How IoT Opens the Door for Insider Attacks Against Industrial Infrastructure

For manufacturers, improving security often means building better defenses against malware, botnets and other external threats. What may be further from their minds, however, are the threats that come from within the organization. 

Although they often fall under the radar, insider threats can be just as damaging as external cyberattacks — a 2018 Ponemon Institute Cost of Insider Threats report (PDF) cited that the average annual cost of insider breaches is now upwards of $8.75 million.

It’s a lesson that some industrial organizations have already learned the hard way. Last year, car manufacturer Tesla fell victim to a damaging insider attack when an employee sabotaged the company’s operations systems by making direct changes to the Manufacturing Operating System (MOS) source code.

And it’s not just manufacturing that’s at risk. Last year, the Bureau of Reclamation, a division of the Department of the Interior, released a report (PDF) illuminating that the industrial control systems of two U.S. dams were “at high risk from insider threats.”

While malicious insiders undoubtedly pose a threat to IT infrastructure, operational technology (OT) and internet of things (IoT) systems are comparatively more fragile simply because they lack IT’s basic security defenses. There is also more at stake — while insider attacks on IT often result in data theft and financial losses, an insider breach targeting OT and IoT systems has the potential to shut down electrical grids, contaminate water supplies and otherwise destroy a nation’s infrastructure.

An Open Door for Insider Attacks

Despite the very real and growing insider threat, OT and IoT security is woefully inadequate at best, non-existent at worst. Electronics and sensors that control industrial infrastructure are often decades old, created long before security technologies were even a consideration. Since these systems are designed to operate with productivity — not security — in mind, manufacturers have been slow to make necessary updates to accommodate an evolving insider threat landscape.

Blind spots around insider threats can also be traced to a general lack of awareness. Part of that is cultural — manufacturing organizations don’t want employees to feel like they’re being watched. Additionally, most manufacturers simply lack tools that give them visibility into the entirety of their environment. While they’re starting to become more aware that security should be a priority, they’re often focused on other goals.

As a result, they miss glaring, yet easily fixable vulnerabilities such as passwords stored in plainly accessible files or permissions granted to users who should not have them. These oversights leave OT and IoT systems vulnerable to miscreants who have insider knowledge of an organization’s weaknesses along with unrestrained access to critical systems.

Bolstering Insider Defenses

The most effective solution for defending against insider threats is also one of the simplest: carefully monitoring all activity in the IoT environment. For manufacturers, it’s easier said than done. Many manufacturers are worried about the threats that enter the network but are not as concerned with what goes out. But improving general monitoring, particularly around exfiltration, and auditing unintended changes can go a long way to identifying and preventing sensitive information from leaving the organization.

That elevated monitoring should also extend to employees who enter the network through the VPN or remote access — and include alerts that raise a red flag to security teams if users are logging in from somewhere that might be suspicious. Organizations can also be more judicious about employee access, such as thoroughly reviewing role-based policies and removing unnecessary administrator access to machines.
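One way to turn the remote-access monitoring described above into a concrete rule, as an added example that is not part of the original article or any Splunk product: flag a successful VPN login when the user appears from a country not seen in their earlier sessions, or outside an assumed business-hours window. The log line format (timestamp, `user=`, `src=`, `country=`, `result=`) and the sample events are constructed for illustration.

```python
"""
Added example, not code from the original article: a minimal VPN login
anomaly detector. The log format and the business-hours policy window are
assumptions; the sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN login events (RFC 5737 documentation addresses).
SAMPLE_LOGS = [
    "2019-03-04T08:02:11Z user=alice src=203.0.113.10 country=US result=success",
    "2019-03-04T08:45:09Z user=bob src=198.51.100.7 country=US result=success",
    "2019-03-05T09:10:44Z user=alice src=203.0.113.10 country=US result=success",
    "2019-03-05T02:13:27Z user=alice src=192.0.2.44 country=RO result=success",
    "2019-03-05T23:58:01Z user=bob src=198.51.100.7 country=US result=success",
    "2019-03-06T08:05:00Z user=bob src=198.51.100.7 country=US result=failure",
]

# Assumed policy: logins between 06:00 and 19:59 UTC are considered normal.
BUSINESS_HOURS = range(6, 20)


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def detect_suspicious_logins(lines, business_hours=BUSINESS_HOURS):
    """Return alerts for successful logins from a new country or off-hours.

    The per-user country baseline is built sequentially from the events
    themselves: a user's first-ever country is accepted silently, and each
    later country not yet seen for that user raises an alert.
    """
    seen_countries = defaultdict(set)
    alerts = []
    for event in (parse_line(line) for line in lines):
        if event.get("result") != "success":
            continue  # failed attempts are left to a separate brute-force rule
        user, country, ts = event["user"], event["country"], event["ts"]
        reasons = []
        if seen_countries[user] and country not in seen_countries[user]:
            reasons.append(f"new country {country}")
        if ts.hour not in business_hours:
            reasons.append(f"off-hours login at {ts.strftime('%H:%M')}Z")
        if reasons:
            alerts.append({
                "user": user,
                "src": event["src"],
                "ts": ts.isoformat(),
                "reasons": reasons,
            })
        seen_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(SAMPLE_LOGS):
        print(f"{alert['ts']} {alert['user']} from {alert['src']}: "
              + "; ".join(alert["reasons"]))
```

On the constructed sample this raises two alerts: alice's 02:13 login from a country she has never used, and bob's 23:58 login outside the window. In practice the country baseline should be seeded from a history window rather than from the live stream, otherwise an insider's first session silently defines "normal"; the sequential version here is kept only to make the rule self-contained.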

However, to truly facilitate a culture shift toward security, industrial organizations will need to implement comprehensive and consistent employee training that updates employees on company security policies while incorporating security best practices.

With the surplus of IoT and sensor data available today, more information — such as blueprints, intellectual property and sensitive customer data — will be targeted by competitors and nation states. And it’s not much of a stretch to assume that attackers will pull out all the stops, including using insiders, to gain an advantage. Industrial organizations will need to start preparing by first acknowledging the very real possibility of insider threats, and then finding new ways to protect assets from both malicious outsiders and malicious insiders.

Seema leads product marketing for Splunk’s emerging markets group and is responsible for Splunk’s Internet of Things (IoT) and Business Analytics solutions. In this role, she works closely with Splunk customers to help them understand how valuable insights from machine data can be applied to solve real-world business problems. Prior to Splunk, Seema served in product marketing roles at DataStax, Birst, and Actuate (OpenText). She has a Bachelors in Engineering from the University of Pune, India and a Masters in Computer Science from USC. Please don’t ask her to do basic math.