The Insider Threat in OT Infrastructure

It was only a matter of time before what befell the Information Technology (IT) community reached the Operational Technology (OT) community as well. Today the OT C-suite carries an agenda item that keeps it up at night.

It is the constant, unrelenting security threat that can at any moment land the organization on the front page of the daily newspaper for all the wrong reasons.

The blurring of lines between IT and OT has de facto put industrial organizations in the crosshairs for security incidents, but not from the direction you might expect. The newest form of danger comes from within.

Industrial Control Systems & The Threat from Within

A recent study performed by Indegy Labs found that 86% of those polled rated insiders as the biggest security threat to their organizations.

Insider threats arise from various motivations and circumstances, including:

    • Malicious intent – Typically a disgruntled employee, or an insider who is paid to exfiltrate information and/or cause damage to the organization. 
    • Human error – An employee unintentionally causes damage and/or downtime by making incorrect changes to industrial processes or equipment, or leaks confidential company information. 
    • Account compromise – Similar to the human error scenario, in that an employee unintentionally creates a security incident. Typically an outsider uses social engineering to trick the employee into divulging credentials or other confidential information, which the attacker then uses to carry out the attack. Common social engineering techniques include phishing emails, a "call from IT" requesting the user's ID and password, and the like.

Top 3 Ways to Protect OT Environments from Insider Threats

To protect OT environments from insider threats, industrial organizations need look no further than three best practices the IT community has developed over the years:

    • Perform a risk assessment to identify and address weaknesses such as over-privileged accounts, insiders with access to resources they do not need to do their jobs, and orphaned accounts belonging to terminated employees, contractors, etc. 
    • Know and monitor the attack vectors. There are two primary vectors for insider attacks: using the network, and targeting devices directly via serial ports. The latter occurs when a user plugs a device into an industrial controller to distribute malware, upload new code, etc. Because a serial connection never traverses the network, such changes evade network-based passive detection entirely, and the modified logic can then propagate quickly. Monitoring both network activity and device integrity is therefore required to detect both types of threat.
    • Unify IT and OT security. Since the two environments are often interconnected, an attack that originates on the IT network can move laterally into the OT environment. Establishing visibility across both IT and OT networks, by integrating security tools and the data they generate, helps detect lateral attack activity.
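The first two practices above can be combined into one concrete check: correlate the writes a passive network monitor sees with periodic integrity snapshots of each controller's running program, and vet the writing account against the HR roster. A program change with no matching network write points to a local (serial/USB) change that network monitoring alone would miss; a network write by a terminated or under-privileged account is exactly the orphaned or over-privileged account a risk assessment should have removed. The script below is an added example, not code from the original post or from Indegy; the roster, event formats, hash values and the role-to-privilege mapping are all constructed assumptions.

```python
"""Correlate passive network monitoring with controller integrity snapshots.

Added example (not from the original post). All inputs below are constructed
inline; the record layouts, roster and permitted roles are assumptions.
"""
from datetime import datetime

# HR / identity export: who is still employed and in what role. (constructed)
ROSTER = {
    "jdoe":   {"status": "active",     "role": "controls_engineer"},
    "asmith": {"status": "terminated", "role": "controls_engineer"},  # orphaned account
    "bops":   {"status": "active",     "role": "operator"},
}

# Roles permitted to download new logic to a controller. (assumption)
ROLES_ALLOWED_TO_WRITE = {"controls_engineer"}

# Program downloads decoded by a passive network monitor (e.g. off a SPAN port). (constructed)
NETWORK_WRITES = [
    {"ts": "2020-03-02T08:15:00", "plc": "PLC-07", "user": "jdoe",   "op": "download"},
    {"ts": "2020-03-02T09:40:00", "plc": "PLC-03", "user": "asmith", "op": "download"},
    {"ts": "2020-03-02T11:05:00", "plc": "PLC-07", "user": "bops",   "op": "download"},
]

# Periodic snapshots of each controller's running-program hash, gathered by
# actively querying the device rather than by sniffing traffic. (constructed)
SNAPSHOTS = [
    {"ts": "2020-03-02T08:00:00", "plc": "PLC-07", "hash": "aaa1"},
    {"ts": "2020-03-02T08:30:00", "plc": "PLC-07", "hash": "bbb2"},  # follows jdoe's write
    {"ts": "2020-03-02T08:00:00", "plc": "PLC-03", "hash": "ccc3"},
    {"ts": "2020-03-02T10:00:00", "plc": "PLC-03", "hash": "ddd4"},  # follows asmith's write
    {"ts": "2020-03-02T08:00:00", "plc": "PLC-12", "hash": "eee5"},
    {"ts": "2020-03-02T10:00:00", "plc": "PLC-12", "hash": "fff6"},  # no network write at all
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def review_network_writes(writes, roster, allowed_roles):
    """Flag controller writes made by unknown, orphaned or over-privileged accounts.

    Returns a list of (user, plc, reason) tuples in the order the writes occurred.
    """
    findings = []
    for w in writes:
        acct = roster.get(w["user"])
        if acct is None:
            findings.append((w["user"], w["plc"], "unknown account"))
        elif acct["status"] != "active":
            findings.append((w["user"], w["plc"], "orphaned account (terminated user)"))
        elif acct["role"] not in allowed_roles:
            findings.append((w["user"], w["plc"], f"role {acct['role']} not permitted to write"))
    return findings


def find_unexplained_changes(snapshots, writes):
    """Find program-hash changes with no network write to that PLC in between.

    A change the network monitor never saw is the signature of a local
    (serial/USB) modification. Returns (plc, old_hash, new_hash) tuples.
    """
    by_plc = {}
    for s in sorted(snapshots, key=lambda s: (s["plc"], parse_ts(s["ts"]))):
        by_plc.setdefault(s["plc"], []).append(s)

    findings = []
    for plc, snaps in by_plc.items():
        for prev, cur in zip(snaps, snaps[1:]):
            if prev["hash"] == cur["hash"]:
                continue  # program unchanged between these two snapshots
            t0, t1 = parse_ts(prev["ts"]), parse_ts(cur["ts"])
            explained = any(
                w["plc"] == plc and t0 <= parse_ts(w["ts"]) <= t1 for w in writes
            )
            if not explained:
                findings.append((plc, prev["hash"], cur["hash"]))
    return findings


if __name__ == "__main__":
    for user, plc, reason in review_network_writes(NETWORK_WRITES, ROSTER, ROLES_ALLOWED_TO_WRITE):
        print(f"ACCOUNT  {user:8s} wrote to {plc}: {reason}")
    for plc, old, new in find_unexplained_changes(SNAPSHOTS, NETWORK_WRITES):
        print(f"INTEGRITY {plc}: program changed {old} -> {new} with no network write (local/serial?)")
```

On the constructed data, the account review flags asmith (terminated) and bops (operator role), while the integrity check flags PLC-12, whose program changed without any write appearing on the network. PLC-03's change is "explained" by the network, which is why the two checks must be run together: the write was visible, but it came from an orphaned account.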

Implementing IT best practices for insider threat prevention in OT environments, and unifying controls and visibility across both infrastructures, is the best recipe for protection against the insider threat.
