Insider Threat to Utilities – More Focus Needed on Critical Components

Last week the Unites States’ Department of Homeland Security (DHS) released a report on “Insider Threat to Utilities” that has been getting a lot of attention in the mainstream media. While released “For Official Use Only (FOUO)”, the report has been posted on the Internet and portions of it have received considerable media coverage.

Unfortunately media coverage so far tends to focus on the dramatic, such as the potential threat of Al-Qaeda attacks on the ten year anniversary of 9/11, and don’t actually help utility owner operators secure their systems.  In this article I share my thoughts on how critical infrastructure operators need to extend the report’s recommendations to include additional protective measures.

The report contains the following sections:

  • Key Findings
  • Insider Threat (Definition and Example Incidents)
  • Cyber Attacks (Definition and Example Incidents)
  • Violent Extremists with Insider Access (Definition and Example Incidents)
  • Protective Measures
  • Outlook

and it describes many interesting security incidents. One unclassified incident that I was unaware of is:

“In April 2011, a lone water treatment plant employee allegedly manually shut down operating systems at a wastewater utility in Mesa, Arizona in an attempt to cause a sewage backup to damage equipment and create a buildup of methane gas. Automatic safety features prevented the methane buildup and alerted authorities, who apprehended the employee without incident.”

This incident highlights the important role of Safety Integrated Systems (SIS) in protecting plant processes and people.

Protecting Critical Infrastructure – Report Misses Key Protective Measures

The portion of the report that interested me most was the section on Protective Measures. In general, these are solid, but basic protective measures that are standard guidance in the IT industry.

My concern is that the measures described do not sufficiently emphasize protection for critical SCADA and ICS components, such as SIS. Following are additional measures that I believe should be included in the U.S. DHS’s report list.

a.    Put extra measures in place for critical systems such as Safety Integrated Systems (SIS).

The report recommends managing all staff and information flow in and out of an entire utility.

This may or may not be feasible or affordable.  What is feasible and what should be emphasized, is managing people and information access to critical systems or assets.

For example, to secure an SIS, the industrial network should be segmented into zones, as per ANSI / ISA-99 Standards, and protected with a firewall that protects communications between the control system and the safety system1.

b.    Monitoring and analysis of internal information flows.

Too much attention is placed on the utility/corporate boundaries, and not enough attention is placed on monitoring and analyzing internal information flows.  By the time critical information is at the boundaries, it is often either too late or it is in a form that cannot be detected.

For example, consider the Wikileaks case of Bradley Manning and his reported carrying of sensitive U.S. military and diplomatic data out on a CD. His transfer of 251,287 documents over the network to his personal computer would have created a far more detectable signature than his carrying of a music CD out of a facility.

Similarly, it is generally believed that Stuxnet was introduced into the five Iranian organizations via a USB key, a very difficult pathway to control. However once inside a facility, its activity creates very noticeable changes to network traffic patterns, allowing potential detection, even before the worm was formally identified.

c.    Identification and control of secondary pathways.

As noted above, CD, USB keys, laptops and other secondary pathways exist in all utilities. There is a tendency to focus on the obvious network-based pathways and forget these other pathways. Managing these information flows is critical in the case of insider threats.

(For more information on secondary pathways, see the article: “The Many Paths of Stuxnet – How Robust are Today’s Best Practice Systems?”)

Focus needs to be put on Internal Controls as much as Boundary Controls

In summary, I believe that a utility owner/operator who is not a security expert would read this otherwise good report and then place too much focus on boundary controls, rather than internal controls.

Greater emphasis should be placed on:

  • internal dataflow risk analysis and
  • internal digital flow monitoring

Finally, focused mitigation of specific critical system risks, such as Safety Integrated Systems, needs to be stressed.

A blanket approach to utility security is not economically or technically viable. If we are going to have secure ICS and SCADA systems we need to get focused on the truly critical components.

1 Examples of such a firewall are the Tofino Industrial Security Solution and the Triconex Tofino Firewall.

Related Content to Download

PDF "Building Intrinsically Secure Control and Safety Systems Using ANSI/ISA99 Security Standards for Improved Security and Reliability"

Related Links


RSS Feed Subscribe to the "Practical SCADA Security" news feed



If you cannot see what is happening you do not know if you are in control.

On the topic of the document in question and the various sociopolitical engines behind it, I think it is about what you expect when things are going relatively well. I agree with your critique, but there is an Expertise Suppression Effect that exists around Official Bureaucracy (and we really wouldn't have it any other way).

The relatively ponderous motion of government is both an artifact of sheer size as well as a filter against wild ideas. It may not make good action film (better comedy, when it is going well ;~), but the pedantic pace of governmental and public/private consideration of such issues as ICS security masticates through topics and finds most of the contingencies that more rapid decisions might miss.

It is for us - the folks in the community which has highly evolved thoughts on specific solutions - to voice them broadly and directedly. There are not too many people in the meetings where governments thrash through these issues, more expert voices added will accelerate and improve the results experienced. There are not too many qualified people (and perhaps too many unqualified...) telling vendors and consumers of these systems how to go through the process of bringing them to a reasonably secure state.

Evangelism is more than a marketing activity in this environment, it is a large part of the solution. Folks are not going to know what best practices are unless the people developing them submit to the fact that they will be mostly repeating themselves for the next decade.

Governments will always by definition be behind, even when they are working well. When the expertise in the private sector lends them a hand they can at least stay visible in the mirror. Rants like this that help keep them in view. ;~)

Add new comment