Insider Threats Shouldn’t be Overlooked in India’s Critical Infrastructure Security

Authored by Dick Bussiere, Technical Director, Tenable APAC

Critical infrastructure is the bedrock of India’s modern society. Essential services such as transportation, power and energy, healthcare, telecommunications and more, are key to the nation’s social and economic development. 

There’s an unspoken expectation that these critical services work seamlessly, yet a successful cyberattack on them can throw a spanner in the works: it can significantly impact the nation’s security and economy and deny citizens access to basic services. When world leaders met at Davos for the World Economic Forum earlier this year, cyber threats to critical national infrastructure were listed as a top 10 global threat.

These threats take centre stage as digital transformation initiatives roll out across India, interconnecting operational technology (OT) and IT networks to optimise production and drive innovation. That interconnection enlarges the attack surface and makes an organisation more susceptible to threats. However, not all threats are external; some of the danger comes from within the organisation.

What are insider threats?

Insider threats are users with legitimate access to an organisation’s network and resources who use that access to harm the organisation, whether accidentally or intentionally. In both cases the result can bring an organisation to its knees. These users can be employees, partners or contractors, past and present.

Insider threats are often a greater, unsolved risk in most organisations compared to external threats because they come from a trusted source. Organisations trying to detect insider threats face the challenge of not only differentiating attacks from "normal" traffic but also ensuring they are not inundated with false positives from users performing legitimate tasks.

To understand how insider threats can be handled effectively, let’s explore the key motivations and circumstances of these instances.

  1. Malicious intent/ malicious insider: A disgruntled or self-interested employee sets out to exfiltrate information for personal benefit or to cause reputational damage.
  2. Human error or negligence: A typical scenario is an employee who leaves an entry point open by mistake, which attackers can then exploit. In OT, a user who accidentally alters an industrial process or piece of equipment can likewise cause severe cyber risk, damage and downtime.
  3. Account compromise: An unsuspecting employee is tricked by an outsider into divulging credentials or other confidential information through social engineering, such as a phishing email or a fake call requesting an ID and password. The attacker then uses the insider’s legitimate access to carry out the attack.

Securing organisations from insider threats

Security teams should educate employees and build awareness of cyber threats; informed employees are better placed to notice and report malicious or anomalous activity. Awareness alone is not a plan, however: companies must also have controls in place to defend against the multitude of insider threats. Here are three ways organisations can protect OT environments from insider threats.

  • Perform risk assessments: A risk assessment identifies and addresses weaknesses such as over-privileged accounts, insiders with access to resources they do not need for their jobs, and stray accounts still belonging to past employees, contractors and partners.
  • Know and monitor attack vectors: The two primary vectors for insider attacks are the network and devices operated off-network. The latter occurs when a user plugs a device directly into an industrial controller to distribute malware or upload new code, or uses a local control console. Such changes never cross the network, so they can propagate quickly and evade passive, network-based detection. Continuous monitoring of both network activity and device integrity gives the best chance of detecting such an attack before it spreads.
  • Adopt a unified approach to IT and OT security: Since IT and OT environments are often interconnected, an attack that originates on the IT network can move laterally into the OT environment and vice versa. Establish visibility across both by integrating security tools, and therefore the data they generate, so that lateral movement can be detected. Remember, too, that a large percentage of the devices residing on an OT network are based on IT equipment; a concrete example is a Human Machine Interface (HMI) running on a Microsoft Windows platform.
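As an added illustration of the risk-assessment step (this is example code written for this page, not Tenable’s or the author’s), the following Python script audits a constructed account inventory against a hypothetical role-to-entitlement model and flags the three conditions listed above: accounts holding permissions their role does not require, accounts of people whose engagement has ended but which are still enabled, and accounts nobody has used for months. The role names, permissions, accounts and audit date are all assumptions made for the example.

```python
"""Insider-risk account audit over a constructed access inventory.

Flags the conditions a risk assessment looks for: permissions beyond what
a role needs, accounts of people who have left but are still enabled, and
accounts nobody has used for a long time.  Every name below is constructed
for this example.
"""
from datetime import date

# Assumed role model (hypothetical): the permissions each job role needs.
# An account whose role is not listed here has every grant treated as excess.
ROLE_ENTITLEMENTS = {
    "operator":       {"hmi_view", "hmi_control"},
    "engineer":       {"hmi_view", "hmi_control", "plc_program", "historian_read"},
    "vendor_support": {"hmi_view", "remote_access"},
    "analyst":        {"historian_read"},
}

# Permissions that can change process logic or identity; excess here is high severity.
HIGH_RISK = {"plc_program", "domain_admin", "remote_access"}

# Constructed account inventory, as an IAM export or spreadsheet would provide it.
ACCOUNTS = [
    {"user": "asha.r", "role": "operator", "active": True,
     "grants": {"hmi_view", "hmi_control"},
     "last_login": date(2024, 3, 1), "end_date": None},
    {"user": "vik.m", "role": "operator", "active": True,
     "grants": {"hmi_view", "hmi_control", "plc_program"},   # operator who can reprogram PLCs
     "last_login": date(2024, 3, 2), "end_date": None},
    {"user": "contractor7", "role": "vendor_support", "active": True,
     "grants": {"hmi_view", "remote_access"},
     "last_login": date(2023, 6, 10), "end_date": date(2023, 7, 31)},  # left, still enabled
    {"user": "old.eng", "role": "engineer", "active": True,
     "grants": {"hmi_view", "plc_program", "domain_admin"},   # domain admin, unused for a year
     "last_login": date(2023, 1, 15), "end_date": None},
    {"user": "svc_hist", "role": "analyst", "active": True,
     "grants": {"historian_read"},
     "last_login": date(2024, 3, 1), "end_date": None},
]

TODAY = date(2024, 3, 3)  # assumed audit date, fixed so the run is reproducible


def audit_accounts(accounts, today=TODAY, dormant_days=90):
    """Return a list of findings as (user, issue, severity, detail) tuples."""
    findings = []
    for acct in accounts:
        required = ROLE_ENTITLEMENTS.get(acct["role"], set())
        excess = acct["grants"] - required
        if excess:
            severity = "high" if excess & HIGH_RISK else "medium"
            findings.append((acct["user"], "excess_privilege", severity,
                             "beyond role: " + ", ".join(sorted(excess))))
        if acct["active"] and acct["end_date"] and acct["end_date"] <= today:
            findings.append((acct["user"], "orphaned", "high",
                             f"engagement ended {acct['end_date']}, account still enabled"))
        idle = (today - acct["last_login"]).days
        if acct["active"] and idle > dormant_days:
            findings.append((acct["user"], "dormant", "medium",
                             f"no login for {idle} days"))
    return findings


def issues_by_user(findings):
    """Collapse findings to {user: set of issue names} for quick review."""
    summary = {}
    for user, issue, _severity, _detail in findings:
        summary.setdefault(user, set()).add(issue)
    return summary


if __name__ == "__main__":
    for user, issue, severity, detail in audit_accounts(ACCOUNTS):
        print(f"{severity:6} {user:12} {issue:16} {detail}")
```

Running it lists vik.m and old.eng as over-privileged (both hold high-risk grants), contractor7 as an orphaned account, and old.eng and contractor7 as dormant; asha.r and svc_hist produce no findings. In practice the inventory would come from the directory and the HR system rather than a hard-coded list, and each finding would feed a removal or re-certification ticket.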

Improve security through continuous monitoring and visibility

With enormous pressure to curb external threats, insider threats from employees, partners and contractors are easily overlooked. Identifying and combating them is also challenging, because most cybersecurity programmes focus on keeping bad actors out of the company’s network.

Effectively securing connected OT and IT environments against insider threats is a work in progress, not something that will be fixed overnight. Implementing IT best practices for insider threat prevention in OT environments, and unifying controls and visibility across both infrastructures, is the best recipe for protection.
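The device-integrity monitoring mentioned under the attack-vector point above can be shown concretely. The Python below is an added example written for this page, not the article’s or Tenable’s code: it compares the firmware version and program hash read back from each controller with a trusted baseline, and uses change-management windows to separate approved changes from modifications made through a USB port or local console, which passive network monitoring would never see. Controller names, program contents, timestamps and change windows are constructed for the example.

```python
"""Controller integrity check against a trusted baseline.

A program loaded through a USB port or a local console never crosses the
network, so the only way to notice it is to re-read the controller's state
and compare it with a baseline captured after the last approved change.
All controller data and change records below are constructed.
"""
import hashlib
from datetime import datetime


def program_digest(program_bytes: bytes) -> str:
    """SHA-256 of the controller program as read back from the device."""
    return hashlib.sha256(program_bytes).hexdigest()


# Trusted baseline taken after the last approved change (constructed data).
BASELINE = {
    "PLC-01": {"firmware": "2.8.1", "program": program_digest(b"pump skid logic rev 12")},
    "PLC-02": {"firmware": "2.8.1", "program": program_digest(b"feeder logic rev 4")},
    "PLC-03": {"firmware": "3.1.0", "program": program_digest(b"boiler interlock rev 7")},
    "PLC-04": {"firmware": "3.1.0", "program": program_digest(b"conveyor logic rev 2")},
    "PLC-05": {"firmware": "3.1.0", "program": program_digest(b"dosing logic rev 1")},
}

# Snapshot just read from the controllers, including each device's own
# last-modified timestamp (constructed data).  PLC-05 did not answer.
CURRENT = {
    "PLC-01": {"firmware": "2.8.1", "modified": datetime(2024, 3, 2, 22, 40),
               "program": program_digest(b"pump skid logic rev 12 + interlock bypass")},
    "PLC-02": {"firmware": "2.8.1", "modified": datetime(2024, 3, 2, 10, 15),
               "program": program_digest(b"feeder logic rev 5")},
    "PLC-03": {"firmware": "3.1.2", "modified": datetime(2024, 3, 1, 14, 0),
               "program": program_digest(b"boiler interlock rev 7")},
    "PLC-04": {"firmware": "3.1.0", "modified": datetime(2024, 1, 20, 9, 0),
               "program": program_digest(b"conveyor logic rev 2")},
    "PLC-09": {"firmware": "2.0.0", "modified": datetime(2024, 3, 2, 23, 5),
               "program": program_digest(b"never seen before")},
}

# Approved change windows exported from change management (constructed).
APPROVED_WINDOWS = {
    "PLC-02": [(datetime(2024, 3, 2, 8, 0), datetime(2024, 3, 2, 12, 0))],
}


def in_approved_window(asset, when, windows):
    """True if the modification time falls inside an approved window for the asset."""
    return any(start <= when <= end for start, end in windows.get(asset, []))


def check_integrity(baseline, current, windows):
    """Classify every controller seen in either the baseline or the snapshot."""
    results = {}
    for asset in sorted(set(baseline) | set(current)):
        if asset not in baseline:
            results[asset] = "unknown_asset"        # appeared without any change record
            continue
        if asset not in current:
            results[asset] = "unreachable"          # known device did not answer
            continue
        base, now = baseline[asset], current[asset]
        changed = []
        if base["program"] != now["program"]:
            changed.append("program")
        if base["firmware"] != now["firmware"]:
            changed.append("firmware")
        if not changed:
            results[asset] = "ok"
        elif in_approved_window(asset, now["modified"], windows):
            results[asset] = "approved_change:" + "+".join(changed)
        else:
            results[asset] = "unauthorized_change:" + "+".join(changed)
    return results


if __name__ == "__main__":
    for asset, status in check_integrity(BASELINE, CURRENT, APPROVED_WINDOWS).items():
        print(f"{asset}: {status}")
```

Here PLC-01 is reported as an unauthorised program change made late at night, PLC-03 as an unauthorised firmware change, PLC-02 as a change inside its approved window (after which the baseline should be refreshed), PLC-05 as unreachable and PLC-09 as a device nobody inventoried. Whether the read-back uses a vendor protocol, an engineering-tool export or a passive/active OT monitoring product, the comparison logic is the same, and it is the only control on this page that catches a change that never touched the network.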

Digital Terminal (digitalterminal.in)