By Brian Harrell and Bruce Barnes
Thomas Jefferson once said, “eternal vigilance is the price of liberty,” and it is also the price we must pay to ensure that our power grid is protected. Over the last decade, managing threats to our power grid has become a part of everyday life for the U.S. Energy Sector. Utilities are inundated with outside threats on a daily basis — often from angry customers, environmental groups, hacktivists, and criminals looking for targets of opportunity.
In fact, the energy sector’s critical infrastructure has been identified as a global target, and several countries including the United States have made its protection a legislative priority. In November 2014, the Federal Energy Regulatory Commission (FERC) approved a new mandatory Physical Security Reliability Standard (CIP-014-1) for industry to address physical security risks and vulnerabilities related to the reliable operation of the power grid, and in 2015 the Enhanced Grid Security Act was passed to provide for the modernization, security and resiliency of the electric grid.
These cyber and physical threats often focus on interrupting services or destroying critical equipment for the purposes of inflicting damage and embarrassing the utility. But in order to accomplish such an attack of any magnitude, the attacker needs knowledge of the equipment or system. Generally, they obtain this knowledge by conducting surveillance, probing and reconnaissance of the potential target. As you might assume, this is time intensive, has a learning curve, and is risky in terms of the attackers getting noticed or caught by authorities.
As a result of numerous failed plots, criminal groups and terror organizations have turned to social engineering, baiting, and the use of insider resources to accomplish similar-type attacks. This insider threat, or would-be-pawn in an attack, could have significant access and provide a debilitating blow to a utility. Someone having an electrical engineering background who understands critical grid components could wreak havoc on a system, or even destroy equipment. It goes without saying that an employee with true insider knowledge of the electric transmission or distribution system can cause significant damage and system failure.
This tactic is not new. Historically, one of the most effective ways governments used to gather data and information was by infiltrating the enemy’s ranks. This was the job of the spy or espionage agent, and in times of crisis, spies would also be used to sabotage the enemy by destroying critical equipment. According to a 2011 Intelligence Note from the Department of Homeland Security’s (DHS) Office of Intelligence and Analysis (I&A), officials cautioned that “violent extremists have, in fact, obtained insider positions,” and that “outsiders have attempted to solicit utility-sector employees” for damaging physical and cyberattacks (2011).
Today, the term spy is no longer used to describe this type of espionage in the private sector; rather we use the term “insider threat” to describe a security threat that originates from within the organization being attacked or targeted, often by an employee of the organization or enterprise. An insider threat does not have to be a current employee or stakeholder, but can also be a former employee or anyone who at one time has had access to proprietary or confidential information from within the organization.
These insiders pose an even greater threat, especially if they are working with a foreign state or other high-level threat actor, because of their detailed knowledge of system operations and security practices. In addition, since they are in a position of trust, they often have legitimate physical and electronic access to key systems and the controls designed to protect them. Individuals with the highest level of access pose the greatest threat because they are already inside your organization, using legitimate credentials and permissions to access sensitive areas, thus evading detection from traditional security products. Furthermore, an individual with access to grid infrastructure could purposely or inadvertently introduce malware into a system through portable media or by falling victim to social engineering e-mails or other forms of communication.
Many utility organizations have a false sense of security, because their employees are required to pass background checks before being hired. However, just because an employee passes a background check or has a security clearance does not mean they are not a risk. Most utility companies use a national commercial crime database search as part of their pre-employment screening process because they are relatively quick and inexpensive, but they have also been known to have errors due to incorrect or missing information. Also, employees that have been hired more than five years ago should undergo a periodic background check to ensure they remain qualified for the position they hold since they may have committed crimes after being hired that the employer is not aware of.
We have seen current events that have recently shown us that people with legitimate access can produce substantial harm. For instance, Edward Snowden, who released classified information about national surveillance programs, U.S. Army P.F.C. Bradley Manning who provided classified documents to WikiLeaks, and contractor Aaron Alexis who killed 12 people during a shooting at the Washington Navy Yard in 2013 while holding a security clearance.
We have also seen insider threat events play out in the utility sector. In April 2011, a lone water treatment plant employee is alleged to have manually shut down operating systems at a wastewater utility in Mesa, Ariz., in an attempt to cause a sewage backup to damage equipment and create a buildup of methane gas (Platts, 2011). Fortunately, automated safety features prevented the methane buildup and alerted authorities, who apprehended the employee without incident. Additionally, in January 2011, an employee recently fired from a U.S. natural gas company allegedly broke in to a monitoring station of his former employer and manually closed a valve, disrupting gas service to nearly 3,000 customers for an hour (NCI, 2015).
While strong physical and cybersecurity measures typically are in place to deter and detect these types of events, historically similar measures have not been developed to address threats from insiders.
The weakest link in our system continues to be the people who are charged with operating and protecting the grid. Much of this is caused by human error and is not intentional, but can have equally devastating effects. According to the 2014 IBM Cyber Security Intelligence Index, more than 95 percent of all incidents investigated involved human error (IBM, 2014). This is the equivalent of building a castle around your assets to protect them all, but having someone leave the keys in the front door. Cybercriminals use a variety of methods to trick insiders into handing over the keys to the castle. Oftentimes, they will trick employees into ignoring security safeguards by disguising links or emails as legitimate, so that when the employee clicks on the link they open up an infected document or download a virus to the system.
