Insider Threats in the ICS Environment


September 16, 2020

Most people think of state-level actors when they think of threats to ICS networks. China, Russia, and others certainly represent threats to America’s critical infrastructure and to any operational network you may be running, but they aren’t necessarily the biggest threat to you.

The most prevalent threat, and the one most likely to cause you some type of disruption or harm this year, is the insider threat.

Insider threats come in many different forms, and those forms are really dependent on the environment. Most IT Security practitioners have preconceived notions of what an insider threat is, but there are aspects inside of an operations network that must be considered a high priority. If you have an incident on an IT network, there are certainly damages that can be done to a company, but an incident on an OT, ICS, SCADA, or other control network can cause:

  • Significant physical damage to facilities
  • Dangerous environmental incidents
  • Rapid and considerable loss of profits
  • Contamination and loss of improperly produced materials
  • Fires and explosions
  • Large scale injuries and loss of life

Yes, the stakes are very high when it comes to insider threats in the ICS environment.

It’s important to understand what an insider threat looks like inside of these environments before you can do anything to mitigate the threat. How are insider threats different in the ICS environment compared to an IT environment? First, let’s look at how we define insider threats in the ICS environment.

An insider threat is any action, malicious or non-malicious, by someone with legitimate access to a network that causes damage or harm.

Non-malicious threats cover a wide range of activities that can cause harm to an environment. The actions could be the result of a host of different factors like fatigue, stress, inattentiveness, or other factors that normally affect people. The actions could also be the result of someone making changes when they come on shift because they feel that they know more about the processes than others. And yes, each one of these examples represents a threat to the overall production, quality, and safety of operations. Any action that reduces productivity, quality, or safety is a direct threat to your organization.

Think about the effects of a bored operator, and how they can cause the loss of an entire batch of finished product, or several man-hours of lost time because they accidentally deleted a critical system file. It doesn’t take much for someone to accidentally overwrite a file, or delete something that they shouldn’t have, and those types of changes in an operational environment can quickly spiral out of control. If you don’t have role-based access set up, with specific parameters defining what each person is allowed to operate, then you are completely exposed to these types of incidents.

Non-malicious threats could also come from OEMs, system integrators, and other third parties that need access to your operational networks. They may be making changes to individual devices or to an entire system, but regardless of the scale, these changes can affect the stability of your networks or your production. Most operational networks are not well monitored, so knowing who is in your network and what they are doing is a key component to at least identifying who the threats are to your environment.

Malicious threats in the ICS environment are extremely dangerous. These represent people that are willing to cause harm, and their actions can be catastrophic. Malicious threats can be further broken down into those who want to steal from your organization, those who want to do harm to your organization, or those that want to do both.

Think about the amount of intellectual property that you have on your operational networks. There may be specific configuration files for how you operate, or specific recipes and formulas that you use to produce your product. That information is extremely valuable and is an asset to someone that will be leaving your organization soon. If you do not have some way to track activities and prevent movement of data, then you are completely exposed to these types of attacks. And make no mistake, these actions are a direct attack against your organization, and can result in significant financial or market loss.

A scenario that we see very often is a disgruntled, formerly trusted individual facing disciplinary action, curtailment, or some other action that will result in their termination. This happens often, and there is always the threat that they may do something to your network or operations before they leave. Consider the risk that this represents, and how much harm someone could do to your facilities and networks. One angry person who feels that they don’t have anything else to lose can quickly cause catastrophic damage if you do not have the proper safety and security preventative measures in place.

Hopefully this gives you some insight, or maybe an opportunity to revisit and think about something that you already knew. It’s good to consider the threats to your specific environments on a fairly frequent basis so that you can address and manage those threats appropriately.

Red Trident can certainly help you with any type of threat or vulnerability assessment, and also help you manage those threats and vulnerabilities in a cost-effective, risk-based manner. Please reach out if there is anything that we can help you accomplish.

904 Gemini Ave, Houston, TX 77058
© 2020 Red Trident. All Rights Reserved.