Human Factor in Critical Infrastructure Security: The Insider Threat | Prosecure Security Consulting

[*] Human factor, in other words, the threat of attack from insiders (personnel) of an organization is real and it can cause a great harm for critical infrastructure security. The consequences of a malicious insider incident could cause significant financial loss, reputational damage, operational impacts and harm to individuals.[1]

Despite various interpretations, one of the most common definitions of insider threat was made by National Infrastructure Advisory Council (NIAC): ‘The Insider Threat to Critical Infrastructure is one or more individuals with the access and/or insider knowledge of a company, organization and enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products or facilities with the intent to cause harm’.[2]

In this definition, ‘access’ is the key word to understand the severity of threat that insiders pose a great security risk due to their legitimate access to critical assets including information and knowledge. It is important to underline that this legitimate access allows insiders to achieve the greatest impact whilst leaving little evidence.[3] Also, insider threat has a multidimensional nature which combines physical and cyber-attacks. Thus it requires converged physical and IT security policies in mitigating cyber threats.

With the globalization process, corporate boundaries are becoming more global which makes them difficult to manage. Thus, the new macroeconomic forces introduced by globalization create new threats for critical infrastructure operators.[4] In such challenging context, preventing all insider threats is neither possible nor economically feasible[5] but this threat could be assessed and managed with good risk management strategies.

It should also be noted that alone technology will not be enough in mitigating insider threat where a holistic security approach should be implemented. Every organization should be aware that their people can be the greatest vulnerability and the final solution should combine technical-non technical and human factors.

In line with this growing risk, this analysis firstly aims to clarify that insider threat is real and it will continue to stay. Secondly, as a persistent risk, insider threat will be specially examined for utilities including energy sector. Finally, a sum of best practices against insider threats will try to be suggested for policy makers and industry professionals to develop effective mitigation strategies.

 

Understanding and Identifying the Insider Threat: Actors and Motivations

It is important to note that understanding the potential of insider threat is the first step in mitigation process. In order to develop effective mitigation strategies different types of risks and attack profiles should be assessed. A simple chart by NIAC was introduced for the categorization of type and motivation of insiders. (Figure-1)[6]

Figure 1: Type of Actors and Corresponding Motivation for Insiders

Type of Actors Corresponding Motivation
Disgruntled or Alienated Employees Revenge for a Perceived Wrong
Ideological or Religious Radicals Radicalization for Advancement of Religious or Ideological Objectives
Criminals Sımple Illicit Financial Gain

 

While the insider threat landscape is becoming more difficult to deal with, outsiders should be taken into consideration. As a result, today, potential insider threat actors is including business partners, suppliers and contractors, third party service providers who has the same access privileges. Besides these traditional threat actors, Carnegie Mellon’s study on ‘Common Sense Guide to Mitigating Insider Threats’ highlighted merger and acquisitions as a potential risk in insider threat assessment. The document clearly states that ‘organizations should recognize that the increased risk of insider threat both within the acquiring organization and in organization being acquired.’[7]

It should be noted that, unless properly controlled, all of these groups have the opportunity to reach inside corporate networks and steal unprotected data.[8] In line with the growing threat landscape, Vormetric Insider Threat Survey clearly shows that 89% of respondents feel vulnerable to insider attacks.[9]

Centre for the Protection of National Infrastructure (CPNI) categorized five main types of insider incidents. Unauthorized disclosure of sensitive information, process corruption, facilitation of third party access, physical sabotage, electronic or IT sabotage.[10] Also Figure 2 clearly demonstrates that financial gain was the single most common primary motivation with 47%. CPNI’s study also gives interesting information about personal and corporate demographics of insiders that the majority of insider acts were carried out by permanent staff and the majority of them are full-time![11]

‘Insider Threat Study’ published by Carnegie Mellon in 2005 also presents that 86% of insiders were employed in technical positions which included system administrators (38%), programmers (21%), engineers (14%) and IT Specialists (14%). (Figure 3)[12]

Figure 2: Main Motivations of Insiders

Source: CPNI, ‘Insider Data Collection Study: Report of Main Findings’, April 2013, pp. 10.

Figure 3: Most of the Insiders were employed in Technical Positions

 

In addition, Department of Homeland Security summarized the main characteristics of insiders at risk of becoming a threat. These characteristics could be reduced loyalty, ethical flexibility, lack of empathy etc. (Figure 4) DhS also reported that the best prevention measure against insider threat is to train employees to recognize and report behavioral indicators exhibited by peers and business partners.[1] Finally, DhS’s study shows consequences for targeted organizations that 81% of the organizations experienced a negative financial impact. As result of the insiders’ activities, losses reported are ranged from low of 500$ to tens of millions dollars.[2]

Figure 4: Characteristics of Insiders at Risk Becoming a Threat[3]

Introversion Minimizing their mistakes or faults
Greed/Financial need Inability to assume responsibility for their actions
Vulnerability to black mail Intolerance of criticism
Compulsive and destructive behavior Self-perceived value exceeds performance
Rebellious, passive aggressive Lack of empathy
Ethical “flexibility” Predisposition towards law enforcement
Reduced loyalty Pattern of frustration and disappointment
Entitlement – narcissism (ego/self-image) History of managing crises ineffectively

 

Why the Insider Threat Risk is Growing?

