Evaluating ICS cyber threat landscape focusing on insider threats in OT environments

Operational technology (OT) environments face numerous cybersecurity risks and threats, such as supply chain compromise, nation-state hackers, malware, ransomware and ransomware-as-a-service (RaaS) attacks, and data breaches, any of which can disrupt services and halt production lines. Another key risk comes from the amount of access and control that employees and contractors have in these environments: it could enable an insider to inflict severe collateral damage or even loss of life, and traditional preventative security measures are often ineffective against it.

External attackers are not the only threats modern organizations need to consider in their cybersecurity planning. Malicious, negligent, and compromised users are also serious and growing risks that organizations must prepare for. Insider threats present a complex and dynamic risk affecting public and private organizations across critical infrastructure sectors.

Insider threats are posed by individuals from within an organization, such as current or former employees, contractors, and partners. They may be either malicious or negligent. Malicious insider threats result from rogue employees and contractors leaking confidential data or misusing their access to systems for personal gain and/or to inflict damage and disruption. These intentional actions are taken to harm an organization for personal benefit or to act on a personal grievance.

Negligent insider threats result from inadvertent employee errors, such as users falling victim to phishing emails or sharing data on insecure devices and USB sticks. Some of these insiders are familiar with the organization’s security policies but choose to ignore them, creating risk for the organization; others simply make a mistake that exposes the organization to an unintended risk.

Typical indicators of insider threats in an OT environment include unusual access requests or permissions changes, unauthorized access to privileged systems or data, unusual user behavior, such as accessing systems at odd hours or from unauthorized locations, and unusual user accounts appearing, or deleted accounts reappearing. 

Such threats may also take the form of increased system errors and crashes, unexpected software installations, file transfers, large downloads, and unauthorized remote access attempts. Additionally, insider threats are particularly dangerous because they come from within an organization’s trusted circle, often with access to privileged organizational information. 
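The behavioral indicators listed above (access at odd hours, access from unauthorized locations, deprovisioned accounts becoming active again, permission changes) are the kind of thing a detection rule can check against an OT access log. The following is an added example, not code from the article or from any of the vendors quoted in it; the log lines, the shift window, the OT address range and the list of deprovisioned accounts are all constructed values for illustration.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample access log (not from the article). One event per line,
# '|'-separated: timestamp, account, source IP, target system, action.
SAMPLE_LOG = """\
2023-03-06T09:12:41|j.doe|10.20.1.15|HMI-01|login
2023-03-06T02:47:03|j.doe|10.20.1.15|HMI-01|login
2023-03-06T10:05:19|m.roe|203.0.113.40|ENG-WS-02|login
2023-03-06T11:30:00|svc_backup|10.20.1.7|HISTORIAN-01|login
2023-03-06T14:20:55|t.vendor|10.20.1.22|PLC-07|permission_change
2023-03-06T15:01:10|j.doe|10.20.1.15|HMI-01|logout
"""

# Hypothetical site policy used by the rules below (assumed values).
SHIFT_START, SHIFT_END = time(6, 0), time(22, 0)   # interactive logins expected in this window
OT_NETWORKS = [ip_network("10.20.0.0/16")]          # only these sources may reach OT hosts
DEPROVISIONED_ACCOUNTS = {"svc_backup"}             # accounts that should no longer exist


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, account, src, target, action = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": ip_address(src), "target": target, "action": action}


def evaluate(event):
    """Return the names of every indicator one event triggers (empty list if none)."""
    hits = []
    t = event["ts"].time()
    # Indicator: interactive access outside the normal shift window.
    if event["action"] == "login" and not (SHIFT_START <= t < SHIFT_END):
        hits.append("odd_hours_access")
    # Indicator: source address outside the networks allowed to reach OT systems.
    if not any(event["src"] in net for net in OT_NETWORKS):
        hits.append("unauthorized_location")
    # Indicator: a deleted/deprovisioned account showing activity again.
    if event["account"] in DEPROVISIONED_ACCOUNTS:
        hits.append("deprovisioned_account_active")
    # Indicator: permission changes, which should be rare and tied to change tickets.
    if event["action"] == "permission_change":
        hits.append("permission_change")
    return hits


def scan(log_text):
    """Run every rule over every line; return (timestamp, account, target, indicator) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for indicator in evaluate(ev):
            alerts.append((ev["ts"].isoformat(), ev["account"], ev["target"], indicator))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Each rule is deliberately a single boolean test on one event, so that the alerts can be reviewed by a human before any automated response; in a real deployment the shift window, address ranges and deprovisioned-account list would come from the site's identity and change-management records rather than constants.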

Proofpoint data identified that malicious, negligent, and compromised users are a serious and growing risk. As the ‘2022 Cost of Insider Threats: Global Report,’ reveals, insider threat incidents have risen 44 percent over the past two years, with costs per incident up more than a third to $15.38 million. The negligent insider is the root cause of most incidents, where a total of 3,807 attacks, or 56 percent, were caused by employee or contractor negligence, costing on average $484,931 per incident, while malicious insiders caused 26 percent or 1,749 incidents at an average cost per incident of $648,062. 

North American companies are spending more than the average cost on activities that deal with insider threats, the data disclosed. Companies in North America experienced the highest total cost at $17.53 million, while European companies had the next highest cost at $15.44 million.

Industrial Cyber turned to specialists in the cybersecurity industry to distinguish the common warning signs of insider threats on OT networks. Additionally, they sought to determine how these insider threats influenced the ICS (industrial control systems) cyber security landscape.

John Lee, managing director of OT-ISAC

An insider is an individual with authorized access to a company’s system and intimate knowledge about the business processes and operations, John Lee, managing director of the OT-ISAC (Operational Technology Information Sharing Analysis Centre), told Industrial Cyber. “They can also be past or current employees. The threat is real as they may use that access or knowledge to cause harm, either intentionally or unintentionally.”

Lee pointed out that insiders in OT environments already possess system access and process knowledge, making detection challenging. “Red flags or threat indicators such as peculiar behavior, unauthorized entry or attempts to systems, data theft/exfiltration, malicious coding practices, and disgruntled employees may point to insider threats. The danger lies in insiders’ familiarity with system vulnerabilities. Insider threats may arise from various sources such as employees, contractors, and third-party vendors,” he added.

He also flagged that the impact of an insider threat event may be high due to the high knowledge of and access to systems. 

Lee provided an example of an insider threat, citing the Maroochy Incident of 2000. “It involved Vitek Boden, a former employee of the company that installed the control system for Maroochy’s sewage pumps. He had worked for the company for 2 years but resigned as a result of a dispute with his boss. He offered his services to the company as an independent Inspector but was declined. Boden then hacked into the computer system remotely and caused pumps to malfunction, resulting in a massive sewage spill.”

“This incident alerted us to the risk of insiders in critical infrastructure as a breach will have a significant impact on the economy,” Lee added.

Paul Smith, CTO at SCADAfence

Paul Smith, CTO at OT and IoT cybersecurity company SCADAfence told Industrial Cyber that “when we think of insider threat, traditionally the idea of a foreign agent stealing valuable secrets or intellectual property crosses one’s mind. I would say that during my career I have seen a number of interesting and recurring threats that have impacted various companies’ bottom line and which have been perpetrated by third-party contractors, employees, vendors, and competitors.”  

Smith detailed that these typically fall into the following categories: sabotage, which is not specifically intended to bring down an enterprise but is more of a justification for ‘overtime/callout’ time theft; and data exfiltration, which is the theft of sensitive data, intellectual property, and customer data for monetary gain.

He also listed device bridging, where the OT network is bridged to guest Wi-Fi to bypass security controls and introduce rogue software into the environment; default credential testing, when credentials for one area of technology suddenly start appearing in a completely different area, unit, site, or business line; and irregular connectivity, when two nodes change their communication behavior and traverse boundaries that have never been crossed in the past.
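The three network-level indicators Smith describes (device bridging, credentials turning up in a different unit or site, and node pairs crossing a boundary they never crossed before) can all be checked against a baseline of what the OT network normally looks like. The following is an added example written for this article, not SCADAfence code or any product's logic; the zone map, the flow baseline, the interface observations and the authentication events are constructed values.

```python
from collections import defaultdict

# Hypothetical zone assignment for hosts seen on the network (assumed values).
ZONE_OF = {
    "hmi-01": "OT", "plc-07": "OT", "historian-01": "OT", "eng-ws-02": "OT",
    "guest-ap-1": "GUEST_WIFI", "laptop-77": "GUEST_WIFI",
    "erp-app-1": "IT",
}

# Constructed baseline: (src, dst, port) triples observed during a learning period.
BASELINE = {
    ("hmi-01", "plc-07", 502),
    ("eng-ws-02", "plc-07", 502),
    ("historian-01", "hmi-01", 44818),
}

# Constructed flow records captured after the learning period.
NEW_FLOWS = [
    ("hmi-01", "plc-07", 502),          # already in the baseline
    ("laptop-77", "plc-07", 502),       # guest Wi-Fi host talking Modbus to a PLC
    ("eng-ws-02", "erp-app-1", 443),    # OT workstation reaching an IT application
    ("historian-01", "hmi-01", 44818),  # already in the baseline
]

# Constructed interface observations: (host, zone its address was seen in),
# e.g. from DHCP leases or ARP tables. A host in two zones is a candidate bridge.
INTERFACE_OBS = [
    ("laptop-77", "GUEST_WIFI"),
    ("laptop-77", "OT"),
    ("hmi-01", "OT"),
]

# Constructed authentication events: (username, site/business line).
AUTH_EVENTS = [
    ("operator", "plant-north"),
    ("operator", "plant-north"),
    ("operator", "plant-south"),   # the same shared account appears at a second site
    ("admin", "plant-south"),
]


def irregular_connectivity(flows, baseline, zone_of):
    """Flag flows not in the baseline; label those that cross a zone boundary."""
    findings = []
    for src, dst, port in flows:
        if (src, dst, port) in baseline:
            continue
        src_zone = zone_of.get(src, "UNKNOWN")
        dst_zone = zone_of.get(dst, "UNKNOWN")
        kind = "new_cross_zone_flow" if src_zone != dst_zone else "new_intra_zone_flow"
        findings.append((src, dst, port, src_zone, dst_zone, kind))
    return findings


def device_bridging(observations):
    """Return hosts whose interfaces have been seen in more than one zone."""
    zones = defaultdict(set)
    for host, zone in observations:
        zones[host].add(zone)
    return sorted(host for host, seen in zones.items() if len(seen) > 1)


def credential_sprawl(events):
    """Return accounts used at more than one site, with the sites they appeared at."""
    sites = defaultdict(set)
    for user, site in events:
        sites[user].add(site)
    return {user: sorted(seen) for user, seen in sites.items() if len(seen) > 1}


if __name__ == "__main__":
    for f in irregular_connectivity(NEW_FLOWS, BASELINE, ZONE_OF):
        print("connectivity:", f)
    print("bridging:", device_bridging(INTERFACE_OBS))
    print("credential sprawl:", credential_sprawl(AUTH_EVENTS))
```

The baseline is a plain set of observed (source, destination, port) triples, which is what passive monitoring tools build up during a learning period; the point of the cross-zone label is that a brand-new flow inside one OT zone may be routine, while a new flow from guest Wi-Fi into a PLC segment is the bridging scenario the text warns about and deserves immediate review.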

“Insider threat has affected the ICS cyber threat in a number of different ways, from the incident Lockheed Martin incurred with losing intellectual property to the extra call-out service that the field technician in West Virginia puts in to fix the same problem time and time again,” according to Smith. “These threats each in their own magnitude impact the financial success of the company that suffers the internal breach.”

Ian Bramson, global head of industrial cybersecurity at ABS Group

Insider threats are common and can come in the form of malicious and non-malicious threats, Ian Bramson, global head of industrial cybersecurity at ABS Group, told Industrial Cyber. “Most are non-malicious: the result of accidental exposure through employees or workers unknowingly connecting compromised devices to the system. That’s also true in other environments. However, OT environments are especially vulnerable to insider threats for two reasons – they use a lot of contractors and vendors, and they often lack the control systems and visibility necessary to manage digital identities effectively.”

Bramson highlighted that even worse, these two factors can work together to exacerbate each other. “More individuals coming in and out makes it more difficult to manage access while also increasing the likelihood that they’re bringing in a compromised device, intentionally or accidentally. Because of this, visibility into access and permissions within OT environments should be a top priority for operators looking to improve their cyber hygiene,” he added. 

The experts also investigate how industrial organizations protect against insider threats deployed across remote sites, offshore facilities, air-gapped automation environments, and other difficult areas. They also assess the average cost of an insider-related data breach in 2022.

Lee said that protecting against insider threats in remote sites, offshore facilities, air-gapped automation environments, and other challenging areas requires a multi-faceted approach with strict data access and security policies.

“To prevent insider threats, industrial organizations should implement strict access controls for remote sites, regularly train employees about security risks, monitor for unusual activity, limit data access through encryption and implement data loss prevention solutions, and conduct thorough background checks on employees and contractors,” he added.

Providing an average cost of an insider-related data breach in 2022, Lee admitted that it is challenging to provide a precise figure as it can vary depending on the size and scope of the breach. “However, according to the 2022 Cost of Insider Threats Global Report by the Ponemon Institute, the average cost of an insider-related data breach increased to $11.45 million in 2022, up from $8.76 million in 2021. The report also found that the cost per record for an insider-related data breach was $268 in 2022, up from $250 in 2021. These figures highlight the significant financial impact that insider threats can have on industrial organizations,” he added.

Addressing insider threats that span multi-application, multi-site, and multi-region has been an ongoing challenge inside OT environments, Smith said. “The use of assessments, reviews, spot checks, and training have been the traditional models but with the rise of UEBA (User & Entity Behavior Analytics) there has been a shift in the way organizations approach insider threat.”  

“Larger organizations have introduced internal case management teams that absorb internal and external data and run behavior modeling against the data ingested,” according to Smith. “Included in this data collection is user activity gathered from the OT networks that are under management and monitoring. Utilizing passive monitoring and correlating this data to users moving through the network is one of the most powerful ways to detect insider threat.”

As OT becomes more connected and remote, operators and cyber specialists will need to change their definition of ‘insider’ and how to protect against those threats, Bramson commented. “Truly air-gapped systems don’t exist in today’s world. If a device is ever serviced or updated, there is a means to connect to it and it loses its air-gapped designation. It’s vulnerable.”

“And if we broaden that idea and consider assets that are intended to be connected remotely, the impact grows exponentially,” according to Bramson. “Providers and partners will have access to sites and operations from thousands of miles away, which means strong monitoring, control, and management of change procedures are needed to adapt to that new reality, as well as increased estimates of the cost of a breach.”

Bramson observed that traditionally in cybersecurity, risk is contextualized in terms of the data exposed. “In OT, risk should be communicated in terms of the impact of the breach on safety and operations. The impact of someone opening valves on an offshore drilling rig cannot be framed in bits and bytes of data. It’s about the physical impact on safety, operations, and the environment. This will help define the cost more accurately by providing better insight into the risk associated with the impact of a breach,” he added.

In the 2022 Ponemon Cost of Insider Threats Global Report, data revealed that insider threats have increased both in frequency and cost over the last two years. Credential thefts, for instance, have almost doubled in number since 2020, as the cost of credential theft to organizations increased 65 percent from $2.79 million in 2020 to $4.6 million at present, and the time to contain an insider threat incident increased from 77 days to 85 days, leading organizations to spend the most on containment. Furthermore, it revealed that incidents that took more than 90 days to contain cost organizations an average of $17.19 million on an annualized basis.

The executives focused on how this affects the ICS cyber threat landscape and the measures that can be adopted to safeguard against such threats.

The increase in frequency and cost of insider threats, especially credential thefts, poses a significant risk to the ICS cyber threat landscape, Lee said. “Insider threats can potentially cause more harm than external attacks as insiders have access to critical systems and data and can cause damage intentionally or unintentionally. In the context of ICS, insider threats can result in production downtime, equipment damage, safety incidents, and environmental damage,” he added.

“Privileged users are a target for attackers, so monitoring these accounts can help identify misuse,” according to Lee. “Implementing monitoring systems, strict access controls, security awareness training, data encryption and masking, and thorough background checks can help prevent insider threats. A robust incident response plan can also minimize the impact of a breach.”

Smith pointed out that credential theft is very tricky for the ICS landscape, as we still see a mixture of default credentials and shared credentials. “It certainly is a major issue that when shared credentials are stolen this leaves a major attack surface vector for future attacks. We know that OT credential rolling policies certainly are limited in enforcement allowing for this attack vector to stay open for long periods of time which is a ticking time bomb waiting to be exploited,” he added. 

“Introducing policies to roll credentials, running tests to make sure that default credentials and credential reuse are not occurring,” Smith added. “Real-time network monitoring tools can provide detections for when plaintext, default, and credential reuse are happening inside the ICS network.”

“In the OT environment, credentials are often easily shared and exchanged. These facilities have been primarily concerned with operational uptime and efficiency, but that point of view should shift now that they’re more connected and digitalized,” Bramson said. “To better mitigate the threat, facilities should strengthen their identity management procedures, expand their ICS security controls, and update their management of change logs frequently so as to empower teams to react more quickly and prevent or remove insider threats from the network remotely,” he added.

The executives also shed light on how to best mitigate insider threats when it comes to safeguarding the ICS cyber threat landscape. They also provide essential elements for building an insider threat mitigation program for OT environments.

Lee said that to mitigate insider threats in the ICS cyber threat landscape, industrial organizations should adopt a comprehensive approach that includes conducting risk assessments, developing policies and procedures, implementing strict access controls, providing employee training, implementing monitoring and detection tools, developing incident response plans, and continuously evaluating and improving the insider threat mitigation program.

He also stressed that strict access controls such as multi-factor authentication, role-based access control, and privileged access management should be in place. “The use of monitoring and detection tools is crucial to identifying unusual or suspicious employee behavior,” he added.

Lee also added that a robust incident response plan should be established to respond effectively to insider threats. “Data protection measures such as data encryption and data masking should be implemented to prevent data exfiltration. Lastly, the program should be continuously evaluated and improved to stay ahead of changing threats and environments.”

“Lockheed Martin has a comprehensive insider threat mitigation program that includes employee training, access controls, and continuous monitoring of employee activity,” Lee observed. “The program also includes a dedicated insider threat team that investigates potential incidents and a process for reporting and responding to insider threats.”

Lee also mentioned that OT environments, especially in critical infrastructure sectors, can learn from the financial services sectors. “Banks typically have insider threat monitoring programs as part of their overall information security programs. The Monetary Authority of Singapore (MAS) requires financial institutions operating in Singapore to implement robust cybersecurity measures to protect against cyber threats, which include insider threats,” he added.

Depending on budgets, Smith said he “would move towards central log collection, running analytics against the data collected to see if any known threats are occurring. Implement a UEBA monitoring solution that will perform heuristic analysis on the data being captured. Introduce real-time network monitoring that is creating a baseline of access, services, users, identity, and control,” he added.

“Managing insider threat risk comes down to two factors: visibility and control. Teams need to be able to see who is in the environment and control their access freely,” Bramson said. “Currently, most OT environments have neither. However, by having strong asset inventories, vulnerability management protocols, management of change procedures, and OT monitoring and response capabilities, companies can lay the groundwork for a better foundation to manage insider threats,” he concluded.
