Three Ways to Reduce Insider Cyberattacks on Industrial Control Systems

Author: Michael Pyle, Schneider Electric Blog

When power grids, water networks and gas utility systems are targeted by cyberattacks, systems that are essential to our everyday lives are affected. While the damage potential due to external attack sources is alarming, insider threats also exist and constitute an attack vector that is difficult to monitor and control.

Sources of insider threats can include current and former employees, partners, vendors or anyone else who at one time was granted access to proprietary or confidential information from within the organization. Although not all of these insider attacks are intentional, any such attack on an OT (Operational Technology) system can result in loss of data / trade secrets, equipment damage, lost revenues, and even personal injury.

The number of insider-related breaches rises every year. The Verizon 2019 Data Breach Investigations Report states that 34% of all breaches in 2018 were caused by insiders (as compared to 24% in 2016). As the incidents increase, so do the costs. A 2018 Ponemon Institute Cost of Insider Threats study shows that the average cost of an insider-related incident is around $513,000.

Motivation for such attacks includes financial gain, political ideology, a desire for recognition or public attention, fanatical loyalty to country, or a simple act of revenge. Unfortunately, many infrastructure organizations today have yet to implement proactive security controls to monitor areas that govern unauthorized access.

How key infrastructure systems can be affected

Consider how these threats can manifest themselves on industrial control systems. An individual with an engineering background and insider knowledge of electric transmission or distribution systems could induce blackouts or destroy equipment. In a publicly released intelligence note from the US Department of Homeland Security, officials caution that “violent extremists have, in fact, obtained insider positions,” and that “outsiders have attempted to solicit utility-sector employees” for damaging physical and cyberattacks.

That same Homeland Security Office of Intelligence and Analysis report points out that water systems and natural gas infrastructures are also at risk. In 2011, a lone water treatment plant employee is alleged to have shut down operating systems at a US wastewater utility, in an attempt to cause a sewage backup for the purpose of damaging equipment and creating a buildup of methane gas. Fortunately, automated safety features prevented the methane buildup and alerted authorities who apprehended the employee without incident. Another employee, recently fired from a US natural gas company, allegedly broke into a monitoring station of his former employer and closed a valve, disrupting gas service to nearly 3,000 customers.

Three precautions for reducing risk

Protection against insider threats requires an organization to first adopt a paradigm of deterrence as opposed to detection. Detection is a common tool for combating external cyberattacks, but with an insider threat it can sometimes occur long after the threat has been executed, resulting in business disruption losses. Deterrence is strengthened when the following three strategies are executed:

  1. Pursue appropriate protection technologies – Technologies have been created to control access rights, privileges, and policies, but these technologies are only as good as the people who configure, deploy, and monitor them. Controls that prevent people from circumventing the technologies implemented should be enforced across critical systems. If exceptions are made for various reasons, then these control technologies will no longer work reliably.
  2. Create baselines for identifying high-risk individuals / situations – It is important for organizations to create a baseline to gain an understanding of personalities and to assess abnormal behavior of those who could potentially become a threat to the organization. This will provide security officers with the ability to discern changes in behavior that could raise the potential of an insider threat.
  3. Control and monitor the actions of vendors and contractors – The presence of onsite outside vendors and contractors can also pose a potential insider threat. Therefore, organizations should impose strict controls surrounding on-site access to information and to sensitive areas within the company.

A best practice to counteract these insider threats is to conduct a mandatory training program for all employees. Proper training will assist employees in recognizing and flagging possible trigger behaviors (introversion, intolerance of criticism, lack of empathy, reduced loyalty, excessive greed, to name a few) that may be demonstrated by high-risk individuals.

To learn more about how Schneider Electric security experts can help you to lower the risk of potential insider cyberattacks, download the “Strategies for Recognizing and Preventing Insider Attacks on Industrial Control Systems” white paper.
