ICS Networks Not Immune To Insider Threats

Organizations Need Specialized Monitoring and Control Technologies for ICS Networks 

The security threat from within can be even more potent than many external attacks. This is particularly the case with Industrial Control System (ICS) networks, which manage critical infrastructure and manufacturing processes. A smart, motivated, perhaps disgruntled employee or ex-employee with knowledge of a plant and access to the network can cause a variety of disruptions that may result in tainted products, financial losses and equipment damage, and may even threaten human lives.

Case in point: a disgruntled ex-employee who worked as a system administrator at paper maker Georgia-Pacific recently used his VPN access (which had not been revoked) to log into the ICS network. He then installed his own software and made unauthorized changes to the industrial control systems. The sabotage caused an estimated $1.1m in lost or spoiled products. The campaign lasted two weeks before the root cause was detected and he was arrested by the FBI.

ICS Can Be More Vulnerable than IT Networks to Malicious Insiders

The following points are worth noting about the vulnerabilities of ICS networks:

Remote access to ICS is now commonplace

While external connectivity to operational technology networks and devices is good for boosting productivity, it has created a new attack surface. Remote access is often implemented by engineers to facilitate specific projects or needs. Yet too often, it is left in place after the project ends without anyone monitoring its usage. This enables unwanted and dangerous access to these environments. 

Even organizations that once believed the traditional air gap (sealing the industrial network off from the IT network and the outside world/Internet) was sufficient to protect ICS no longer trust this antiquated security measure. Now, cracks and holes are everywhere, making it easy for insiders and external actors to attack an ICS network.
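
An added example (not from the original article) of a check that would surface the stale remote access described above, including a case like the unrevoked VPN account: it audits VPN logins against a roster of termination and project-end dates. The log format, account names, roster structure and dates are constructed assumptions.

```python
import re
from datetime import date, datetime

# Constructed roster: who is allowed ICS remote access and until when.
# "terminated" is the HR separation date; "expires" is the end of the
# project the remote access was granted for (None = no date recorded).
ROSTER = {
    "asmith": {"terminated": None, "expires": None},
    "bjones": {"terminated": date(2024, 2, 14), "expires": None},
    "vendor1": {"terminated": None, "expires": date(2024, 1, 31)},
}

# Constructed VPN concentrator log lines (the format is an assumption).
SAMPLE_LOG = """\
2024-02-10T08:02:11 vpn-login user=asmith src=198.51.100.4 dest=ics-jump01
2024-02-20T23:41:07 vpn-login user=bjones src=203.0.113.9 dest=ics-jump01
2024-02-21T09:15:30 vpn-login user=vendor1 src=192.0.2.77 dest=ics-jump01
2024-02-22T02:03:55 vpn-login user=ghost src=203.0.113.50 dest=ics-jump01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-login user=(?P<user>\S+) src=(?P<src>\S+) dest=(?P<dest>\S+)$"
)

def audit_vpn_logins(log_text, roster):
    """Return (timestamp, user, src, reason) for each login that should not exist."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login record
        ts = datetime.fromisoformat(m["ts"])
        user, src = m["user"], m["src"]
        entry = roster.get(user)
        if entry is None:
            reason = "account not on ICS remote-access roster"
        elif entry["terminated"] and ts.date() >= entry["terminated"]:
            reason = "login after termination date"
        elif entry["expires"] and ts.date() > entry["expires"]:
            reason = "login after project access expired"
        else:
            continue  # active account within its access window
        findings.append((ts, user, src, reason))
    return findings

if __name__ == "__main__":
    for ts, user, src, reason in audit_vpn_logins(SAMPLE_LOG, ROSTER):
        print(f"{ts.isoformat()} {user} from {src}: {reason}")
```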

ICS networks lack traditional IT security controls and monitoring

Because they lack such controls, ICS administrators cannot enforce policies for access, security, and change-management. Another headache: these networks don’t have audit trails or logs that capture who has accessed the network, when, and what changes they made.

Consequently, when an incident occurs and causes operational disruption, an organization will find it next to impossible to determine the source of the attack. This lack of visibility prevents staff from responding quickly and cost-effectively.

Poor or non-existent visibility into engineering control-plane activities, where changes are made to process controllers

ICS networks typically lack event logs or audit trails that can provide information on changes made to critical control devices. Such changes are made not just by employees but also by integrators and third-party contractors who work on-site. If any of these parties makes malicious changes to these systems, the changes are very difficult to detect and may lead to a facility-wide shutdown until the issue is resolved.

This is a serious blind spot that can be easily exploited by a knowledgeable insider or an ex-employee with an axe to grind.

What's Needed to Detect Insider Attacks

Real-time monitoring of ICS activities, including the difficult-to-monitor yet very sensitive control-plane activities

Organizations need specialized monitoring and control technologies for ICS networks that provide the deep, real-time visibility to identify suspicious or malicious activity, and to take preventative action to limit or stop damage. This includes the need to monitor the proprietary, vendor-specific control-plane protocols that are used for engineering changes made to industrial controllers. It is also important to capture changes made via direct physical access to critical control devices, since these cannot be monitored over the network.

Detection of anomalies, malicious activities and unauthorized access

Granular security policies are needed to identify anomalous traffic and malicious activities, such as malware spreading across the network, unexpected changes to critical devices, and unauthorized control-plane engineering activity.

Detection of unauthorized changes made by trusted insiders

In addition to detecting anomalies, an organization should be able to track all access to controllers and see all changes being made in order to identify human error and unauthorized changes. 

Like cyber attacks, insider threats can be detected and mitigated before damage occurs with the right mix of visibility, monitoring, alerting and auditing. 

Barak Perelman is CEO of Indegy, an industrial cyber-security firm that improves operational safety and reliability for industrial control networks by providing situational awareness and real-time security.