Insider Threat to Utilities

Tuesday, July 26, 2011 @ 05:07 PM gHale

Editor’s Note: This is an excerpt from an Eric Byres story appearing on the Tofino Security web site. Byres is the chief technology officer at Byres Security.

By Eric Byres
Last week the United States’ Department of Homeland Security (DHS) released a report on “Insider Threat to Utilities” that has been getting a lot of attention in the mainstream media. While released “For Official Use Only (FOUO)”, the report has been posted on the Internet.

Media coverage so far tends to focus on the dramatic, such as the potential threat of Al-Qaeda attacks on the ten-year anniversary of 9/11, and does not actually help utility owner/operators secure their systems. What should happen now is that critical infrastructure operators extend the report’s recommendations to include additional protective measures.
The report contains the following sections:
• Key Findings
• Insider Threat (Definition and Example Incidents)
• Cyber Attacks (Definition and Example Incidents)
• Violent Extremists with Insider Access (Definition and Example Incidents)
• Protective Measures
• Outlook


One unclassified incident:

“In April 2011, a lone water treatment plant employee allegedly manually shut down operating systems at a wastewater utility in Mesa, Arizona in an attempt to cause a sewage backup to damage equipment and create a buildup of methane gas. Automatic safety features prevented the methane buildup and alerted authorities, who apprehended the employee without incident.”

This incident highlights the important role of Safety Integrated Systems (SIS) in protecting plant processes and people.

The portion of the report that interested me most was the section on Protective Measures. In general, these are solid, but basic protective measures that are standard guidance in the IT industry.

My concern is the measures described do not sufficiently emphasize protection for critical SCADA and ICS components, such as SIS.

The following are additional measures that should be in the U.S. DHS’s report list:

a. Put extra measures in place for critical systems such as Safety Integrated Systems (SIS).

The report recommends managing all staff and information flow in and out of an entire utility. This may or may not be feasible or affordable. What is feasible, and what should be emphasized, is managing people and information access to critical systems or assets.

To secure an SIS, the industrial network should be segmented into zones, as per ANSI/ISA99 Standards, and protected with a firewall that protects communications between the control system and the safety system.

b. Monitoring and analysis of internal information flows.
Too much attention is placed on the utility/corporate boundaries, and not enough attention is placed on monitoring and analyzing internal information flows. By the time critical information is at the boundaries, it is often either too late or it is in a form that cannot be detected.

For example, consider the Wikileaks case of Bradley Manning and his reported carrying of sensitive U.S. military and diplomatic data out on a CD. His transfer of 251,287 documents over the network to his personal computer would have created a far more detectable signature than his carrying of a music CD out of a facility.

Similarly, it is generally believed Stuxnet was introduced into the five Iranian organizations via a USB key, a very difficult pathway to control. However, once inside a facility, its activity creates very noticeable changes to network traffic patterns, allowing potential detection even before the worm was formally identified.
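The point above is that a bulk internal transfer stands out against a host's normal behaviour long before anything reaches a boundary. The following is an added example (not code from the article or from Byres Security) that buckets constructed internal flow records per source host and hour and flags any host whose fetches from a document server exceed a multiple of its assumed historical baseline; the log layout, addresses and baselines are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of internal flow records: "timestamp src dst service bytes".
# Two hosts behave normally; 10.1.5.99 pulls 400 files in a few minutes.
SAMPLE_FLOWS = """\
2011-07-20T09:01:12 10.1.5.23 10.1.2.10 smb 48213
2011-07-20T09:02:40 10.1.5.23 10.1.2.10 smb 51877
2011-07-20T09:05:03 10.1.5.44 10.1.2.10 smb 12004
2011-07-20T09:07:19 10.1.5.44 10.1.2.10 smb 9922
""" + "".join(f"2011-07-20T09:{10 + i // 60:02d}:{i % 60:02d} 10.1.5.99 10.1.2.10 smb {40000 + i}\n"
              for i in range(400))

# Constructed baseline: typical document fetches per hour per host, assumed to
# have been learned from several weeks of prior internal flow records.
HOURLY_BASELINE = {"10.1.5.23": 3.0, "10.1.5.44": 2.5, "10.1.5.99": 2.0}

def parse_flows(text):
    """Parse the assumed whitespace-separated flow format into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, service, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, service, int(nbytes)))
    return flows

def hourly_fetch_counts(flows, document_server, service="smb"):
    """Count fetches per (source host, hour bucket) directed at the document server."""
    counts = Counter()
    for ts, src, dst, svc, _ in flows:
        if dst == document_server and svc == service:
            counts[(src, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return counts

def flag_bulk_transfers(flows, document_server, baseline, ratio=10.0, floor=50):
    """Alert when a host's hourly count exceeds max(floor, ratio * baseline).
    The floor stops a host with a tiny baseline from alerting on ordinary noise."""
    alerts = []
    for (src, hour), n in hourly_fetch_counts(flows, document_server).items():
        threshold = max(floor, ratio * baseline.get(src, 1.0))
        if n > threshold:
            alerts.append({"host": src, "hour": hour.isoformat(),
                           "count": n, "threshold": threshold})
    return sorted(alerts, key=lambda a: a["host"])

if __name__ == "__main__":
    for alert in flag_bulk_transfers(parse_flows(SAMPLE_FLOWS), "10.1.2.10", HOURLY_BASELINE):
        print(alert)
```

The same bucketing works on byte totals instead of fetch counts, which is what catches a single large archive rather than many small files.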

c. Identification and control of secondary pathways.
As noted above, CDs, USB keys, laptops and other secondary pathways exist in all utilities. There is a tendency to focus on the obvious network-based pathways and forget these other pathways. Managing these information flows is critical in the case of insider threats.

Focus needs to be put on Internal Controls as much as Boundary Controls

In summary, a utility owner/operator that is not a security expert would read this otherwise good report and then place too much focus on boundary controls, rather than internal controls.

Greater emphasis should be placed on internal dataflow risk analysis, and internal digital flow monitoring.

Finally, focused mitigation of specific critical system risks, such as SIS, needs to be stressed.

A blanket approach to utility security is not economically or technically viable. If we are going to have secure ICS and SCADA systems we need to get focused on the truly critical components.

Eric Byres is the chief technology officer at Byres Security.
