Building a Resilient World:
The ISAGCA Blog


3 Ways to Reduce Insider Cyberattacks on Industrial Control Systems

When power grids, water networks, and gas utility systems are targeted by cyberattacks, systems that are essential to our everyday lives are affected. While the damage potential due to external attack sources is alarming, insider threats also exist and constitute an attack vector that is difficult to monitor and control.

Sources of insider threats can include current and former employees, partners, vendors, or anyone else who at one time was granted access to proprietary or confidential information from within the organization. Although not all of these insider attacks are intentional, any such attack on an OT (operational technology) system can result in loss of data/trade secrets, equipment damage, lost revenues, and even personal injury.

The number of insider-related cyberattacks increases every year. The Verizon 2019 Data Breach Investigations Report states that 34% of all breaches in 2018 were caused by insiders (compared to 24% in 2016). As the incidents increase, so do the costs. A 2018 Ponemon Institute Cost of Insider Threats study found that the average cost of an insider-related incident is around $513,000.

Motivation for such attacks includes financial gain, political ideology, a desire for recognition or public attention, fanatical loyalty to country, or a simple act of revenge. Unfortunately, many infrastructure organizations today have yet to implement proactive security controls to monitor areas that govern unauthorized access.

How Key Infrastructure Systems Can Be Affected

Consider how these cyberattack threats can manifest themselves on industrial control systems. An individual with an engineering background and insider knowledge of electric transmission or distribution systems could induce blackouts or destroy equipment. In a publicly released intelligence note from the U.S. Department of Homeland Security, officials caution that “violent extremists have, in fact, obtained insider positions,” and that “outsiders have attempted to solicit utility-sector employees” for damaging physical and cyberattacks.

That same Homeland Security Office of Intelligence and Analysis report points out that water systems and natural gas infrastructures are also at risk. In 2011, a lone water treatment plant employee is alleged to have shut down operating systems at a U.S. wastewater utility in an attempt to cause a sewage backup for the purpose of damaging equipment and creating a buildup of methane gas. Fortunately, automated safety features prevented the methane buildup and alerted authorities who apprehended the employee without incident. Another employee, recently fired from a U.S. natural gas company, allegedly broke into a monitoring station of his former employer and closed a valve, disrupting gas service to nearly 3,000 customers.

Three Precautions for Reducing Cyberattack Risk

Protection against insider threats requires an organization to first adopt a paradigm of deterrence rather than detection. Detection, a common tool in combating external cyberattacks, can in the case of an insider threat occur long after the threat has been executed, resulting in business disruption losses. Deterrence is strengthened when the following three strategies are executed:

  • Pursue appropriate protection technologies: Technologies have been created to control access rights, privileges, and policies, but these technologies are only as good as the people who configure, deploy, and monitor them. Controls that prevent people from circumventing the technologies implemented should be enforced across critical systems. If exceptions are made for various reasons, then these control technologies will no longer work reliably.
  • Create baselines for identifying high-risk individuals/situations: It is important for organizations to create a baseline to gain insight into personalities and to assess abnormal behavior in those who could potentially become a threat to the organization. This gives security officers the ability to discern changes in behavior that could raise the potential of an insider threat.
  • Control and monitor the actions of vendors and contractors: The presence of on-site outside vendors and contractors can also pose a potential insider threat. Therefore, organizations should impose strict controls surrounding on-site access to information and to sensitive areas within the company.
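As an added illustration (not code from the original post or from Schneider Electric), the following Python sketch shows how the first and third precautions can be enforced as a deny-by-default authorization check with no exception path, and how the second can be approximated by a per-user activity baseline that flags a sudden change in control activity. All accounts, access windows, action names and log events are constructed for the example.

```python
# Added example (not from the original post): a deny-by-default policy gate for
# OT control actions with no exception path, plus a per-user activity baseline.
# Every account, access window and event here is constructed for illustration.
from collections import defaultdict
from datetime import datetime

# Offboarded staff stay listed but inactive; contractors carry their on-site window.
ACCESS = {
    "alice": {"actions": {"read", "set_valve"}, "active": True},
    "bob": {"actions": {"read", "set_valve"}, "active": False},  # former employee
    "vendor1": {"actions": {"read"}, "active": True,
                "window": ("2024-11-01T08:00", "2024-11-01T17:00")},
}

def authorize(user, action, when):
    """Return (allowed, reason) for an ISO-8601 timestamp. Deliberately no
    override flag: exceptions are what make access controls stop working."""
    acct = ACCESS.get(user)
    if acct is None or not acct["active"]:
        return False, "unknown or deactivated account"
    if action not in acct["actions"]:
        return False, "action not granted to this account"
    if "window" in acct:
        start, end = (datetime.fromisoformat(s) for s in acct["window"])
        if not start <= datetime.fromisoformat(when) <= end:
            return False, "outside approved on-site window"
    return True, "ok"

def baseline_deviations(events, ratio=3.0):
    """Flag users whose control-action count on their latest day exceeds
    `ratio` times their average over earlier days (their baseline)."""
    per_day = defaultdict(lambda: defaultdict(int))
    for user, action, when in events:
        if action != "read":  # reads are not control actions
            per_day[user][datetime.fromisoformat(when).date()] += 1
    flagged = {}
    for user, days in per_day.items():
        if len(days) < 2:
            continue  # no baseline to compare against yet
        last = max(days)
        prior = [n for d, n in days.items() if d != last]
        if days[last] > ratio * sum(prior) / len(prior):
            flagged[user] = days[last]
    return flagged

# Constructed log: one valve command a day for three days, then ten at 2 a.m.
SAMPLE_EVENTS = [("alice", "set_valve", f"2024-11-0{d}T10:00") for d in (1, 2, 3)]
SAMPLE_EVENTS += [("alice", "set_valve", f"2024-11-04T02:{m:02d}") for m in range(10)]
```

Both checks are intentionally small; in practice the access table would be fed from the HR and contractor onboarding systems so that a termination revokes access the same day.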

A best practice to counteract these insider threats is to conduct a mandatory training program for all employees. Proper training will assist employees in recognizing and flagging possible trigger behaviors (introversion, intolerance of criticism, lack of empathy, reduced loyalty, excessive greed, to name a few) that may be demonstrated by high-risk individuals.


This post originally appeared on the Schneider Electric blog. It is republished here with the permission of its author.

Michael Pyle, Schneider Electric
Michael Pyle is the CSO and vice president of cybersecurity for the Building & IT business unit of Schneider Electric.