Insiders — including employees, contingent workers, visitors and trusted third parties — often have unfettered access to sensitive and critical information, systems and facilities for which there is minimal oversight or monitoring. Cyberattackers will also try to unwittingly convince employees into giving them their credentials by posing as a supervisor or other senior leader from within the organization so that they can gain access to the network by duping the employee into believing they are following orders from above.
A 2008 report by DHS identified that many critical infrastructure and key resources (CIKR) operators lack an appropriate awareness of the threat that insiders pose to their operations. Education and awareness presents the biggest potential return for policy by motivating CIKR operators and focusing their efforts to address the insider threat. Appropriate awareness will help to shape the insider threat policies and programs needed to address the unique insider risk profile of each CIKR operator (DHS, 2011).
The reason security awareness is so important in mitigating the risk associated with an insider threat is that employees are the last line of defense. Even with the best cyber and physical security protections in place, there is still no 100-percent guarantee that it will protect everything. Since secure systems are only secure if they are unplugged or turned off, organizations must constantly be prepared and vigilant to defend against an insider threat because operating the bulk power system is a 24/7 job. In order for utilities to be prepared, they must first train their employees to be aware of what the risks are. “Security awareness means that employees understand that there is the potential for someone to deliberately or accidentally steal, damage or misuse the data that is stored within a company’s computer systems and throughout its organization (Vaca, 2013).”
An insider threat program seeks to deter, detect and mitigate the risk associated with insider threats. As of November 2013, government agencies are required to develop insider threat programs to mitigate the risk of an insider attack. However, since 85 percent of the energy sector is privately owned, utility organizations, while not required to do so, should establish their own insider threat program. With increased legislation around grid security, it is probably just a matter of time before this becomes a requirement; however, it still remains a best practice.
Developing a risk-informed, responsive insider threat program that includes security awareness, personnel surety, current threat assessments, workplace violence training and forward leaning behavioral policies requires a strong commitment from senior management and those actively engaged in program development. A successful insider threat program must include active participation from a company’s physical security, personnel security, information technology and human resources as well. Once you have executive buy-in, here are a few high-level items for consideration:
Establishing a company culture that is threat-aware. Provide regular insider threat awareness training, as well as realistic training exercises. Create a safe environment in which to self-report actions that jeopardize security. Regular briefings by security department personnel on security policies, procedures, and emergency response will familiarize employees and set expectations.
Create clear procedures for reporting violent or suspicious behavior. While working with your company’s General Council and Human Resources department, provide easy-to-understand procedures for alerting supervisors and security personnel. The program should seek to prevent insider attacks by capturing observable indicators of potential activity before insiders act. Intelligence on the insider threat generally comes from within the enterprise through either technical data or behavioral indicators.
Training on indicators of an inside threat. Employees should be trained on the potential indicators that could signal something is wrong, such as employees seeking to gain a higher clearance than required and possibly trying to enter areas they do not have access to. Or, they may attempt to engage other employees in confidential conversations without their need to know. Not every employee who exhibits these indicators is guilty of a crime, but most of the persons who have been involved in workplace espionage were later found to have displayed one or more of these indicators.
Clear lines of communication with law enforcement agencies and intelligence partners. Oftentimes, employees who pose an internal threat to a company have been approached by known criminals and terrorists from the outside of whom law enforcement is already aware. By maintaining constant dialogue and known relationships with law enforcement, utilities may add value to existing investigations and receive useful intelligence.
Conduct a Risk Assessment. The organization should analyze the operational environment in order to discern the likelihood of an insider-driven event and the impact that the event could have on the organization. Determine, analyze and prioritize gaps.
Organizations have begun to acknowledge the importance of detecting and preventing insider threats. Just as it is vital to have methods to detect external threats, it’s also important to protect your organizations assets and systems from unauthorized insider misuse or destruction. Insider threats are an ongoing and evolving issue and your program should constantly be updated as your policies mature and you learn from security events. Remember, your constant vigilance is needed to ensure that the grid is protected so we can ensure the lights stay on!
Authors:
Brian Harrell, CPP is the Director of Security and Risk Management at Navigant Consulting, Inc. (NCI) and is a former security executive at the North American Electric Reliability Corporation (NERC).
Bruce Barnes, CPP is an Executive Director at Wayne Solutions, LLC. and is the former head of Infrastructure Security and Emergency Management for NV Energy.
References:
Homeland Security News Wire, (2011). “DHS warns utilities at risk from insider threats.” Retrieved from www.homelandsecuritynewswire.com/dhs-warns-utilities-risk-insider-threats
National Cybersecurity Institute, (2015). “How Critical Infrastructure Is Vulnerable to Insider Threat.” Retrieved from www.nationalcybersecurityinstitute.org/general-public-interests/how-critical-infrastructure-is-vulnerable-to-insider-threat/
Platts, (2011). “US utilities say ready for any potential threats to infrastructure.” Retrieved from www.platts.com/latest-news/electric-power/newyork/us-utilities-say-ready-for-any-potential-threats-6303585
IBM, (2014).
“IBM Security Services 2014 Cyber Security Intelligence Index.” Retrieved from http://media.scmagazine.com/documents/82/ibm_cyber_security_intelligenc_20450.pdf
U.S. Dept. of Homeland Security, (2008). “The insider threat to critical infrastructures.” Retrieved from www.dhs.gov/xlibrary/assets/niac/niac_insider_threat_to_critical_infrastructures_study.pdf
Vaca, J.R., (2013). “Computer and Information Security Handbook.” Morgan Kaufmann Publishers. Waltham, MA.