Insider Threat to Utilities – More Focus Needed on Critical Components

Last week the Unites States’ Department of Homeland Security (DHS) released a report on “Insider Threat to Utilities” that has been getting a lot of attention in the mainstream media. While released “For Official Use Only (FOUO)”, the report has been posted on the Internet and portions of it have received considerable media coverage.

Unfortunately media coverage so far tends to focus on the dramatic, such as the potential threat of Al-Qaeda attacks on the ten year anniversary of 9/11, and don’t actually help utility owner operators secure their systems.  In this article I share my thoughts on how critical infrastructure operators need to extend the report’s recommendations to include additional protective measures.

The report contains the following sections:

• Key Findings
• Insider Threat (Definition and Example Incidents)
• Cyber Attacks (Definition and Example Incidents)
• Violent Extremists with Insider Access (Definition and Example Incidents)
• Protective Measures
• Outlook

and it describes many interesting security incidents. One unclassified incident that I was unaware of is:

“In April 2011, a lone water treatment plant employee allegedly manually shut down operating systems at a wastewater utility in Mesa, Arizona in an attempt to cause a sewage backup to damage equipment and create a buildup of methane gas. Automatic safety features prevented the methane buildup and alerted authorities, who apprehended the employee without incident.”

This incident highlights the important role of Safety Integrated Systems (SIS) in protecting plant processes and people.

Protecting Critical Infrastructure – Report Misses Key Protective Measures

The portion of the report that interested me most was the section on Protective Measures. In general, these are solid, but basic protective measures that are standard guidance in the IT industry.

My concern is that the measures described do not sufficiently emphasize protection for critical SCADA and ICS components, such as SIS. Following are additional measures that I believe should be included in the U.S. DHS’s report list.

a.    Put extra measures in place for critical systems such as Safety Integrated Systems (SIS).

The report recommends managing all staff and information flow in and out of an entire utility.

This may or may not be feasible or affordable.  What is feasible and what should be emphasized, is managing people and information access to critical systems or assets.

For example, to secure an SIS, the industrial network should be segmented into zones, as per ANSI / ISA-99 Standards, and protected with a firewall that protects communications between the control system and the safety system¹.

b.    Monitoring and analysis of internal information flows.

Too much attention is placed on the utility/corporate boundaries, and not enough attention is placed on monitoring and analyzing internal information flows.  By the time critical information is at the boundaries, it is often either too late or it is in a form that cannot be detected.

For example, consider the Wikileaks case of Bradley Manning and his reported carrying of sensitive U.S. military and diplomatic data out on a CD. His transfer of 251,287 documents over the network to his personal computer would have created a far more detectable signature than his carrying of a music CD out of a facility.

Similarly, it is generally believed that Stuxnet was introduced into the five Iranian organizations via a USB key, a very difficult pathway to control. However once inside a facility, its activity creates very noticeable changes to network traffic patterns, allowing potential detection, even before the worm was formally identified.

c.    Identification and control of secondary pathways.

As noted above, CD, USB keys, laptops and other secondary pathways exist in all utilities. There is a tendency to focus on the obvious network-based pathways and forget these other pathways. Managing these information flows is critical in the case of insider threats.

(For more information on secondary pathways, see the article: “The Many Paths of Stuxnet – How Robust are Today’s Best Practice Systems?”)

Focus needs to be put on Internal Controls as much as Boundary Controls

In summary, I believe that a utility owner/operator who is not a security expert would read this otherwise good report and then place too much focus on boundary controls, rather than internal controls.

Greater emphasis should be placed on:

• internal dataflow risk analysis and
• internal digital flow monitoring

Finally, focused mitigation of specific critical system risks, such as Safety Integrated Systems, needs to be stressed.

A blanket approach to utility security is not economically or technically viable. If we are going to have secure ICS and SCADA systems we need to get focused on the truly critical components.

₁ Examples of such a firewall are the Tofino Industrial Security Solution and the Triconex Tofino Firewall.

Related Content to Download

"Building Intrinsically Secure Control and Safety Systems Using ANSI/ISA99 Security Standards for Improved Security and Reliability"

Related Links

• ANSI/ISA-99 Standards
• Controlling Stuxnet – No More Flat Networks PLEASE. Let's Embrace "Security Zones"
• Using Tofino Security to Control Stuxnet - New Application Note

Subscribe to the "Practical SCADA Security" news feed