By Michael Rothschild
It was only a matter of time before what befell the Information Technology (IT) community was going to affect the Operational Technology (OT) community. Today, the OT C-suite is saddled with agenda items keeping them up at night.
It is the constant and unrelenting security threat that at any moment can land the organization on the front page of the daily newspaper for all the wrong reasons.
The blurring of lines between IT and OT has de-facto put industrial organizations in the cross hairs for security incidents, but not from where you think. The newest form of danger comes from within.
Threat from Within
A recent study performed by Indegy Labs found 86 percent of those polled rated insiders as the biggest security threat to their organizations.
Insider threats can be based on various motivations and circumstances, including:
• Malicious Intent – Typically a disgruntled employee or insider who is paid to exfiltrate information and/or cause damage to the organization
• Human Error – This occurs when is an employee unintentionally causes damage and/or downtime by making incorrect changes to industrial processes /equipment, or leaks confidential company information.
• Account Compromise – This is similar to the human error scenario, where an employee unintentionally creates a security incident. Typically, outsider through social engineering tricks an employee into divulging confidential information used to carry out an attack. Social engineering techniques phishing emails, a “call from IT” requesting the user’s ID and password, etc.
Protect Against Insider Threat
To protect OT environments from insider threats, industrial organizations should look no further than implementing three best practices developed over the years by the IT community:
• Perform a risk assessment to identify and address vulnerabilities such as over privileged accounts, insiders with access to resources they don’t need to do their jobs, orphaned accounts belonging to terminates employees, contractors, etc.
• Know and monitor attack vectors. There are two primary vectors for insider attacks: Using the network and targeting devices directly via serial ports. The latter occurs when a user plugs a device into an industrial controller to distribute malware, upload new code, etc. Serial attacks can quickly propagate and evade network based passive detection mechanisms. Monitoring both network activity and device integrity are required to detect these two types of threats.
• Unify IT and OT security. Since both environments are often interconnected, an attack that originates on the IT network can move laterally to the OT environment. Establishing visibility across IT and OT networks by integrating security tools and the data they generate can help detect lateral attack activity.
Implementing IT best practices for insider threat prevention in OT environments, and unifying controls and visibility across both infrastructures, represents the best recipe for protection and the best defense against the insider threat.
Michael Rothschild is a senior director at industrial cybersecurity provider, Indegy.