At the recent ISA Water/Wastewater symposium, one common issue emerged about the security threats to water facilities. Cyberattacks are not the top concern — it’s insider threats that are keeping people up at night. Although cyberattacks are widely publicized, insider threats are far more common in industrial environments. Fortunately, the same tools used to combat cyberattacks can also be used to mitigate insider threats.
There are generally three types of insider threats: the malicious insider, the compromised insider and the negligent insider. A malicious insider is typically a trusted employee or partner who purposely takes steps to sabotage operations. These attacks are few and far between. One recent example involved a Georgia-Pacific system administrator who is currently serving a three-year sentence for hacking into the computer system of a company’s industrial facility to disrupt and damage its operations.
A compromised insider is typically someone whose access credentials have been stolen in a phishing or social engineering attack. In this situation, an outsider looks like an insider. For example, a consultant that uses a hotel Wi-Fi connection could have their device infected with malware. Later in the day when they connect to the plant network, the malware can spread across the human-machine interfaces (HMIs), as BlackEnergy did in 2014.
The most common type of insider threat is a negligent user. Human error is by far the leading threat to the water/wastewater industry.
There are generally three types of insider threats: the malicious insider, the compromised insider and the negligent insider.
Mitigating insider threats
The primary way to protect against insider threats begins by increasing visibility and control over operational technology (OT) systems and assets. Whether trying to defend against nation-state sponsored cyberattacks, infected laptops or overworked engineers prone to making mistakes, the tools are the same.
Undocumented assets cannot be protected. Plant managers don’t know what they don’t know. Fighting the insider threat should begin with establishing an automated process for gathering and maintaining a detailed asset inventory of the entire OT infrastructure, the network, the systems, how they are configured, what firmware is installed, what vulnerabilities are present and what hardware modules exist on the backplane of the industrial controllers (PLCs, RTUs, DCSs).
Automation is key, since collecting and keeping data up-to-date is labor-intensive and prone to error. This explains why many water facilities lack this basic asset visibility.
With asset inventory in place, monitoring and auditing network activity is required to detect insider threats. This includes communication between devices and changes made to devices. An audit trail of actions taken on the industrial control system is an invaluable tool for incident response, regulatory audits, forensic investigations, maintenance and threat hunting. This includes having visibility into the OT protocols.
Next, deeper-level monitoring is required to address both known and unknown threats.
Detecting known threats
Known threats can be addressed with security policies, while unknown threats can be detected using anomaly detection technologies. For example, a known threat would involve reprogramming a critical safety system — like fire suppression controls — over a VPN connection from a remote location. Having an engineer make changes to safety systems from their home is not a best practice.
Meanwhile, IT departments have long recognized a known threat as an infected laptop using a VPN connection to connect to the control network.
These are examples of insider risks that can be defined and protected against by creating policies to monitor and alert on VPN connections that show signs of malware.
Identifying unknown threats
Detecting unknown insider threats is more difficult. For example, an attacker hacking into a facility’s wireless network and compromising engineering workstations is difficult to anticipate. These type of scenarios can be detected with anomaly detection technologies.
In the above example, anomaly detection would not be used to generate an alert every time a plant operations worker connects to the network, but it would raise a red flag alert if someone reprograms a critical safety controller.
Physical insider threats, when OT infrastructure is modified directly via a device, cannot be detected using deterministic security policies and anomaly detection technologies. Instead, technologies that actively monitor device integrity for physical tampering are needed. This approach monitors the memory of controllers to ensure no unexpected changes, even from the physical plane (for example, using USB, Ethernet, Bluetooth, Wi-Fi, serial, etc.) have been made on the device.
This three-pronged approach, which combines device integrity, security policies and anomaly detection, can combat the risks posed by insiders and cyberattackers.
In all cases, the security controls used to mitigate insider threats will provide the necessary visibility to identify threats and ensure a robust response before damage can occur.
Chris Grove, CISSP, NSA-IAM, is the director of Industrial Security at Indegy and has more than 25 years of experience in cybersecurity. Previously, Grove managed large-scale data and application security projects at Imperva for government and defense agencies, law enforcement and the intelligence community. He has presented at Black Hat, RSA, InfoSec and Gartner conferences on cloud security, hacking, cyber-defense strategies and more.