
The Threat of the “Malicious Insider” in Industrial Operation and Critical Infrastructure Environments

What is a malicious insider, and what can be done to combat this type of threat? We list the most common actions and how to avoid them.

It is difficult to translate the term “malicious insider” into Spanish, but with some imagination, and put into context, it can be concluded that this type of threat refers to the presence of people in an organization (either internal, such as employees, or external, such as suppliers, engineering firms, integrators and contractors) who, through carelessness, ignorance and/or bad faith, perform an “action” that affects the security of the processes, systems or facilities of an industrial operation environment or critical infrastructure.

Among these “actions,” we could list the following: carrying out bad practices while having access to critical systems with administrator privileges; using USB devices not authorized by the organization that contain malware; carrying out malicious actions enabled by detailed knowledge of the diagrams and configurations of the industrial network; carrying out actions provoked by social engineering; ignoring the policies, procedures, standards and best practices that have been designed; and so on.
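One of the actions listed above, the use of USB storage devices not authorized by the organization, is something a defender can actually check for in host logs. The following is an added example, not code from the original post: it assumes Linux-based HMI or engineering workstations whose kernel USB messages are forwarded to a central syslog, parses those messages for mass-storage devices, and flags any whose (vendor, product, serial) triple is not on an inventory allowlist. The log lines, hostnames, vendor/product ids, serial numbers and the allowlist are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the style of Linux kernel USB messages as they
# appear in syslog (not real captures). Three devices are inserted:
#   hmi-01    port 1-2: the organization-issued drive (on the allowlist)
#   eng-ws-02 port 2-1: a personal USB stick (not on the allowlist)
#   hmi-01    port 1-3: a mouse, no serial, not a storage device
SAMPLE_LOG = """\
Mar 03 08:12:41 hmi-01 kernel: usb 1-2: new high-speed USB device number 4 using xhci_hcd
Mar 03 08:12:41 hmi-01 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar 03 08:12:41 hmi-01 kernel: usb 1-2: SerialNumber: 4C530001234567891234
Mar 03 08:12:41 hmi-01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar 03 09:47:10 eng-ws-02 kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Mar 03 09:47:10 eng-ws-02 kernel: usb 2-1: SerialNumber: E0D55EA57412F3A0C9A2
Mar 03 09:47:10 eng-ws-02 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
Mar 03 10:05:22 hmi-01 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
"""

# Constructed inventory: (idVendor, idProduct, SerialNumber) of drives the
# organization has issued. A real allowlist would come from the asset inventory.
ALLOWLIST = {
    ("0781", "5567", "4C530001234567891234"),
}

NEW_DEVICE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL = re.compile(
    r"^\S+ \d+ \S+ (?P<host>\S+) kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)"
)
STORAGE = re.compile(
    r"^\S+ \d+ \S+ (?P<host>\S+) kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: "
    r"USB Mass Storage device detected"
)


@dataclass
class UsbDevice:
    host: str
    port: str
    first_seen: str
    vid: str
    pid: str
    serial: str = ""        # stays empty if the kernel never logged a SerialNumber line
    is_storage: bool = False


def parse_usb_events(log_text):
    """Reassemble per-device records from the multi-line kernel USB messages.

    Devices are tracked by (host, port); a new device on an already-seen port
    closes out the previous record so that re-insertions are not lost.
    """
    finished, current = [], {}
    for line in log_text.splitlines():
        m = NEW_DEVICE.match(line)
        if m:
            key = (m["host"], m["port"])
            if key in current:
                finished.append(current.pop(key))
            current[key] = UsbDevice(m["host"], m["port"], m["ts"], m["vid"], m["pid"])
            continue
        m = SERIAL.match(line)
        if m and (m["host"], m["port"]) in current:
            current[(m["host"], m["port"])].serial = m["serial"]
            continue
        m = STORAGE.match(line)
        if m and (m["host"], m["port"]) in current:
            current[(m["host"], m["port"])].is_storage = True
    return finished + list(current.values())


def find_unauthorized_storage(log_text, allowlist):
    """Return mass-storage devices whose identity triple is not in the allowlist.

    A storage device with no serial number is also flagged: an empty serial
    cannot match an inventory entry, which is the safe default.
    """
    return [
        d for d in parse_usb_events(log_text)
        if d.is_storage and (d.vid, d.pid, d.serial) not in allowlist
    ]


if __name__ == "__main__":
    for d in find_unauthorized_storage(SAMPLE_LOG, ALLOWLIST):
        print(f"ALERT {d.first_seen} {d.host} port {d.port}: unauthorized USB storage "
              f"idVendor={d.vid} idProduct={d.pid} serial={d.serial or '<none>'}")
```

Matching on the full (vendor, product, serial) triple rather than vendor and product alone matters: two drives of the same model are indistinguishable otherwise, and a vendor-only allowlist would wave through any stick from a common manufacturer. The same parsing would feed a SIEM rule just as well as a batch script; what the organization does with the alert is a matter for the policies and procedures discussed below.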

This type of threat has been analyzed by institutions such as US-CERT. In fact, in May 2014 a whitepaper was published with the title “Combating the Insider Threat”. From this publication, we would highlight the description of the profile of an “Insider Threat”, which we reproduce below.

[Figure: insider risks (profile of an Insider Threat, from the US-CERT whitepaper)]

The question that arises naturally is: What can be done to combat this type of threat?

From our point of view, the following three areas should be worked on:

  1. The design and, very importantly, the correct communication of policies and procedures.
  2. Holding awareness and training sessions in the field of industrial cybersecurity.
  3. The implementation of initiatives that bring together the efforts and understanding of those responsible for IT security and OT security.

It is not an easy task; people are the weakest link in the chain that secures an organization’s OT environment, but some specific action must be taken if we want to mitigate and/or eliminate this important threat.