ICS Networks Not Immune To Insider Threats

Organizations Need Specialized Monitoring and Control Technologies for ICS Networks 

The security threat from within can be even more potent than many external attacks. This is particularly the case with Industrial Control System (ICS) networks, which manage critical infrastructure and manufacturing processes. A smart, motivated, perhaps disgruntled employee or ex-employee with knowledge of a plant and access to the network can cause a variety of disruptions that may result in tainted products, financial losses, equipment damage and even threats to human life.

Case in point: a disgruntled ex-employee who worked as a system administrator at paper maker Georgia-Pacific recently used his VPN access (which had not been revoked) to log into the ICS network. He then installed his own software and made unauthorized changes to the industrial control systems. The sabotage caused an estimated $1.1m in lost or spoiled products. The campaign lasted two weeks before the root cause was detected and he was arrested by the FBI.

ICS Can Be More Vulnerable than IT Networks to Malicious Insiders

The following points are worth noting about the vulnerabilities of ICS networks:

Remote access to ICS is now commonplace

While external connectivity to operational technology networks and devices is good for boosting productivity, it has created a new attack surface. Remote access is often implemented by engineers to facilitate specific projects or needs. Yet too often, it is left in place after the project ends without anyone monitoring its usage. This enables unwanted and dangerous access to these environments. 

Even organizations that once believed the traditional air gap was sufficient to protect ICS, by sealing the industrial network off from the IT network and the outside world/Internet, no longer trust this antiquated security measure. Now, cracks and holes are everywhere, making it easy for insiders and external actors to attack an ICS network.

ICS networks lack traditional IT security controls and monitoring


Because they lack such controls, ICS administrators cannot enforce policies for access, security, and change-management. Another headache: these networks don’t have audit trails or logs that capture who has accessed the network, when, and what changes they made.

Consequently, when an incident occurs and causes operational disruption, an organization will find it next-to-impossible to determine the source of the attack. This lack of visibility prevents staff from responding quickly and cost effectively.

Poor or non-existent visibility into engineering control-plane activities, where changes are made to process controllers

ICS networks typically lack event logs or audit trails that can provide information on changes made to critical control devices. Such changes are made not just by employees but also by integrators and third-party contractors that work on-site. If any of these parties makes malicious changes to these systems, detecting it is very difficult, and the result may be a facility-wide shutdown until the issue is resolved.

This is a serious blind spot that can be easily exploited by a knowledgeable insider or an ex-employee with an axe to grind.

What’s Needed to Detect Insider Attacks

Real-time monitoring of ICS activities, including the difficult-to-monitor yet very sensitive control-plane activities

Organizations need specialized monitoring and control technologies for ICS networks that provide the deep, real-time visibility to identify suspicious or malicious activity, and to take preventive action to limit or stop damage. This includes the need to monitor the proprietary, vendor-specific control-plane protocols that are used for engineering changes made to industrial controllers. It is also important to capture changes made via direct physical access to critical control devices, since these cannot be monitored over the network.

Detection of anomalies, malicious activities and unauthorized access

To identify anomalous traffic and malicious activities, such as malware spreading across the network, unexpected changes to critical devices and unauthorized control-plane engineering activity, granular security policies are needed.

Detection of unauthorized changes made by trusted insiders

In addition to detecting anomalies, an organization should be able to track all access to controllers and see all changes being made in order to identify human error and unauthorized changes. 
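As an added example (not part of the article), the kind of policy check that such controller-change auditing would apply to control-plane events: each event records who changed which controller, when, and from where, and is tested against an authorization list, a terminated-accounts list, a maintenance window and a remote-access subnet. The event format, policy values, user names and addresses are all constructed for illustration.

```python
from datetime import datetime, time

# Constructed control-plane audit events (hypothetical format): who, when,
# source address, which controller, and what engineering operation was performed.
EVENTS = [
    {"ts": "2024-03-04T10:12:00", "user": "eng.alice", "src": "10.1.5.20", "plc": "PLC-07", "op": "logic_download"},
    {"ts": "2024-03-04T23:47:00", "user": "jdoe", "src": "172.16.9.4", "plc": "PLC-07", "op": "logic_download"},
    {"ts": "2024-03-05T02:05:00", "user": "eng.bob", "src": "10.1.5.21", "plc": "PLC-03", "op": "setpoint_write"},
    {"ts": "2024-03-05T09:30:00", "user": "contractor.x", "src": "10.1.5.60", "plc": "PLC-03", "op": "firmware_update"},
]

# Constructed policy: who may change each controller, which accounts have left,
# which subnet is the remote-access (VPN) range, and when changes are allowed.
POLICY = {
    "authorized": {"PLC-07": {"eng.alice"}, "PLC-03": {"eng.bob", "contractor.x"}},
    "terminated": {"jdoe"},
    "vpn_subnet": "172.16.9.",
    "change_window": (time(7, 0), time(19, 0)),
    # Firmware updates need an approved change ticket for (user, controller, op).
    "approved_tickets": {("contractor.x", "PLC-03", "firmware_update")},
}


def evaluate(events, policy):
    """Return one alert per event that violates any policy rule, with all reasons listed."""
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        reasons = []
        if e["user"] in policy["terminated"]:
            reasons.append("terminated account still has controller access")
        if e["user"] not in policy["authorized"].get(e["plc"], set()):
            reasons.append("user not authorized for this controller")
        start, end = policy["change_window"]
        if not (start <= ts.time() <= end):
            reasons.append("change outside maintenance window")
        if e["src"].startswith(policy["vpn_subnet"]):
            reasons.append("control-plane change made over remote access")
        if e["op"] == "firmware_update" and (e["user"], e["plc"], e["op"]) not in policy["approved_tickets"]:
            reasons.append("firmware update without approved change ticket")
        if reasons:
            alerts.append({"ts": e["ts"], "user": e["user"], "plc": e["plc"], "op": e["op"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS, POLICY):
        print(a["ts"], a["user"], a["plc"], a["op"], "->", "; ".join(a["reasons"]))
```

Run against the constructed events, the check flags the terminated user's night-time download over the VPN (four reasons) and the out-of-window setpoint write, while the authorized, ticketed firmware update passes.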

Like cyber attacks, insider threats can be detected and mitigated before damage occurs with the right mix of visibility, monitoring, alerting and auditing. 
