A scary 70% of critical infrastructure organization suffered security breaches in the last year, including water, oil and gas, and electric utilities. An almost equally high number of 64 percent anticipate one or more serious attacks in the coming year.
In the previous posts of this series, we highlighted insider threat risks for US companies and how they respond to them. While the insider threat in government agencies and big companies is a known problem with somewhat implemented mitigation strategies, less is known about the insider threat to critical US infrastructure, such as water purification or nuclear power plants. To illustrate the nature of the threats, let me provide two examples from a Department of Homeland Security report—the Insider Threat to Utilities report.
Insider threats to critical infrastructure are not new – think of espionage and sabotage during the Cold War. However, the parameters have significantly changed.
While the threat in the Cold War days consisted of privileged physical access and specialized knowledge along with espionage and terrorist skills, today’s set of potential threats is much larger due to the ‘deperimeterizing’ of US critical infrastructure. Globalization and outsourcing increasingly blur the lines between insiders and external adversaries.
Often used to reduce costs, unvetted vendors, contractors and trusted business partners get privileged access to critical infrastructure facilities. The use of cloud services, remote work and Web technologies within critical infrastructure organizations further exacerbate the problem if these practices are not treated and protected in a special way. So the threat to a local water purification plant is no longer just a sleeper foreign spy with privileged physical access, but trusted remote employees and contractors whose privileged usernames and passwords can get stolen in the cloud.
Little information exists about recent numbers and impact of malicious insider incidents in critical infrastructure in the United States and abroad. Most information is not released to the public and even trusted sources such as the United States Computer Emergency Readiness Team (CERT) has only limited access to real threat cases and scenarios.
The Department of Homeland Security (DHS), however, recently started to release National Risk Estimate (NRE) reports examining risks from malicious insider attacks. As the latest report states, “the limited availability of insider threat data means that there is uncertainty associated with the NRE risk assessments.”
The NRE is based on a structural analysis of input elicited from federal government and private sector subject matter experts. For the structural analysis, 31 insider threat scenarios with national-level consequences have been selected and their consequences and likelihood have been assessed.
While the experts judge catastrophic scenarios such as “the disruption of the international financial transactions” or “the introduction of a toxic chemical into the US milk supply” to have a rather low probability of around 10 percent or less, they consider scenarios with less severe consequences such as “organized Medicare and Medicaid fraud” as almost 100 percent likely. The median likelihood for all scenarios across all infrastructure sectors was assessed at roughly 15 percent.
The United States Computer Emergency Readiness Team (CERT) conducted 53 onsite assessments of critical infrastructure facilities across the United States to identify vulnerabilities and three major vulnerabilities have been identified.
The first and most common is the lack of segmentation of internal networks along with deficiencies in perimeter protections for virtual and physical enclaves. Network segmentation refers to splitting a computer network into subnetworks, each being a network segment or network layer which makes internal resources far less accessible from the outside.Implementing this would greatly reduce risks for critical infrastructure providers.
The second vulnerability is the lack of boundary protections in internal networks, meaning that there are too few or no firewalls between zones, and the firewall rule sets are minimal and lack auditing/verification.
The third is that remote access has been identified as a primary entry point for attacks due to a bad choice and design of remote access protocols. CERT suggests VPN tunnels and a restricted security zone (DMZ) for connections in order to eliminate this risk.
In summary, the fact that these easy-to-fix vulnerabilities exist in critical infrastructure is quite surprising. The described security holes are well known, and appropriate countermeasures and protocols are adopted standard in almost every other organization network and should be even more so for critical infrastructure. Let’s hope that the responsible CISOs take action.