The New Face of Insider Security Threats

10 October, 2018
3 min read
Although insider threats have existed for years in manufacturing, advances in technology have escalated their scale and made prevention even more difficult.

By Mille Gandelsman, CTO, Indegy

Insider threats, accidental and premeditated, have always dogged manufacturers. As far back as the dawn of the industrial age, workers deliberately sabotaged machines and manufacturing processes for various reasons, usually political or financial, but also out of pure malice. This gave rise to the famous phrase "to throw a wrench in the works". Sometimes, of course, a clumsy or distracted worker dropped a wrench or other object into a machine by accident.

Since then, the reasons behind insider threats haven't changed much, although social engineering tactics add new meaning to the idea of a wrench in the works. What has changed significantly is that manufacturers now face a bewildering range of threats: from simple physical acts on the plant floor (such as somebody accidentally or purposely flipping a switch), to malware, to sophisticated hacking of the IT or OT network, to social engineering.

Employee accidents can have devastating impacts on a production line and the bottom line. Recently, a programming error at Subaru caused SUVs to be scrapped because the vehicles missed critical spot welds. The cost: millions of dollars and days of downtime. Back in the 1980s, misprogrammed robots at GM unleashed an expensive trail of disaster, including robots painting one another instead of cars, smashing windshields instead of installing them, and spot welding car doors shut.

Since insider threats are hard to detect and prevent, they pose unique challenges for manufacturers.

Three Common Kinds of Insider Threat Payback

Typically, a disgruntled employee with access to privileged portions of the network is able to extract information or cause damage to the organization. Three kinds of insider are common:

  • Unknowing Bystanders. This is an employee with privileged access who inadvertently creates a security breach. This can happen in a variety of ways. Scenarios include sending confidential information to another employee or an outsider, or providing network access to someone who should not have it.
  • Outside-In Manipulators. In this case, an outsider uses social engineering to trick an employee into divulging confidential information or their credentials for accessing the IT or OT network. Tactics include a spoofed email, a phishing scheme or a "fake call from IT" requesting a user's ID and password.
  • Malicious Insiders. They are behind most attacks.

The severity of threats posed by employees and contractors was quantified in the 2018 Verizon Data Breach Investigations Report, which notes that 28 percent of all data breaches involved insiders.

The report reveals that while malicious outsiders (72 percent) were the main source of data breaches, they were responsible for only 23 percent of all compromised data. On the other hand, insiders were behind 76 percent of all compromised records.

Unlike many industry verticals, in which the motivation is nearly always financial and carried out almost exclusively by organized crime, manufacturing shows a greater percentage of state-affiliated actors (53 percent) than it does organized crime (35 percent).


How to Detect and Prevent Insider Threats

Manufacturers can combat these threats by improving their capabilities in three areas: visibility, security and control.

Broader Visibility

Companies should implement capabilities that provide complete, real-time visibility across their IT and OT environments. This includes the ability to monitor and track all attempts to access automation controllers and to audit all changes made, not just to identify malicious actions, but to drill into issues caused by human error.

Ideally, visibility should include an OT-specific security and monitoring system that analyzes network traffic and device behavior. Such visibility should be supported by a detailed alert system, so an organization is made aware of any change or questionable activity as it happens.

Tighter Security

The best way to improve security is to employ rules and heuristic analysis that are specific to the manufacturing process. Heuristic analysis is capable of detecting many previously unknown forms of malware and new variants of known malware.

Without such analysis, the detection and mitigation of a breach can take weeks or months, and result in a very expensive cleanup, as well as production stoppages and damage to the company's brand and reputation.

In addition, manufacturers should implement control plane access management policies that specify who is permitted to make certain changes, when, and how.

Stronger Control

Finally, enforcing security controls over network assets and maintaining an up-to-date inventory of industrial controllers and their status, including firmware versions, patch levels, serial numbers and other backplane information, is critical for fighting insider threats. This enables manufacturers to quickly address newly published vulnerabilities, and to identify unintended changes and incidents before they can have a widespread impact on operations.
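The three capabilities described in this section (visibility into every controller access and change, a control plane policy that says who may change what, when and from where, and an asset inventory with firmware versions checked against published advisories) can be tied together in a simple change-audit check. The following is an added example, not code from the article or from Indegy; every device name, user, host, log line, firmware version and advisory entry in it is constructed sample data, and the policy fields (authorized users, engineering hosts, maintenance window) are assumptions chosen to illustrate the idea.

```python
"""Added example (not the article's or Indegy's code): audit OT controller
access/change events against a control-plane policy and an asset inventory.
All hosts, users, devices, firmware versions and log lines are constructed."""
from dataclasses import dataclass
from datetime import datetime, time

# --- Control: asset inventory of controllers (constructed sample data) -------
INVENTORY = {
    "plc-weld-01": {"firmware": "2.4.1", "serial": "SN-0001"},
    "plc-paint-02": {"firmware": "2.3.0", "serial": "SN-0002"},
}
# Hypothetical advisory list: firmware version with a known issue -> fixed version.
VULNERABLE_FIRMWARE = {"2.3.0": "2.4.1"}

# --- Security: control-plane access policy (assumed policy fields) -----------
@dataclass
class Policy:
    authorized_users: set          # who may push changes to controllers
    engineering_hosts: set         # from where changes may be pushed
    window_start: time = time(22, 0)  # maintenance window 22:00-06:00 (wraps midnight)
    window_end: time = time(6, 0)

    def in_window(self, ts):
        t = ts.time()
        return t >= self.window_start or t <= self.window_end

POLICY = Policy(authorized_users={"j.smith", "automation-svc"},
                engineering_hosts={"ews-01"})

# Actions that modify a controller (assumed categories).
CHANGE_ACTIONS = {"logic_download", "firmware_update", "config_write"}

# --- Visibility: controller access/change log (constructed lines) -----------
SAMPLE_LOG = """\
2018-10-10T23:15:02 plc-weld-01 user=j.smith host=ews-01 action=logic_download
2018-10-11T10:42:17 plc-weld-01 user=j.smith host=ews-01 action=logic_download
2018-10-11T11:03:44 plc-paint-02 user=contractor7 host=laptop-x action=logic_download
2018-10-11T11:05:10 plc-paint-02 user=j.smith host=ews-01 action=read_tags
2018-10-11T11:09:00 plc-press-09 user=automation-svc host=ews-01 action=firmware_update
"""

@dataclass
class Event:
    ts: datetime
    device: str
    user: str
    host: str
    action: str

def parse_line(line):
    """Parse one 'timestamp device key=value ...' line into an Event."""
    ts, device, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return Event(datetime.fromisoformat(ts), device,
                 fields["user"], fields["host"], fields["action"])

def check_event(ev, policy=POLICY, inventory=INVENTORY):
    """Return the list of findings for one event (empty list = nothing to flag).
    Reads are only checked against the inventory; changes are also checked
    against who, where and when the policy permits."""
    findings = []
    if ev.device not in inventory:
        findings.append("unknown device: not in asset inventory")
    if ev.action in CHANGE_ACTIONS:
        if ev.user not in policy.authorized_users:
            findings.append(f"user {ev.user} not authorized to change controllers")
        if ev.host not in policy.engineering_hosts:
            findings.append(f"change pushed from non-engineering host {ev.host}")
        if not policy.in_window(ev.ts):
            findings.append("change outside maintenance window")
    return findings

def audit_log(text, policy=POLICY, inventory=INVENTORY):
    """Return {line_number: findings} for every event that needs attention."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            findings = check_event(parse_line(line), policy, inventory)
            if findings:
                report[n] = findings
    return report

def firmware_findings(inventory=INVENTORY, advisories=VULNERABLE_FIRMWARE):
    """Return {device: (current_version, fixed_version)} for controllers whose
    inventoried firmware appears in the advisory list."""
    return {dev: (a["firmware"], advisories[a["firmware"]])
            for dev, a in inventory.items() if a["firmware"] in advisories}

if __name__ == "__main__":
    for n, findings in audit_log(SAMPLE_LOG).items():
        print(f"line {n}: " + "; ".join(findings))
    for dev, (cur, fixed) in firmware_findings().items():
        print(f"{dev}: firmware {cur} is on the advisory list, fixed in {fixed}")
```

Run as a script, the audit flags the daytime logic download (outside the maintenance window), the contractor's download from an unmanaged laptop (unauthorized user, non-engineering host, outside the window) and the firmware update to a controller that is missing from the inventory, while the in-window download by an authorized engineer and the tag read produce nothing. The same design answers the human-error case the article raises: an authorized engineer's change at the wrong time is surfaced just as a malicious one would be, and the inventory check shows which controller needs a firmware update when an advisory is published.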

Though malicious insider attacks and human error have existed since the dawn of time, OT networks have become particularly vulnerable recently. Fortunately, with the right level of visibility, security and control, manufacturers can defend against and limit threats from insiders as well as outsiders.

About the Author

Mille Gandelsman is CTO of Indegy, where he leads the company’s technology research and product development. Prior to Indegy, he led engineering efforts for Stratoscale and spent several years managing cybersecurity research for the elite 8200 intelligence unit of the Israel Defense Forces. Mille has more than 15 years of experience in ICS and cybersecurity.
