Sunday, May 13, 2018

InTP: Insider Threat Via Critical Infrastructure...

The private sector organizations of the United States are vital to the protection and security of the Homeland.  The private sector owns a majority of our assets, and Critical Infrastructure Protection (CIP) remains a priority as a result of the latest asymmetric threats.  Securing Critical Infrastructure covers the following sectors:
  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems
The National Strategy to Secure Cyberspace emphasizes the importance of public/private partnerships in securing these critical infrastructures and improving national cyber security.
Similarly, one focus of the Department of Homeland Security is enhancing protection for critical infrastructure and networks by promoting working relationships between the government and private industry.

The federal government has acknowledged that these relations are vital because most of America’s critical infrastructure is privately held.  Further, the networks of our global super-infrastructure are tightly “coupled”—so tightly interconnected, that is, that any change in one has a nearly instantaneous effect on the others.

Attacking one network is like knocking over the first domino in a series: it leads to cascades of failure through a variety of connected networks, faster than most human managers can respond.

We realize that there are many facets of CIP, yet where should we be allocating resources?  The level of vigilance within our organizations has not changed, and it is still informed by earlier studies done by CERT and the U.S. Secret Service:
"A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company’s manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup for that software. Following the system administrator’s termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company’s server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees." (U.S. Secret Service and CERT Coordination Center/SEI, Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors)

Insider Characteristics

The majority of the insiders were former employees.

• At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.

• The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%).

Most insiders were either previously or currently employed full-time in a technical position within the organization.

• Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor.

• Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.

Making sure that you have a robust workplace awareness program is one key component in addressing the "Insider Threat" and in building our resilience.

More importantly, the timing may have been the perfect launch point for other malfeasance from non-state actors who lie in wait in their "Lone Wolf" mode, ready to strike.

And while the scenario could be well contained, the timing could create opportunities for the "Black Swan" outlier inside your enterprise.

It's never too early to plan for the unimaginable, all happening in the same geography and the same time frame.  Revisit your "Insider Threat Program" (InTP) and Critical Infrastructure Resilience today...