Insider threats remain underestimated by critical infrastructure owners and operators, the Department of Homeland Security (DHS) said.
On top of that, even if a manufacturer has “relatively robust” preventative programs in place, it’s nearly impossible to entirely eliminate the threat of a malicious insider, DHS said.
The unclassified/for official use only report was published this past December, but it projects risks to critical infrastructure through December 2018 and insider threat considerations for the next 20 years.
Security provider SCADAHacker.com obtained the report and posted it to the open source information site Public Intelligence Oct. 6.
Insider threats were a big topic of discussion at the 2014 Industrial Ethernet Infrastructure Design Seminar in Houston, TX, in September. Conference keynote speaker Joel Langill of SCADAhacker.com and RedHat Cyber said that if a manufacturer can protect itself against an inside attack, that line of defense should be strong enough to withstand a large share of outside attacks as well.
“I will ask what are the top threats: Terrorists, hacktivists or control engineers? The answer is control engineers. When you go into a site assessment, no one ever protects against the guy working inside. That is not to say he is a bad guy, he may just not know the right thing to do.”
“The control engineer is the greatest risk against the system,” Langill said. “The threat should not be running around with administrative privileges.”
Protecting against the inside attack is a somewhat different problem, and it gets less attention because outside attacks such as Stuxnet or the more recent Havex/Dragonfly are what grab the headlines. Most companies rely on short-term, reactionary defenses rather than a thought-out, comprehensive security program.
In the report, DHS said that although most industrial sectors rely on vendors and contractors, many organizations do not understand the threat from “third-party insiders.” In addition to supply-chain vulnerabilities, the rise of networked industrial control systems makes critical infrastructure an attractive target for remote sabotage.
“Third-party insiders constitute an underestimated threat to U.S. critical infrastructure, particularly when their organizations are foreign-owned or are working under the auspices of foreign intelligence services,” the report said.
DHS said this group is extremely problematic because they have specialized knowledge of systems and the line between traditional insiders and external adversaries has blurred thanks to globalization and outsourcing.
By understanding the breadth of these threats, critical infrastructure owners and operators can craft mitigation plans, and develop policies and programs that focus on “high-impact” attacks, the report said.
However, two major challenges are complicating their ability to assess the likelihood of malicious insider attacks. First, the triggers that can cause a trusted employee to become a malicious actor are difficult to identify and predict. Second, DHS said it lacks detailed and reliable empirical data on insider breaches and attacks.
The report’s authors recommend that the private and public sectors collaborate on developing standards that critical infrastructure owners and operators can use for their insider threat programs. This should include guidance on long-term employee monitoring policies, background checks and re-investigations, and training and termination policies, the report said.
Organizations also need a clearer picture of their workforce in order to identify anomalies. DHS recommends they establish “workforce behavioral and access baselines” – including an understanding of hiring, oversight, access and security – so that departures from normal activity stand out. Employees responsible for monitoring for malicious insiders must also receive periodic training, the report adds.
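As an added illustration of what an access baseline can look like in practice (example code written for this page, not from the DHS report or from the article’s sources), the following Python builds a per-user baseline of hosts touched, actions performed and working hours from a few constructed log lines, then flags new events that fall outside that baseline. The log format, the usernames and hostnames, and the one-hour slack around the observed working window are all assumptions.

```python
"""Added example: per-user access baselines built from constructed log lines,
with new events scored against them. Not code from the DHS report or the article."""
from collections import defaultdict
from datetime import datetime

# Constructed history used to build the baseline. Fields: timestamp,user,host,action
HISTORY = """\
2014-09-01T08:12:00,jdoe,hmi-01,login
2014-09-01T09:40:00,jdoe,hmi-01,download_config
2014-09-02T08:05:00,jdoe,hmi-02,login
2014-09-03T08:30:00,jdoe,hmi-01,login
2014-09-01T07:55:00,asmith,eng-ws-03,login
2014-09-02T08:10:00,asmith,eng-ws-03,login
2014-09-02T10:00:00,asmith,plc-07,write_logic
2014-09-03T08:00:00,asmith,eng-ws-03,login
"""

# Constructed events to check against the baseline.
NEW_EVENTS = """\
2014-09-10T02:14:00,jdoe,plc-07,write_logic
2014-09-10T08:20:00,jdoe,hmi-01,login
2014-09-10T23:30:00,asmith,eng-ws-03,login
2014-09-10T11:00:00,asmith,plc-07,write_logic
"""

# Assumed slack (in hours) around the observed working window before an event counts as off-hours.
HOUR_SLACK = 1


def parse(text):
    """Parse comma-separated log lines into (timestamp, user, host, action) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, host, action))
    return events


def build_baseline(events):
    """Per-user baseline: set of hosts, set of actions, and hours of day seen active."""
    baseline = defaultdict(lambda: {"hosts": set(), "actions": set(), "hours": set()})
    for ts, user, host, action in events:
        b = baseline[user]
        b["hosts"].add(host)
        b["actions"].add(action)
        b["hours"].add(ts.hour)
    return dict(baseline)


def deviations(baseline, event):
    """Return the reasons an event departs from its user's baseline (empty list if none)."""
    ts, user, host, action = event
    b = baseline.get(user)
    if b is None:
        return ["user has no baseline"]
    reasons = []
    if host not in b["hosts"]:
        reasons.append(f"new host {host}")
    if action not in b["actions"]:
        reasons.append(f"new action {action}")
    lo, hi = min(b["hours"]) - HOUR_SLACK, max(b["hours"]) + HOUR_SLACK
    if not lo <= ts.hour <= hi:
        reasons.append(f"off-hours activity at {ts.hour:02d}:00")
    return reasons


def flag_anomalies(history_text, events_text):
    """Build the baseline from history and return [(event, reasons)] for deviating events."""
    baseline = build_baseline(parse(history_text))
    flagged = []
    for event in parse(events_text):
        reasons = deviations(baseline, event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    for (ts, user, host, action), reasons in flag_anomalies(HISTORY, NEW_EVENTS):
        print(f"{ts.isoformat()} {user} {action} on {host}: {'; '.join(reasons)}")
```

Each flagged event carries every reason it tripped, so the 02:14 logic write to a PLC the user has never touched shows up as three separate deviations, while a login at an unusual hour from a familiar workstation shows up as one. In a real program the baseline would come from months of authentication and session logs rather than a handful of lines, and new hosts or privileged actions would be weighed more heavily than a late login.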
DHS said that if organizations obtain and analyze threat data from the workforce, especially from social media or behavioral monitoring, it is critical for them to balance risk-based security procedures with legal and employee-rights considerations.