Combating insider threats faced by utilities

Utilities within the U.S. energy sector are inundated with outside threats – often from angry customers, environmental groups, hacktivists, and criminals looking for targets of opportunity. These cyber and physical threats often focus on interrupting services or destroying critical equipment for the purposes of inflicting damage and embarrassing the utility.

In order to accomplish such an attack with any magnitude, the attacker needs knowledge of the equipment or system. This is often accomplished with surveillance, probing, and conducting reconnaissance of the potential target. As you might assume, this is time intensive, has a learning curve, and is risky in terms of the bad-actor getting noticed or caught by authorities.

As a result of numerous failed plots, criminal groups and terror organizations have turned to social engineering, baiting, and the use of insider resources to accomplish similar type attacks. This insider threat, or would-be pawn in an attack, could have significant access and provide a debilitating blow to a utility.

Someone having an engineering background who understands critical grid components could wreak havoc on a system, or even destroy equipment. It goes without saying, an employee with true insider knowledge of the electric transmission or distribution system can cause significant damage and system failure.

This tactic is not new. According to a 2011 Intelligence Note from the Department of Homeland Security’s (DHS) Office of Intelligence and Analysis (I&A), officials cautioned that “violent extremists have, in fact, obtained insider positions,” and that “outsiders have attempted to solicit utility-sector employees” for damaging physical and cyber-attacks (2011).

An insider threat is most commonly defined as a security threat that originates from within the organization being attacked or targeted, often by an employee of the organization or enterprise. An insider threat does not have to be a current employee or stakeholder, but can also be a former employee or anyone who at one time had access to proprietary or confidential information from within the organization.

Insiders pose the greatest threat, especially if they are working with a foreign state or other high level threat actors, because of their detailed knowledge of system operations and security practices. In addition, they often have legitimate physical and electronic access to key systems and the controls designed to protect them. Individuals with the highest level of access pose the greatest threat because they are already inside your organization, using legitimate credentials and permissions to access sensitive areas, thus evading detection from traditional security products. Furthermore, an individual with access to grid infrastructure could purposely or inadvertently introduce malware into a system through portable media or by falling victim to social engineering e-mails or other forms of communication.

Current events have recently shown that people with legitimate access can produce substantial harm. Today, we are aware of Edward Snowden, who released classified information about national surveillance programs, U.S. Army P.F.C. Bradley Manning who provided classified documents to WikiLeaks, and contractor Aaron Alexis who killed 12 people during a shooting at the Washington Navy Yard in 2013 while holding a security clearance.

We have also seen insider threat events play out in the utility sector. In April 2011, a lone water treatment plant employee is alleged to have manually shut down operating systems at a wastewater utility in Mesa, Ariz., in an attempt to cause a sewage backup to damage equipment and create a buildup of methane gas. Automatic safety features prevented the methane buildup and alerted authorities who apprehended the employee without incident. In January 2011, an employee recently fired from a US natural gas company allegedly broke in to a monitoring station of his former employer and manually closed a valve, disrupting gas service to nearly 3,000 customers for an hour.

Energy companies, as part of the nation’s critical infrastructure, are a target for threats from malicious outsiders intending to do harm and disrupt critical operations. While strong physical and cybersecurity measures typically are in place to deter and detect these types of events, historically similar measures have not been developed to address threats from insiders. Insiders, including employees, contingent workers, visitors and trusted third parties, often have unfettered access to sensitive and critical information, systems, and facilities for which there is minimal oversight or monitoring.

A 2008 report by DHS identified that many critical infrastructure and key resources (CIKR) operators lack an appropriate awareness of the threat insiders pose to their operations. Education and awareness presents the biggest potential return for policy by motivating CIKR operators and focusing their efforts to address the insider threat. Appropriate awareness will help to shape the insider threat policies and programs needed to address the unique insider risk profile of each CIKR operator.

Developing a risk-informed, responsive insider threat program that includes personnel surety, current threat assessments, workplace violence training, and forward leaning behavioral policies requires a strong commitment from senior management and those actively engaged in program development. A successful insider threat program must include active participation from a company’s physical security, personnel security, information technology, and human resources as well. Once you have executive buy-in, here are a few high-level items for consideration:

• Establishing a company culture that is threat-aware. Provide regular insider threat awareness training, as well as realistic training exercises. Create a safe environment in which to self-report actions that jeopardize security. Regular briefings by security department personnel on security policies, procedures, and emergency response will familiarize employees and set expectations.
• Create clear procedures for reporting violent or suspicious behavior. While working with your company’s General Counsel and Human Resources department, provide easy to understand procedures for alerting supervisors and security personnel. The program should seek to prevent insider attacks by capturing observable indicators of potential activity before insiders act. Intelligence on the insider threat generally comes from within the enterprise through either technical data or behavioral indicators.
• Clear lines of communication with law enforcement agencies and intelligence partners. Often times, employees who pose an internal threat to a company have been approached by known criminals and terrorists from the outside that law enforcement is already aware of. By maintaining constant dialogue and known relationships with law enforcement, utilities may add value to existing investigations and receive useful intelligence.
• Conduct a risk assessment. The organization should analyze the operational environment in order to discern the likelihood of an insider driven event and the impact that the event could have on the organization. Determine, analyze, and prioritize gaps.

Organizations have begun to acknowledge the importance of detecting and preventing insider threats. Just as it is vital to have methods to detect external threats, it’s also important to protect your organizations assets and systems from unauthorized insider misuse or destruction. Remember, you are never done! Insider threat is an ongoing and evolving issue and your program should constantly be updated as your policies mature and you learn from security events.