By Dick Bussiere, technical director, APAC at Tenable
AUSTRALIA’S oil and gas industry is central to the nation’s economic growth and accounts for $34.5 billion of annual income. Its ability to handle this incredible demand hinges on taking advantage of new automation technologies to aid with discovery, extraction and processing through to delivery.
At the same time, increased real-time business interactions between upstream and downstream companies are driving greater connectivity between operational technology (OT) and IT networks. That connectivity exposes once-isolated OT systems to cyberattacks and makes organisations more susceptible to threats. However, not all threats are external. Some of these dangers come from within the organisation.
Understanding insider threats
Insider threats are users with legitimate access to an organisation’s network and resources, who use their privilege to accidentally or intentionally harm the organisation. These users can be employees, partners or contractors, both past and present.
On average, insider-caused breaches cost the global economy $11.45 million annually, and we’ve seen a 31% increase in the past two years. Such threats are often a greater potential risk than external threats because they come from what is considered to be a “trusted entity.”
Organisations trying to detect insider threats face the challenge of not only differentiating attacks from “normal” traffic but also ensuring they are not inundated with false positives from users performing legitimate tasks.
To understand how insider threats can be handled effectively, it’s important to first delve into the motivations and circumstances of these instances.
1. Malicious intent: A typical scenario of this threat involves a disgruntled employee motivated to exfiltrate information and/or cause organisational damage.
2. Human error: Human error occurs when an employee accidentally alters industrial processes or equipment, or accidentally leaks confidential company information, causing damage or downtime. Another example of human error is an insecure misconfiguration of a system exposed to the Internet, creating conditions ripe for data theft.
3. Account compromise: This often occurs when an unsuspecting employee is tricked by an outsider into divulging confidential information through social engineering means such as phishing emails or a “call from IT” requesting an ID and password. The attacker then uses that information to carry out an attack.
Protecting OT environments from these threats
While educating employees to monitor for malicious or anomalous activity is important, organisations cannot solely rely on staff awareness to strengthen security. Companies must also defend against the multitude of insider threats. Here are three ways organisations can protect OT environments from insider threats.
- Risk assessment: Organisations should perform a risk assessment to identify and address vulnerabilities such as over-privileged accounts, insiders with access to resources not required to do their jobs and stray accounts belonging to past employees, contractors and partners.
- Know and monitor attack vectors: There are two primary vectors for insider attacks: the network itself, and devices that are accessed directly without using the network. The latter occurs when a user plugs a device into an industrial controller to distribute malware or upload new code, or accesses a local control console. Such attacks can propagate quickly, but monitoring both network activity and device integrity can detect network-based and local attacks alike.
- Unify IT and OT security: Since IT and OT environments are often interconnected, an attack that originates on an IT network can move laterally to the OT environment, and vice versa. Establish visibility across both IT and OT networks by integrating security tools and the data they generate to help detect lateral attack activity. Also, remember that a large percentage of devices residing on the OT network are in fact based on IT equipment, with the same risks and vulnerabilities seen in the corporate network.
With enormous pressure to curb external threats, insider threats can often be overlooked because security teams are focused on keeping the bad guys out, not dealing with those already inside the organisation.
While employee awareness of threats can play an important role, the onus is on organisations to ensure that a plan is in place to defend against cyber threats. Implementing IT best practices for insider threat prevention in OT environments, and unifying controls and visibility across both infrastructures, represents the best recipe for protection and defence against insider threats.