Is your Operational Technology (OT) environment insider safe?

Safety is the mantra in an operational technology (OT) environment. Accidents that may shut or slow down production are some of the biggest fears manufacturing and production organizations have. These organizations go to great lengths to make their operations as safe as possible. The drive for safety, along with profitability, led to automation and robotics, which allow machines to take the place of people. This led to OT development.

But automation and robotics still need people to make needed automation adjustments and keep the machines running correctly. People are one of, if not the weakest link in this automated, robotic, OT chain. People make mistakes, sometimes act before considering all the consequences, and yes, are sometimes motivated by selfish desires. The organization necessarily gives people access to its critical resources, the machines that make the product the organization sells. We call these people who have or had authorized access to the organization’s critical resources, whether they are employees, contractors, vendors, or trusted business partners, insiders. Bear in mind that as automation increases and the number of people needed decreases, the remaining people are entrusted with greater responsibility. They have greater access to more critical resources, which also provides them the opportunity to cause more harm. If these insiders represent one of the greatest risks to these organizations, shouldn’t the organization’s insider risk program be one of its most important safety, not to mention security, programs? You’d be surprised to learn that many, if not most, manufacturing and production organizations don’t have a holistic insider risk program, let alone make it one of the most important safety programs for the organization.

Here are just a few examples to consider:

Sabotage

What’s the worst that an insider could do? In 2014, a telecommunications contract engineer for the Federal Aviation Administration in Chicago accessed and cut wiring for critical communications and radar systems, poured gasoline on them and lit them, causing radar and communications systems blackouts for the Chicago and Midwest area airline and air traffic hubs. The damage cost tens of millions of dollars and took seventeen days to repair. Why did he do this you ask? He blamed his employer for his depression and poor mental health. The final straw for the insider was his employer’s decision to transfer him to another location.^[1]

While this incident did not happen in an OT environment, it certainly could have. Imagine one of your organization’s employees suddenly starts ripping out wiring and destroying consoles in the control room. Depending on how quickly coworkers were able to stop the employee, this could set operations back weeks or even months. Such an incident would certainly affect the organization’s bottom line, but what about its brand name and reputation? What if the product your organization was producing was so vital to your customer that they had to go to a competitor, at least temporarily, to mitigate the customer’s losses? I can see how this could happen in nearly any manufacturing or production organization.

Individuals don’t simply wake up one day and decide they’re going to hurt the organization they work for. It develops over time, and their ability to adapt to both business-related and individual pressure decreases. During this development, their conduct deviates from what’s typical for them, and they likely don’t realize it is occurring. They might be more irritable, have less patience, display a negative tone in their communication with peers and supervisors. These are things coworkers and managers may see. As these indicators aggregate and their capacity to cope with pressure lessens, they travel down the idea-to-action continuum, and their insider risk increases. A holistic Insider Risk Program can interrupt the idea to action continuum, mitigate the insider risk and harm to the organization, and possibly allow the organization to retain a valuable employee.

Trusted business partners/vendors

The mission and focus of OT organizations is to create and sell their products. This focus requires alliances with vendors and other business partners for support functions, especially in automation. Good business practice requires we exercise due diligence and due care standards while choosing vendors, and considerably more so in creating trusted business associations, but are they adequate? Is there a process set up to allow the organization to verify that the partner or vendor is indeed following the policies and procedures reviewed during due diligence?

We give contractors, vendors, and trusted business partners physical and network access to our critical resources and assets on a regular basis. Like our employees, we trust they will act appropriately and professionally. But, is that trust misplaced? We see in the movies where the spy poses as a telecom worker to gain access to and tap network communications to gain critical intelligence, but have we ourselves conducted a physical pen test to verify our controls would detect and thwart such a ruse? When one of your automation vendors comes into your facility to update software or flash firmware, do you have your own archive of the system software, firmware, and configuration to restore to if you later learn the vendor’s system had corrupted content? If the malware is hidden on the device, as some advanced persistent threat actors have done in the past, the vendor’s representative may not even know they are creating this security breach. Think this can’t happen to you? A 2018 study revealed that 44% of USB devices scanned across 50 industrial sites held files containing malware.^[2] Remember that when you let a vendor or trusted business partner in the door, you are also letting in everyone on their supply chain as well.

Conclusion

The above examples illustrate that the OT environment is susceptible to insider risk and needs an insider risk program to oversee and ensure adequate, holistic controls are in place to prevent, detect and respond to the insider risk and threat. While every organization wants to be able to completely trust its employees, vendors, contractors, and trusted business partners, that just isn’t realistic in today’s world where risk mitigation is a business essential. Balancing the need to give employees the suitable tools, conditions, opportunities, and autonomy to carry out their responsibilities and continuously improve the organization while maintaining adequate insider risk safety and security controls to detect and mediate when an insider is going down an inappropriate way, is no small feat. It requires adequate organizational resource commitment. Similarly, organizations need to exercise due diligence and care to ensure their vendors, contractors, and trusted business partners have adequate security controls in place to prevent damage and mitigate risk to the organization. A holistic insider risk program can help organizations with an OT environment to accomplish these objectives.

To find out more about how we can help you visit our cybersecurity services page.

Follow Dan Leyman on LinkedIn.

Dan Leyman

Certified Information System Security Professional (CISSP). Senior Security Manager of Insider Risk Services consulting. Over 25 years of complex investigations, operations, and personnel management experience with the Federal Bureau of Investigation (FBI). A proven Program and Project Manager, experienced in coordinating, influencing and developing consensus among multiple, diverse agencies and entities with a Juris Doctorate degree.