ICS Networks Not Immune To Insider Threats

Organizations Need Specialized Monitoring and Control Technologies for ICS Networks 

The security threat from within can be even more potent than many external attacks. This is particularly the case with Industrial Control System (ICS) networks, which manage critical infrastructure and manufacturing processes. A smart, motivated, perhaps disgruntled employee or ex-employee with knowledge of a plant and access to its network can cause a variety of disruptions that may result in tainted products, financial losses, equipment damage and even threats to human lives.

Case in point: a disgruntled ex-employee who worked as a system administrator at paper maker Georgia-Pacific recently used his VPN access (which had not been revoked) to log into the ICS network. He then installed his own software and made unauthorized changes to the industrial control systems. The sabotage caused an estimated $1.1m in lost or spoiled products. The campaign lasted two weeks before the root cause was detected and he was arrested by the FBI.

ICS Can Be More Vulnerable than IT Networks to Malicious Insiders

The following points are worth noting about the vulnerabilities of ICS networks:

Remote access to ICS is now commonplace

While external connectivity to operational technology networks and devices is good for boosting productivity, it has created a new attack surface. Remote access is often set up by engineers to support a specific project or need, yet too often it is left in place after the project ends, with nobody monitoring its usage. This enables unwanted and dangerous access to these environments.

Even organizations that once believed a traditional air gap, sealing the industrial network off from the IT network and the Internet, was sufficient to protect ICS no longer trust this antiquated security measure. Now, cracks and holes are everywhere, making it easy for insiders and external actors to attack an ICS network.


ICS networks lack traditional IT security controls and monitoring

Because they lack such controls, ICS administrators cannot enforce policies for access, security, and change-management. Another headache: these networks don’t have audit trails or logs that capture who has accessed the network, when, and what changes they made.

Consequently, when an incident occurs and causes operational disruption, an organization will find it next-to-impossible to determine the source of the attack. This lack of visibility prevents staff from responding quickly and cost effectively.

Poor or non-existent visibility into engineering control-plane activities, where changes are made to process controllers

ICS networks typically lack event logs or audit trails that record changes made to critical control devices. Such changes are made not just by employees but also by integrators and third-party contractors working on-site. If any of these parties makes a malicious change to these systems, it is very difficult to detect, and the result may be a facility-wide shutdown until the issue is resolved.

This is a serious blind spot that can be easily exploited by a knowledgeable insider or an ex-employee with an axe to grind.

What’s Needed to Detect Insider Attacks

Real-time monitoring of ICS activities, including the difficult-to-monitor yet very sensitive control-plane activities

Organizations need specialized monitoring and control technologies for ICS networks that provide deep, real-time visibility to identify suspicious or malicious activity and to take preventive action that limits or stops damage. This includes monitoring the proprietary, vendor-specific control-plane protocols used to make engineering changes to industrial controllers. It is also important to capture changes made via direct physical access to critical control devices, since these cannot be observed on the network.

Detection of anomalies, malicious activities and unauthorized access

Granular security policies are needed to identify anomalous traffic and malicious activities, such as malware spreading across the network, unexpected changes to critical devices, and unauthorized control-plane engineering activity.

Detection of unauthorized changes made by trusted insiders

In addition to detecting anomalies, an organization should be able to track all access to controllers and see every change being made, in order to identify both human error and unauthorized changes.
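The audit trail the article says ICS networks usually lack (who accessed a controller, when, and what they changed) and the policy checks it calls for in the two points above can be illustrated with a small Python program. This is an added example, not code from the article or any ICS monitoring product: the event records, field names, account lists, controller names and maintenance window are all constructed assumptions. The three policies it applies mirror the article's own concerns: activity from an account that should have been deprovisioned (as in the Georgia-Pacific case), engineering changes by someone not authorized for that controller or outside the change window, and changes made through a direct physical port rather than the network.

```python
"""Policy checks over constructed ICS control-plane audit events (added example)."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Event:
    """One audit record. Field names are assumptions for this example."""
    ts: datetime      # when the event was recorded
    user: str         # account that performed the action
    source: str       # "vpn", "engineering_ws", or "local_port" (direct cable to the device)
    action: str       # "logon", "logic_download", "setpoint_change", "firmware_update"
    target: str       # controller identifier


# Constructed policy data (assumptions, not real site configuration)
ACTIVE_ACCOUNTS = {"alice", "bob", "integrator_acme"}
# Which accounts may push logic or firmware to which controller
AUTHORIZED_ENGINEERS = {
    "plc-boiler-1": {"alice"},
    "plc-line-3": {"alice", "integrator_acme"},
}
# Engineering changes are only expected inside the maintenance window
CHANGE_WINDOW = (time(8, 0), time(17, 0))
ENGINEERING_ACTIONS = {"logic_download", "firmware_update"}


def check_event(ev: Event) -> list[str]:
    """Return the policy findings raised by one event (empty list if it is clean)."""
    findings = []
    # Policy 1: any activity from an account not on the active roster
    if ev.user not in ACTIVE_ACCOUNTS:
        findings.append(f"deprovisioned-account: {ev.user} via {ev.source}")
    # Policy 2: engineering changes must come from an authorized engineer, inside the window
    if ev.action in ENGINEERING_ACTIONS:
        if ev.user not in AUTHORIZED_ENGINEERS.get(ev.target, set()):
            findings.append(f"unauthorized-engineering: {ev.user} {ev.action} on {ev.target}")
        start, end = CHANGE_WINDOW
        if not (start <= ev.ts.time() <= end):
            findings.append(f"out-of-window-change: {ev.action} on {ev.target} at {ev.ts:%H:%M}")
    # Policy 3: changes made over a physical port bypass network monitoring, so flag them
    if ev.source == "local_port" and ev.action != "logon":
        findings.append(f"physical-port-change: {ev.user} {ev.action} on {ev.target}")
    return findings


def evaluate(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """Run every event through the policies; return (event, findings) pairs that fired."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        findings = check_event(ev)
        if findings:
            alerts.append((ev, findings))
    return alerts


def audit_trail(events: list[Event]) -> list[str]:
    """Render the who / when / what trail the article says ICS networks usually lack."""
    return [f"{e.ts:%Y-%m-%d %H:%M} {e.user} via {e.source}: {e.action} on {e.target}"
            for e in sorted(events, key=lambda e: e.ts)]


# Constructed sample events: a normal download, a deprovisioned account coming in
# over VPN at night, a firmware push over a local port, and a routine setpoint change.
SAMPLE_EVENTS = [
    Event(datetime(2023, 3, 1, 9, 15), "alice", "engineering_ws", "logic_download", "plc-boiler-1"),
    Event(datetime(2023, 3, 1, 23, 40), "carol", "vpn", "logon", "plc-line-3"),
    Event(datetime(2023, 3, 1, 23, 52), "carol", "vpn", "logic_download", "plc-line-3"),
    Event(datetime(2023, 3, 2, 10, 5), "bob", "local_port", "firmware_update", "plc-boiler-1"),
    Event(datetime(2023, 3, 2, 14, 30), "integrator_acme", "engineering_ws", "setpoint_change", "plc-line-3"),
]

if __name__ == "__main__":
    print("audit trail:")
    for row in audit_trail(SAMPLE_EVENTS):
        print("  " + row)
    print("alerts:")
    for ev, findings in evaluate(SAMPLE_EVENTS):
        print(f"  {ev.ts:%Y-%m-%d %H:%M} {ev.user}: " + "; ".join(findings))
```

Note that the integrator's setpoint change raises no alert but still appears in the audit trail; the article's point is that every access and change should be recorded so that human error and unauthorized activity can be told apart after the fact, not only that policy violations should alert. In a real deployment the events would come from passive capture of the vendor control-plane protocols plus device-side logging for physical-port changes, which is exactly the visibility the article says most ICS networks do not have.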

Like external cyber attacks, insider threats can be detected and mitigated before damage occurs with the right mix of visibility, monitoring, alerting and auditing.
