Insider Threats in OT/ICS Call for Endpoint Sensors and Behavioral Analytics

The Maroochy incident in 2000 is the first known case of a malicious insider carrying out a successful cyberattack on critical infrastructure. If it doesn’t ring a bell: a former employee of the contractor that installed the control system for the sewage pumping stations in Maroochy Shire, Australia, became disgruntled after being turned down for a job with the local council. Nothing about the system had been changed after his departure, so with his knowledge of it and compatible radio equipment he could still issue commands to the pumping stations remotely. He did, causing the pumps to malfunction and spilling roughly 800,000 liters (about 265,000 gallons) of raw sewage into local parks and rivers.

This is the kind of cyberattack on critical infrastructure that we imagine coming from foreign nation-state actors. But when you start to understand the many faces of insider threats, you may want to pay attention to what’s happening much closer to home.

What Is an Insider Threat?

An insider threat involves a current or former employee, contractor, vendor or other individual with legitimate access to systems who causes a security incident, not always intentionally. The individual typically knows how the target systems work, how to navigate the environment and how to access valuable data or controls. It’s this inside knowledge that makes insider threats so challenging to detect and mitigate.

There are three types of insider threats:

1. Malicious

Unusual, unexpected or unauthorized behavior such as misuse of access or knowledge to inflict damage or disruption, often motivated by personal gain or vengeance. In 2023 two former Tesla employees leaked 100GB of data including personally identifiable information (PII) for more than 75,000 employees and ex-employees.

2. Compromised  

An unwitting insider manipulated by phishing or social engineering into giving up credentials that are then used for an external attack. In 2013 attackers stole the network credentials of a third-party HVAC contractor and used that vendor's access to enter Target's network, ultimately stealing data from the payment cards of 40 million holiday shoppers. The retail giant later paid $18.5 million to settle claims from 47 states and the District of Columbia.

3. Negligent  

Careless, distracted or impatient behavior that inadvertently causes harm or exposes the organization to an external attack. In 2021 a spike in the sodium hydroxide setpoint at the Oldsmar, Florida water treatment plant was initially reported as a sophisticated remote cyberattack. It was later attributed instead to an employee in a remote-access session accidentally clicking the wrong buttons.

The Maroochy and Oldsmar incidents, rare as they are, show that the stakes of an insider threat in an industrial environment are higher. Instead of a damaging data breach, which may itself be only the first stage of a larger attack, an insider could, and in Maroochy's case did, cause real physical harm.

Insider Threat Frequency by Type

When we think about insider threats we tend to worry about the malicious ones. According to a 2022 Proofpoint/Ponemon report, however, they aren’t the biggest problem. Only about a quarter (26%) of insider incidents are maliciously motivated. Negligent employees and contractors account for more than half of incidents (56%). Compromised insiders (17%) are victims of credential theft, which arguably is due to poor cybersecurity awareness training, if not negligence.

Source: "2022 Ponemon Cost of Insider Threats: Global Report," Proofpoint

Malicious insider threats are less common than negligence, but they’re the easiest to detect. Behavior such as repeated remote-access attempts against privileged systems is more readily observed than a negligent error, as are flagrant activities at odd hours from odd locations: software installations, file transfers, large downloads and data exfiltration.

Insider Threats in ICS Environments: Larger Impact, Bigger Consequences  

Here’s what industrial insider threats look like and how they differ from IT-focused insider threats.

People-Porous Landscape

Plant floors in particular are chaotic, noisy environments where employees, contractors and vendor technicians come and go with frequent shift changes. Unfamiliar faces are the norm, and all you need is a badge to fit in. If your badge was never deactivated, no one is likely to stop you.

Physical Impact vs. Data Breach

Stolen proprietary data including trade secrets and PII can be costly and tarnish a company’s reputation. An insider threat to an ICS environment may have safety consequences, cause production downtime, or damage equipment or the environment. Time to respond is more critical.

Known Vulnerabilities

Insiders may have knowledge of critical infrastructure weaknesses, including insufficient monitoring and segmentation, and have access to PLCs, SCADA and other sensitive control systems.

Easy Credential Theft

Default credentials are all too common in OT devices, as are shared credentials, with rolling and reuse policies rarely enforced.

Without endpoint security, there’s no way to know who’s plugging in when and what they’re doing until their commands have been executed on the network. This has always been a challenge in OT.

The Case for OT Endpoint Security Sensors to Catch Insider Threats  

Detecting insider threats before it’s too late requires monitoring insider activity as it happens, using endpoint security agents that can correlate user activity with events. Passive network monitoring, remote collectors and even intermittent polling are good at spotting communications between workstations and PLCs, but not at telling you who’s on the machine.

Attempts to deploy IT endpoint agents in ICS environments have ranged from ineffective to harmful, fueling operator distrust of cybersecurity tools in general, even safe ones. IT agents don’t work in ICS for three reasons: they’re heavyweight and disruptive, they look for the wrong (IT) threats, and they raise false positives. That last deficit has serious consequences. Because they were never trained on OT environments, IT endpoint agents mistake legitimate safety protocols or control-system commands for threats. As a result they may render engineering hardware unresponsive, stop a process or delete a critical application they perceive as malware.

Endpoint sensor technology has finally evolved to meet the needs of industrial environments. Safe, non-disruptive agents, including Nozomi Arc, released in 2023, are purpose-built for OT devices. They don’t need to be installed on everything, but you do want them wherever humans interact with your most attackable assets: engineering workstations, HMIs and selected ICS hardware.

Some of the best use cases for OT endpoint sensors involve these four insider threat scenarios:

1. Infected third-party laptop

A systems integrator is performing maintenance on a PLC, unaware that the laptop they plugged in is infected with malware.  

2. Operator error

A newly hired engineer accidentally changes an HMI configuration or issues a nonsensical command.  

3. Malicious insider threat

A disgruntled employee intentionally changes the setpoint on an HMI.  

4. Stolen credentials

An alert indicates an authorized person is logged into two places at the same time, but in time zones 3,000 miles apart.
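Scenario 4 is simple enough to write down as detection logic. The following is an added example, not Nozomi Arc code or any product's logic: it parses a constructed login/logout log in a hypothetical `<timestamp> <site> <host> <LOGIN|LOGOUT> <user>` format, builds per-host sessions, and flags a user whose session at one site starts sooner after a session at a distant site than travel would allow (two overlapping sessions are the limiting case). The site coordinates, hosts and user names are all made up.

```python
"""Concurrent-session ("impossible travel") check over constructed OT login events.

Added example, not vendor code. Assumes a hypothetical log format:
    <ISO 8601 UTC timestamp> <site> <host> <LOGIN|LOGOUT> <user>
and a hypothetical table of site coordinates.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Hypothetical plant sites (lat, lon); the two are roughly 2,400 miles apart.
SITES = {
    "plant-east": (40.71, -74.01),
    "plant-west": (34.05, -118.24),
}

# Constructed log lines, not real data.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z plant-east ews-01 LOGIN jsmith
2024-03-04T08:10:00Z plant-east hmi-02 LOGIN akumar
2024-03-04T08:40:00Z plant-west hmi-07 LOGIN jsmith
2024-03-04T09:15:00Z plant-east ews-01 LOGOUT jsmith
2024-03-04T09:30:00Z plant-east hmi-02 LOGOUT akumar
2024-03-04T10:00:00Z plant-west hmi-07 LOGOUT jsmith
2024-03-04T16:05:00Z plant-west ews-03 LOGIN akumar
2024-03-04T17:00:00Z plant-west ews-03 LOGOUT akumar
"""


@dataclass(frozen=True)
class Session:
    user: str
    site: str
    host: str
    start: datetime
    end: datetime


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sessions(log_text: str) -> list[Session]:
    """Pair LOGIN/LOGOUT lines per (user, host) into sessions. A login with no
    matching logout is treated as still active at the last timestamp in the log."""
    open_sessions: dict[tuple[str, str], tuple[str, datetime]] = {}
    sessions: list[Session] = []
    last_ts = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, site, host, action, user = line.split()
        t = parse_ts(ts)
        last_ts = t
        key = (user, host)
        if action == "LOGIN":
            open_sessions[key] = (site, t)
        elif action == "LOGOUT" and key in open_sessions:
            site0, start = open_sessions.pop(key)
            sessions.append(Session(user, site0, host, start, t))
    for (user, host), (site, start) in open_sessions.items():
        sessions.append(Session(user, site, host, start, last_ts))
    return sessions


def haversine_miles(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in statute miles."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(h))


def impossible_sessions(sessions, min_miles=500.0, max_mph=600.0):
    """Return (earlier, later) pairs of one user's sessions at sites at least
    min_miles apart where the later session starts sooner after the earlier one
    ends than travel at max_mph allows. Overlapping sessions (gap <= 0) always qualify."""
    by_user: dict[str, list[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    findings = []
    for user_sessions in by_user.values():
        user_sessions.sort(key=lambda s: s.start)
        for i, a in enumerate(user_sessions):
            for b in user_sessions[i + 1:]:
                if a.site == b.site:
                    continue
                miles = haversine_miles(SITES[a.site], SITES[b.site])
                if miles < min_miles:
                    continue
                gap_hours = max(0.0, (b.start - a.end).total_seconds() / 3600)
                if gap_hours * max_mph < miles:
                    findings.append((a, b))
    return findings


def scan(log_text: str = SAMPLE_LOG):
    return impossible_sessions(build_sessions(log_text))


if __name__ == "__main__":
    for a, b in scan():
        print(f"ALERT {a.user}: {a.host}@{a.site} {a.start:%H:%M}-{a.end:%H:%M} "
              f"conflicts with {b.host}@{b.site} starting {b.start:%H:%M}")
```

On the constructed log, jsmith is logged in at both plants at once and is flagged; akumar's two sessions are more than six hours apart and pass. The `max_mph` threshold is what separates "physically impossible" from merely "unusual", so tune it to how your people actually move between sites rather than leaving it at the airline-speed default.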

End-to-End Security Strategies for Insider Threats in ICS

Insider threat defense strategies look a lot like general OT cybersecurity strategies, and defense in depth is always best, but some techniques are critical for detecting insider threats, especially non-malicious ones.  

Normally defense starts with physical access control, where the standard barrier is badges. But we’re talking about insiders, who by definition all have badges. Moreover, as discussed, in industrial environments contractors, vendors and other outsiders with unfamiliar faces all have badges, too. So, we need to heavily discount this control or simply acknowledge that it’s not much of a barrier.

Digital Access and Credentials

With weak physical access control, your first line of defense is digital access controls. You want rigorous enforcement of role-based, least-privilege access controls that extend to vendors and contractors, who may insist on using their own less-secure remote access tools tied to other functions. Overcoming that hurdle may involve insisting they strengthen their own security.  

Curtailing the use of default manufacturer credentials and shared credentials is another clear opportunity for ICS security teams, as is deactivating credentials promptly when an employee, contractor or vendor is no longer engaged. Finally, companywide security awareness training can help prevent credential theft via phishing attacks, which prey on distracted insiders.  

Network Monitoring

Real-time ICS network monitoring and threat detection are table stakes today. They give you foundational visibility for your entire OT security strategy. But to detect insider threats, it’s insufficient to monitor networks without also monitoring endpoints. Even then, monitoring OT networks and endpoints in parallel silos won’t give you the real-time correlation you need; the two must work together in real time to provide defense in depth. You can’t wait for the collected data to meet in the SIEM, where correlation may come 30 to 60 minutes after an event. That’s ample latency for an insider to cause harm.

OT Endpoint Monitoring

To reiterate, endpoint monitoring is essential for detecting insider threat activity before it’s too late. The important thing for industrial environments is that the agents must be purpose built for OT devices; that is, lightweight, able to read industrial protocols, trained on your environment to recognize baselines, and so on.  

Network Segmentation

Given the number of OT devices that can’t be patched, segmentation in industrial environments is a major compensating control that should also be table stakes by now. Unfortunately, ICS networks are often under-segmented, even between OT and IT networks, where so many threats originate. You also want to be able to visualize your network traffic, including segmentation, to confirm that your policies are working as designed.

Behavioral Analytics

Standard signature-based threat detection techniques compare incoming data to a database of known signatures, or strings of data associated with known malicious activities. That doesn’t work for detecting insider threats. Instead, you need AI-driven behavioral analytics to detect anomalies from the baseline, in this case anomalous, suspicious or malicious insider activity. Nozomi Networks’ network, endpoint, wireless and remote sensors all rely on advanced machine learning to develop process and security profiles specific to each ICS and create a baseline of normal communication. They then detect unknown threats by constantly looking for deviations from the baseline, filtering out alerts for benign behavior. The result is the rapid detection of cyberattacks and critical process anomalies.
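To make the baseline-and-deviation idea concrete, here is an added example in Python. It is not Nozomi code, and it deliberately replaces the machine-learning profiling described above with the simplest possible learned profile (the observed value range and the set of hosts seen writing each PLC register) so the detection logic is visible. It also does the network-plus-endpoint correlation the earlier sections call for: each alert on a control write seen on the network is joined to the endpoint sensor's record of who was logged in on the issuing host at that moment, which is what turns "a setpoint changed" into "this person changed it". All PLCs, hosts, users, registers and events are constructed.

```python
"""Learned-baseline anomaly detection on constructed control writes, correlated with
endpoint login records. Added example, not vendor code; the baseline here (value
range + writer hosts per register) is a toy stand-in for ML process profiling."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


def ts(text: str) -> datetime:
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Write:          # a register write observed by network monitoring
    ts: datetime
    src: str          # host that issued the write
    plc: str
    register: int
    value: float


@dataclass(frozen=True)
class Login:          # endpoint sensor's view: who was logged in where, and when
    host: str
    user: str
    start: datetime
    end: datetime


# Constructed learning-phase traffic: operators adjusting a dosing setpoint
# (hypothetical register 40010 on "plc-dosing") within 90..110.
LEARN = [
    Write(ts("2024-03-01T08:00"), "hmi-02", "plc-dosing", 40010, 100.0),
    Write(ts("2024-03-01T14:30"), "hmi-02", "plc-dosing", 40010, 95.0),
    Write(ts("2024-03-02T07:15"), "hmi-01", "plc-dosing", 40010, 110.0),
    Write(ts("2024-03-02T19:45"), "hmi-02", "plc-dosing", 40010, 90.0),
]

# Constructed detection-phase traffic.
DETECT = [
    Write(ts("2024-03-04T09:05"), "hmi-02", "plc-dosing", 40010, 105.0),   # normal
    Write(ts("2024-03-04T09:12"), "hmi-02", "plc-dosing", 40010, 1100.0),  # far out of range
    Write(ts("2024-03-04T09:40"), "ews-05", "plc-dosing", 40010, 100.0),   # in range, new writer
    Write(ts("2024-03-04T09:41"), "ews-05", "plc-dosing", 40020, 1.0),     # register never seen
]

# Constructed endpoint session records for the same window.
LOGINS = [
    Login("hmi-02", "akumar", ts("2024-03-04T08:00"), ts("2024-03-04T12:00")),
    Login("ews-05", "vendor-tech", ts("2024-03-04T09:30"), ts("2024-03-04T10:30")),
]


@dataclass
class Baseline:
    ranges: dict = field(default_factory=dict)   # (plc, register) -> (min, max)
    writers: dict = field(default_factory=dict)  # (plc, register) -> {src hosts}

    def learn(self, w: Write) -> None:
        key = (w.plc, w.register)
        lo, hi = self.ranges.get(key, (w.value, w.value))
        self.ranges[key] = (min(lo, w.value), max(hi, w.value))
        self.writers.setdefault(key, set()).add(w.src)

    def check(self, w: Write, margin: float = 0.10) -> list[str]:
        """Return reasons this write deviates from the baseline (empty if none).
        margin widens the learned range by a fraction of its span on each side."""
        key = (w.plc, w.register)
        if key not in self.ranges:
            return ["never-written register"]
        reasons = []
        lo, hi = self.ranges[key]
        slack = margin * (hi - lo)
        if not (lo - slack <= w.value <= hi + slack):
            reasons.append(f"value {w.value} outside learned {lo}..{hi}")
        if w.src not in self.writers[key]:
            reasons.append(f"new writer {w.src}")
        return reasons


def users_on(logins: list[Login], host: str, at: datetime) -> list[str]:
    return [l.user for l in logins if l.host == host and l.start <= at <= l.end]


def detect(baseline: Baseline, writes, logins, margin: float = 0.10) -> list[dict]:
    """Check each network-observed write against the baseline and attach the
    endpoint view of who was logged in on the issuing host at that time."""
    alerts = []
    for w in writes:
        reasons = baseline.check(w, margin)
        if reasons:
            alerts.append({"ts": w.ts, "src": w.src, "plc": w.plc, "register": w.register,
                           "value": w.value, "reasons": reasons,
                           "users": users_on(logins, w.src, w.ts)})
    return alerts


def run_example() -> list[dict]:
    b = Baseline()
    for w in LEARN:
        b.learn(w)
    return detect(b, DETECT, LOGINS)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['ts']:%H:%M} {a['src']} -> {a['plc']}:{a['register']}={a['value']} "
              f"users={a['users']} reasons={a['reasons']}")
```

The three alerts it produces map onto the scenarios above: the 1100 write from hmi-02 is the operator-error or malicious-setpoint case and is attributed to akumar; the in-range write from ews-05 is flagged only because that workstation was never seen writing the register, and is attributed to the vendor technician logged in there. A real profile would be learned over weeks and would carry far more than a min/max, but the correlation step is the same: the network sensor sees the command, the endpoint sensor says whose hands were on the keyboard.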

Incident Response Plans

Your InfoSec team likely has solid incident response plans for insider threats on the IT side, probably heavy on automated responses. Given the potential physical impact of an insider OT incident, you need to create tailored OT-focused plans that instead rely on humans to quickly identify and contain insider breaches involving specific equipment and process controls. What’s the plan if a malicious employee or contractor just compromised a PLC or HMI? It depends on the PLC, HMI and process controlled.

Shedding Light on Industrial Insider Threats

The 2022 Ponemon report cited above studied 278 global organizations that had experienced one or more insider threats. They included both commercial and public sector organizations, with no further breakdown. Scant data is available specific to insider threats in critical infrastructure or industrial settings. Incidents are either underreported or not detected at all, and certainly understudied.

Common wisdom says that admitting you have a problem is the first step to solving it. Apart from the occasionally cited Maroochy incident, we don’t know whether insider threats are a problem in industrial environments and, if so, how big a problem. We know they occur. If we start talking about them and sharing mitigation strategies, perhaps next year we’ll have more insights and better defenses.