A recent article in the Washington Post “Russia has developed a cyberweapon that can disrupt power grids, according to new research” came as a real reminder of the constant risk critical infrastructure operators face. The malware, which researchers have dubbed CrashOverride, is known to have disrupted only one energy system in Ukraine but could be deployed against U.S. electric transmission and distribution systems.
The consequences of insider threats to critical infrastructure operators are much greater than in many other sectors because of the potential for actual physical harm from compromised control networks which could lead to ecological disaster, economic impact, and public health consequences.
Why is critical infrastructure so vulnerable?
- System Design – Operators have integrated IT systems to help manage the ICS and SCADA systems that monitor and control critical infrastructure. Unfortunately, these operating systems have become obsolete, unpatched, and vulnerable. Both the IT and operational technology (OT) legacy systems were not built with security in mind because they were once remote and isolated, literally siloed from the world. That has changed.
- Internet Connectivity – These once isolated, remote networks have now been connected to the Internet to make them more accessible. After all, why drive out to the pipeline control valve in the middle of nowhere on a frosty evening when that same valve can be accessed from a warm, comfortable office at the sub-station? Unfortunately, IT security professionals know well that this interconnectivity comes at a cost, and that cost is a level of porosity that can be downright frightening. The fact is, control networks can comprise thousands of devices, creating a larger attack surface. Those directly connected to the Internet, such as PLCs, can be found via search engines such as Shodan, and with numerous hacks already published online, they are exposed and vulnerable.
- Lack of Expertise Resources and Training – Each critical infrastructure provider must create and execute the security measures that are customized to its specific physical and digital properties. But this is unfamiliar terrain for most providers, who are focused on operational uptime. The control systems engineers who are first in line to defend against attacks receive very little cyber security training, creating a blind spot and a false sense of security. This expertise gap also leads to over reliance on partners, introducing more risk.
- Outsourcing – Because of a lack of trained security personnel in the industry as well as globalization and cross-border operations, critical infrastructure organizations often look to their equipment vendors to fill the gap. But with complicated, fragile IT, ICS, and SCADA systems to manage, neither party is prepared to counter the complexity, frequency, and severity of insider attacks on critical infrastructure.
- Newsworthy Targets – With the ability to infiltrate corporate networks and move laterally into control networks, and with so many Internet-connected devices, critical infrastructure is at risk of hackers using an attack to further their ideological goals, create geopolitical turmoil, and disrupt key services that power business and daily life worldwide.
The bottom line is that IT Security professionals lack the time, personnel, technology, insight, and budget to fully monitor, understand, and respond to the insider threat. There are essentially three problems to tackle:
- Data – Massive amounts of data from both the corporate network and control network that are too expensive to collect and retain and therefore are not helpful in reporting or analytics.
- Intelligence – Lack of visibility because of the noise of ineffective rules and signatures, which are blind to complex or unknown attacks and lateral movement. This intelligence problem when paired with the data problem above makes it impossible to connect the dots, which is exacerbated by a lack of:
- Expertise – Staffing shortages make for slow, inconsistent response, and this kind of operational inefficiency is worsened by the constant overload of alerts and false positives.
Understanding the big picture of insider threat requires a level of security intelligence driven by automation and machine learning. According to the Institute for Critical Infrastructure Technology Brief, “Rather than continue to promote the same antiquated and obsolete perimeter cyber-security solutions, critical infrastructure organizations need to adopt bleeding-edge defense-grade insider threat solutions that seamlessly detect, deter, and mitigate the harmful activities of malicious and non-malicious insider threat actors.”
It’s clear that traditional security management approaches cannot effectively address the insider threat to critical infrastructure, leaving companies unable to detect or respond to them immediately. A new approach is needed, one that:
- Addresses the urgency for unlimited logging
- Enables new levels of intelligence
- Creates operational efficiency with automated incident response
Read more on the topic: Protect Critical Infrastructure from Insider Threats with Security Intelligence