The Insider Threat Spotlight Report by Watchful Software highlighted the final trends in Insider Threat Landscape. According to this survey, 62% of security professionals say that insider threats have become more frequent in the last 12 months and these threats are becoming more difficult and detect.[4]

Despite of the fact that, all insider threats could not be eliminated, this risk is also manageable. In other words, most of the insider incidents are clearly linked to bad management practices. For example, CPNI noted the clear link between an insider act and an employer’s security and management process. Poor management practices, poor use of auditing functions, poor security culture and the lack of awareness are the most important mistakes in organizational management.

Bunn and Sagan’s paper on the ‘Worst Practices Guide’ also presents a number of mistakes and lessons learned from the past insider incidents. This ‘not to do’ list is presented with ten key advices as below.

– Do not assume that serious problems are not in my organization

– Do not assume that background checks will solve the insider problem

– Do not assume that Red Flags will be read properly

– Do not assume that insider conspiracies are impossible

– Do not rely on single protection measures

– Do not assume that organizational culture and employee disgruntlement don’t matter

– Do not forget that insiders may know about security measures and how to work around them

– Do not assume that security rules are followed

– Do not assume that only consciously malicious insider actions matter

– Do not focus only on prevention and miss opportunities for mitigation[5]

With respect this growing threat, security investments on insider threat mitigation seems as a crucial step. However, a recent survey conducted by SpectorSoft shows that 74% of respondents do not know how much they currently spends on solutions that mitigate insider threats.[6] Finally, overreliance on technology is another common mistake in insider threat mitigation. Experts often highlight that ‘a people problem doesn’t always have a technology solution’ and all stakeholders including human resources members, legal representatives and security team should be involved in the mitigation strategy.[7]

A Threat for Critical Energy Infrastructures

Supposing that, a disgruntled employee causes an explosion on an offshore drilling in the Gulf of Mexico or a foreign nation-state recruits an insider to carry out a cyber-attack to a nation’s electrical transmission line.[8] These are the possible insider threat scenarios described by DHS which targets critical energy infrastructures. Each of them could create huge economic, ecological and health-related consequences.

Despite this persistent threat, when the existing literature reviewed, it is seen that less is known about the vulnerability of critical infrastructures to insider threat and what is worse: insider threat to critical infrastructure is ‘underestimated’.[9] Nevertheless, many case studies and lessons learnt could be illustrated on this topic. DHS’s report on ‘Insider Threat to Utilities’ presented ‘true insider stories’ affected energy utilities. (Figure 5)

Key findings about the insider threat to utilities could be summarized as following:

– Disgruntled current and/or former sector employees could successfully use their insider knowledge to create damage

– Outsiders could solicit sector employees to reach specific information about critical operations

– Authorized access and knowledge allow insiders to conduct cyber-attacks which have the potential to cause significant damage.[10]

Figure 5: Insider Threat to Utilities: Case Studies[11]

Date Attack Type Actor Target Consequence
2011 Physical Sabotage

 

Former (fired) Employee A US Natural Gas Company Disruption of gas service to nearly 3000 customers for an hour
2009 Cyber Attack Disgruntled Former IT Employee Texas Power Plant $ 25.000 loss to company
2000 Cyber Attack A Contract Employee Australian Wastewater Services Company 800.000 liters of untreated sewage to spill into receiving waters

 

Besides these lessons learnt and ‘case studies; the report interpreted some key themes about the potential of future insider threat landscape. It could be summarized as:

-Traditional and ‘low-tech’ malicious insider techniques continue to remain viable

-Increasing dependence on technology providers significantly increase insider’s opportunities-digital insiders

-Blended attacks which includes cyber and physical attacks will be the trend threat topic and the threat will become more sophisticated

-Globalization and outsourcing continue to be challenge in insider threat mitigation[12]

How to Mitigate Insider Threat: Some Best Practices

Many institutions have long been working on insider threat mitigation ways and offering the best practices to policy makers and critical asset owners. As the first step, USA’ National Infrastructure Advisory Council suggests the guidance for the Education and Awareness Program of the Insider Threat.

According the Council, a sample of insider risk management strategy should control the nine basic levels in an organization.

