that cyber security is not a world of concrete absolutes, security for an industrial organization is focused on reducing the risk of a cyber event occurring, the exposure, and the overall impact. Whether a risk is sourced from an internal or external actor truly doesn’t matter. What does matter is a lingering risk caused by an individual with substantial information about your organization, or with the ability to indirectly cause an incident through mistakes, lapses in attention, or incompetence.
For the most part, humans believe attacks don’t originate from themselves or their tribe. With the growing complexity of operating systems, social media, and increased connectivity comes increased negative cyber activity. As such, reducing threats that have a relatively high likelihood of occurrence, and higher impacts than those typically seen from external actors, would be considered a win by upper management and site operators.
To reduce insider threats, best practice is for organizations to implement strategies within their overall cyber security and risk management programs that provide value against both malicious and unintentional insiders.
Reduce insider threats by:
Defining system and data classification governance and policies
Identifying and inventorying all assets (logical and physical)
Defining user and application rights and policies
Continuously reviewing and enforcing user/application accounts, rights and policies
Performing regular and continuous reviews of third parties and monitoring user accounts, systems/networks/sites accessed by those organizations
Defining frameworks for management, site overseers, and even team leads to review, and to work with individuals to handle internal misgivings, challenges, and potential disgruntlement
Practicing tabletop exercises or continued training for both unintentional and intentional insider situations as part of ongoing awareness and incident handling
Before locking down every system and implementing biometrics or gross collections of data on your employees and users, use caution with respect to principles such as privacy rights and related sensitive personal information. Insider threat is much more than theft or fraud; in an OT environment, it could prove disastrous for the insiders themselves, on-site individuals, the business, the environment, the organization, and even local communities and economies.
Using the above seven areas as a high-level overview, the Common Sense Guide expands on them into the twenty-one defined areas seen below. They work reasonably well as guidelines to drive your organization’s insider risk practice forward, but in OT they need some adjustment by best practice area ( – denotes OK as is).
Know and protect your critical assets (to the business, and with respect to safety-reliability-productivity)
Develop a formalized insider threat program (that includes third parties and contractors)
Consider threats from insiders, business partners (including joint-ventures, and acquired business units/sites) in enterprise risk assessments
Be especially vigilant regarding social media (including third parties)
Structure management and tasks to minimize insider stress and mistakes (by incorporating validation and verification as part of any process or work order)
Implement strict password and account management policies and practices (as would be appropriate to OT environments)
Institute stringent access controls, and monitoring policies on privileged users (as would be appropriate to OT environments)
Monitor and control remote access from all endpoints, including mobile devices (and remote sites with respect to bi-directional communications)
Define explicit security agreements for (any services third party or otherwise), especially access restrictions, monitoring capabilities, (and vulnerability management)
Institutionalize system change controls (where appropriate to OT environments)
Implement secure backup and recovery processes (where appropriate to OT environments, and include regular testing/validation of both backups, and the processes using them)
Close the doors to unauthorized (data access, minimize removable media usage and physical access to systems)
Develop a comprehensive employee termination procedure (that understands OT environments, and can adjust to situations where best practices cannot be followed due to environmental constraints)
Where to focus on OT practical aspects:
Create a detailed asset inventorying management program for both physical and logical assets
Harden systems by changing default passwords and minimizing access/privileges to those systems and the accounts within them
Enforce change controls for software, devices and networks:
Control changes by limiting interactions and reducing complexity
Record changes in all forms (if possible)
Validate all changes, and have documentation (that even includes how to roll-back)
Add multiple sign-off authorities and supervision for activities
Enforce best practices for physical security:
Lock PLC cabinets, and disable write/programming modes
Secure site perimeters and privileged locations
Protect networking connectivity mediums
Practice events and procedures relating to catastrophic failure, minor cyber security incidents, and insiders challenging the safe operation of a facility
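As an added illustration of the change-control items above (record changes, validate them with roll-back documentation, require multiple sign-offs, keep an asset inventory), here is a small Python example that is not part of the original article. It assumes a constructed inventory of asset names, configuration strings and approver names; the status names and the two-sign-off threshold are choices made for the example.

```python
import hashlib
from dataclasses import dataclass, field

MIN_SIGNOFFS = 2  # "multiple sign-off authorities": at least two distinct approvers


def config_hash(config: str) -> str:
    return hashlib.sha256(config.encode("utf-8")).hexdigest()  # fingerprint kept in the baseline


@dataclass
class ChangeRecord:
    """A recorded change: expected post-change hash, documented roll-back, approvers."""
    asset: str
    new_hash: str
    rollback: str
    signoffs: set = field(default_factory=set)

    def approved(self) -> bool:
        # Valid only when documented (roll-back present) and multiply signed off.
        return bool(self.rollback.strip()) and len(self.signoffs) >= MIN_SIGNOFFS


def detect_drift(baseline: dict, observed: dict, changes: list) -> dict:
    """Map each asset to 'ok', 'approved_change', 'unapproved_change',
    'missing' (inventoried but not seen) or 'unknown_asset' (seen, not inventoried)."""
    approved = {c.asset: c.new_hash for c in changes if c.approved()}
    status = {}
    for asset, known in baseline.items():
        if asset not in observed:
            status[asset] = "missing"
            continue
        seen = config_hash(observed[asset])
        if seen == known:
            status[asset] = "ok"
        elif approved.get(asset) == seen:
            status[asset] = "approved_change"
        else:
            status[asset] = "unapproved_change"
    status.update({a: "unknown_asset" for a in observed if a not in baseline})
    return status


# Constructed sample inventory: hypothetical asset names and configuration strings.
BASELINE_CONFIGS = {"plc-01": "mode=run;ip=10.0.0.5", "hmi-01": "ver=3.1;remote=off", "rtu-02": "poll=5s"}
BASELINE = {a: config_hash(c) for a, c in BASELINE_CONFIGS.items()}
OBSERVED = {"plc-01": "mode=program;ip=10.0.0.5", "hmi-01": "ver=3.1;remote=off", "eng-ws-07": "new"}


def run_example(second_signoff: bool) -> dict:
    # plc-01 was switched to programming mode; the change record is signed by one or two people.
    change = ChangeRecord("plc-01", config_hash(OBSERVED["plc-01"]), "restore mode=run", {"alice"})
    if second_signoff:
        change.signoffs.add("bob")
    return detect_drift(BASELINE, OBSERVED, [change])
```

With a single sign-off the plc-01 drift is reported as an unapproved change; the same change with two sign-offs and a roll-back note is accepted, while the absent rtu-02 and the un-inventoried eng-ws-07 are flagged either way.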
Insider threat impacts in OT environments
Given that OT environments are less concerned with personally identifiable information or data such as financials, the site’s concerns are largely physical. In the OT world, most sites and processes should be engineered for safety, reliability and productivity, and the items noted above are key elements to incorporate into any sufficiently engineered site (e.g., see the ISA SIL standards or IEC-62443-x).
Considering incidents such as the one at Maroochy Shire in 2006, where a disgruntled contractor attacked water treatment systems and caused massive environmental damage, most OT site owners would likely agree that in OT, an insider could cause massive damage or disruption.
OT insider threats should be a huge concern for safety and risk management teams because the same individuals who run your plant also have access to sensitive information about your operations. Great care should be taken to prevent and manage issues, but also to double- and triple-check the work performed and the response to potentially disastrous situations.
Insider threat accounts for a larger number of incidents than the dreaded APTs of the world. In many situations, reducing insider threat is relatively easy. A hypothetical reduction of 10% of an organization’s overall incidents is feasible because insider incidents occur across a number of environments, so concrete value is easily found and communicated across the organization.