Cutting the wire intentionally or tripping over it. Tales of Insider threats in OT environments that can be scarier than cyberattacks


I have visited a few factories and plants in India, and I see a lot of unorganized and mismanaged cabling, setups, and weak physical security measures inside these environments; I am not sure whether it is the same in other environments across the globe. This raises the point that adversaries who want to target these environments are aware of this too. We know very well that engineers lack cyber awareness, and to solve this problem organizations need to train their personnel and make them aware of the basics of maintaining cyber hygiene, such as:

  1. Do not insert any random pen drive into any OT workstation, HMI, or server, whether someone gives it to you or you find it somewhere, such as on the ground of a parking lot.
  2. Do not open emails that are not legitimate, and do not click on random links sent to you (phishing awareness).

These are the two most successful ways adversaries have been establishing a foothold in IT/OT environments and then executing their plans to disrupt operations: deploying ransomware or sophisticated malware, manually using a command-and-control (CnC) channel to target a specific OT system, or simply conducting cyber espionage.

All of this is fine, but what about nation-state attackers or adversaries who do not want money or merely to damage a reputation, but want to disrupt operations so badly that it becomes hazardous: causing large-scale economic impact, harming human lives, or damaging factories and plants completely?

How I see the future of impactful OT attacks is when systems and processes are disrupted at L0-L2, so one needs to focus on the kinds of attack vectors that can occur at these layers. With TRITON in 2017 we already saw an adversary target safety PLCs.

But we also need to talk about insider threats, discuss how insider threats differ in OT from IT, and look at a few ways we can approach this problem.

16 years back, in the case of the Maroochy water treatment plant in 2006, a disgruntled contractor attacked the system and caused production impact. Read more in the report. Then more recently, 4 years back, one of the engineers at Tesla's Gigafactory in Nevada stole IP and sabotaged existing operations because he was not being promoted. Read the article. This is still not as dangerous, but incidents have happened and are happening that do not make headlines or are not reported.

This made me think of targeted, disruption-based attacks where insider threats are so engineering-specific that they are very hard to detect; it cannot even be distinguished whether the disruption was caused by accident or was intentional.

Consider a scenario where someone trips over a wire that runs close to the machinery, or tries to sabotage it in some way that can cause a hazard, trigger alarms, and damage the machinery.

Engineers have the training and know these machines inside and out: how they work internally and what problems they can have, as they are the ones who troubleshoot them. Then there are the contractors and vendor-side engineers or technicians who visit these facilities to troubleshoot and commission equipment. These are the two sources of insider threats that can be disgruntled, socially engineered, or paid to carry out this type of sabotage at large scale.

Now the question is what steps or measures we can put in place to detect something of this sort; this is also one of the ways to improve the security posture of these environments.

Enhance the physical security posture

  1. Conduct a site-specific physical security assessment that identifies hotspots and critical machinery which can be sabotaged from an insider-threat perspective.
  2. Improve visibility of the shop floor and critical machinery, PLC cabinets, etc. if not already done, and deploy computer vision-based solutions that use ML/AI to detect abnormal behavior when an engineer is doing something in a cabinet or at hotspots where machinery wiring is lying. This solution is just a thought; I am not sure whether it exists in the market, but it could be explored in the future.
  3. Dashcam-type small cameras inside the marshalling cabinets that record activity continuously and are installed in such a manner that they are not easily visible.

Enforcing Security measures at L1-L2 levels OT assets

  1. The Top 20 PLC Security project is one of the projects focusing on best practices for devices at L1-L2, and the team is doing an amazing job of making these standardized in the future.
  2. Improving visibility at L1-L2 by using system features and data to monitor operational behavior and detect operational changes. David Formby has spoken about this in his talk and discussed how it can be used to detect insider threats in his article.
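As an added illustration of the second point (monitoring L1 controller data for operational changes), the following is example code written for this article, not code from the author, from the Top 20 PLC Security project, or from any vendor named here. It assumes a collector already exports per-controller samples with a program checksum, scan cycle time, forced-I/O count and run mode; those field names, the controller name `PLC-7`, the checksums and the sample values are all constructed for illustration. It learns a baseline from a window the plant agrees was healthy and then flags the kinds of changes a Level 1 insider would cause: a logic download, forced I/O points, a mode change, or scan-time drift.

```python
"""Baseline-and-deviation monitor for Level 1 (controller) telemetry.

Added example, not code from the article or any vendor it mentions.
Assumes a collector exports the fields in Sample; names and values are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    plc: str
    ts: int             # seconds since epoch
    program_crc: str    # checksum of the running logic, as reported by the controller
    scan_ms: float      # average scan cycle time in milliseconds
    forced_points: int  # number of I/O points currently forced
    mode: str           # "RUN", "PROGRAM" or "STOP"


@dataclass(frozen=True)
class Baseline:
    program_crc: str
    scan_mean: float
    scan_std: float
    mode: str


def build_baseline(samples):
    """Learn per-PLC normal values from a window the plant agrees was healthy.

    Refuses to learn if the window itself contains a logic change, a mode
    change or any forced point, so a bad window cannot become 'normal'.
    """
    by_plc = {}
    for s in samples:
        by_plc.setdefault(s.plc, []).append(s)
    baselines = {}
    for plc, rows in by_plc.items():
        crcs = {r.program_crc for r in rows}
        modes = {r.mode for r in rows}
        if len(crcs) != 1 or len(modes) != 1 or any(r.forced_points for r in rows):
            raise ValueError(f"{plc}: baseline window is not stable, refusing to learn from it")
        scans = [r.scan_ms for r in rows]
        baselines[plc] = Baseline(crcs.pop(), mean(scans), pstdev(scans), modes.pop())
    return baselines


def check(sample, baseline, z_threshold=4.0):
    """Return a list of (severity, reason) findings for one sample; empty means normal."""
    findings = []
    if sample.program_crc != baseline.program_crc:
        findings.append(("high", f"{sample.plc}: logic checksum changed "
                                 f"{baseline.program_crc} -> {sample.program_crc}"))
    if sample.forced_points > 0:
        findings.append(("high", f"{sample.plc}: {sample.forced_points} I/O point(s) forced"))
    if sample.mode != baseline.mode:
        findings.append(("medium", f"{sample.plc}: mode {baseline.mode} -> {sample.mode}"))
    # Scan-time drift as a z-score against the learned distribution; a small
    # floor on the standard deviation keeps a perfectly constant baseline usable.
    std = max(baseline.scan_std, 0.05)
    z = (sample.scan_ms - baseline.scan_mean) / std
    if abs(z) > z_threshold:
        findings.append(("medium", f"{sample.plc}: scan time {sample.scan_ms:.1f} ms "
                                   f"deviates {z:+.1f} sigma from baseline"))
    return findings


def monitor(baselines, live):
    """Run every live sample through check(); return all findings in arrival order."""
    out = []
    for s in live:
        b = baselines.get(s.plc)
        if b is None:
            out.append(("medium", f"{s.plc}: no baseline for this controller (new or renamed device?)"))
            continue
        out.extend(check(s, b))
    return out


# Constructed healthy window: one controller, stable logic, no forcing, scan 12.0-12.2 ms.
HEALTHY = [Sample("PLC-7", 1000 + i, "a1b2c3", 12.0 + (i % 3) * 0.1, 0, "RUN") for i in range(20)]

# Constructed live samples: a normal one, then a forced point with unchanged logic,
# then a logic download that also lengthens the scan cycle, all without leaving RUN.
LIVE = [
    Sample("PLC-7", 2000, "a1b2c3", 12.1, 0, "RUN"),
    Sample("PLC-7", 2001, "a1b2c3", 12.0, 2, "RUN"),
    Sample("PLC-7", 2002, "9f9f9f", 15.4, 0, "RUN"),
]


def demo():
    """Learn from HEALTHY, check LIVE; returns three findings for the constructed data."""
    return monitor(build_baseline(HEALTHY), LIVE)


if __name__ == "__main__":
    for sev, reason in demo():
        print(f"[{sev}] {reason}")
```

Two design points matter for the insider case the article describes. First, the baseline is learned only from a window that is itself stable, otherwise an earlier unnoticed change becomes "normal". Second, none of these findings say whether a change was an accident or sabotage; what they give the operator is a timestamped trigger to go and look, which is exactly the investigation that never happens when a Level 1 disruption is written off as a tripped wire.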

I just believe that we need to start focusing on these types of threats and attack vectors, because in OT, process disruption is the end goal and it does not necessarily need to be a complete cyber-attack; to cause large-scale catastrophic impacts it can be hybrid, and thus we as defenders need to pay attention to these as well when we run our transformation programs and commit to investing in the security posture of these environments.

I have tried to express my views and thoughts as I believe them; if there are facts that someone feels are incorrect, or if someone feels we need to add more points, let me know in a DM or comment below so we as a community can have open discussions and spread awareness :)

***

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.

Vivek Ponnada

Technology Solutions Director @ Nozomi Networks | Texas MBA

2 years

Well said, for most organizations, inadvertent errors, configuration mistakes, deliberate maleficence, all bucketized under insider threats are more of a threat than APT/Nation State (though some of the insider threat is just another vector for APT). In this regard, I like the IEC/ISA 62443 Security Levels, which help organizations assess what they are trying to defend against.

Well articulated thought. Keep it up, my son.

David Formby

Cofounder | ICS/OT Cybersecurity | OT security with OT logic

2 years

Thanks for sharing your thoughts. State sponsored attackers are always going to try to hide their tracks, especially when their actions cause physical damage that might be interpreted as an act of war. Right now some of the best strategies for doing so involve using insiders to target areas that aren’t being monitored as closely (Level 1) and making it look like a normal accident so it is never investigated as an attack. I believe the most effective defense against ICS insiders like this is empowering operators with better cybersecurity training and visibility into their system.