  1. Hiring Practices
  2. Human Resources Management Policies and Practices
  3. Awareness Communications and Training
  4. Legal Policies and Practices
  5. Coordinated Insider Threat Controls Program
  6. Identity Management Controls
  7. Physical Security
  8. IT Systems and Cyber Security
  9. Contracting/Outsourcing Security Due Diligence

Finally, Carnegie Mellon University’s Guidance should be reviewed by all stakeholders. This guide clearly presents how and why to implement the best practices. Some important points could be outlined as:

– Threats from insiders and business partners should be included in the enterprise-wide risk assessment

– Documentation and enforcing policies is an important step

– Insider threat awareness should be a part of employees’ periodic security training

– Developing a formalized and well-structured insider threat program seems as a must[13]

Conclusion

Insider threat is a growing and persistent risk for critical infrastructures. In addition, increasing dependence to digital systems, globalization and outsourcing create new challenges in mitigating insider threat as well. Also, terrorist groups and other adversaries will continue to seek employment opportunities to obtain critical information from insiders.[14] Nevertheless, it should be kept in mind insider threat is also manageable and protective measures could reduce the risks. However, in managing these risks protecting both the privacy of employees and confidential corporate data is the most important job.[15]

Finally, it is important to underline that insider threat solutions are not always ‘technical’ and require a human-centric approach. In the simplest term, limiting the usage of USB devices or cloud service usage could considerably minimize the risks. By Ahyan Gücüyener

[*] Special thanks to Hasan Alsancak for his leading role in critical infrastructure security and encouraging me writing this article.

Background Screening and Verification is a critical tool in eliminating and reducing insider threat in the organizations. Please contact us to get further information on the topic and our capabilities. 

 

 

[1] National Cybersecurity and Communications Integration Center, ‘Combating The Insider Threat’, 02.05.2014, pp. 2.

[2] Carnegie Mellon Software Institute, ibid., pp. 20.

[3] National Cybersecurity and Communications Integration Center, pp. 2.

[4] DarkReading, ‘Latest Research Highlights Growing Insider Threat in Cybersecurity Landscape’, 19.07.2015, Access: http://www.darkreading.com/endpoint/latest-research-highlights-growing-insider-threat-in-cybersecurity-landscape/d/d-id/1320962

[5] Matthew Bunn, Scott D.Sagan, ‘A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes’, American Academy of Arts and Sciences, 2014., pp. 3-19.

[6] Nathan Eddy, ‘Business Lack Investment to Prevent Insider Threats, 09.04.2015, Access: http://www.eweek.com/small-business/businesses-lack-investment-to-prevent-insider-threats.html

[7] RSA Conference 2015, ‘Insider Threat Programs Need People, not Technology’, 28.04.2015, Access: http://searchsecurity.techtarget.com/news/4500245207/Insider-threat-programs-need-people-not-technology

[8] Department of Homeland Security, ‘National Risk Estimate: Risks to U.S Critical Infrastructure from Insider Threat’, 2013, pp. 18.

[9] Molly Bernhart Walker, ‘Insider Threat to Critical Infrastructure Underestimated’, 06.10.2014, Access: http://www.fiercehomelandsecurity.com/story/insider-threat-critical-infrastructure-underestimated-says-dhs/2014-10-06

[10] Office of Intelligence and Analysis of Department of Homeland Security, Insider Threat to Utilities, 2011, pp.2

[11] Office of Intelligence and Analysis, ‘ibid’, pp. 2-5.

[12] Department of Homeland Security, ibid. , pp. 44.

[13] George Silowash, Dawn Cappelli, Andrew Moore, Randall Trzeciak, Timothy J. Shimeall, Lori Flynn, ibid., pp. 14.

[14] Office of Intelligence and Analysis, ‘ibid’, pp. 5.

[15] Sharon Shea, ‘Insider Threat Program Need People, not Technology’, 28.04.2015, Access: http://searchsecurity.techtarget.com/news/4500245207/Insider-threat-programs-need-people-not-technology

[1] Dawn Cappelli, Andrew Moore, Randall Trzeciak, ‘The CERT Guide to Insider Threats: How to Prevent, Detect and Respond to Information Technology Crimes (Theft, Sabotage, Fraud), SEI Series, pp. 17.

[2] Thomas Noonan, Edmund Archuleta, ‘The National Infrastructure Advisory Council: Final Report and Recommendations on the Insider Threat to Critical Infrastructures’, 2008, pp. 11.

[3] Carl Colwill, ‘Human Factors in Information Security: The Insider Threat-Who can you trust these days?’, Information Security Technical Report 14, pp. 186.

[4] Thomas Noonan, Edmund Archuleta, ibid., pp. 20.

[5] Thomas Noonan, Edmund Archuleta, ibid., pp. 13.

[6] Thomas Noonan, Edmund Archuleta, ibid., pp. 14.

[7] George Silowash, Dawn Cappelli, Andrew Moore, Randall Trzeciak, Timothy J. Shimeall, Lori Flynn, ‘Common Sense Guide to Mitigating Insider Threats 4th Edition’, Carnegie Mellon Software Engineering Institute, 2012, pp. 3.

[8] Vormetric Data Security, ‘2015 Vormetric Insider Threat Report: Trends and Future Directions in Data Security’, pp. 3.

[9] Vormetric Data Security, pp. 4.

[10] CPNI, ‘Insider Data Collection Study: Report of Main Findings’, April 2013, pp. 7.

[11] CPNI, ibid., pp. 8.

[12] Carnegie Mellon Software Institute, ‘Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors’, May 2005, pp. 11.

Related posts

Leave a Reply

Your email address will not be published.