Insider Threat Management

The Insider Threat Risk to Critical Infrastructure (And What to Do About It)


No one likes to think about potentially disastrous situations, like power grid blackouts, public health threats, or snakes on a plane. (Seriously, it’s a terrible movie.) The unfortunate truth is that critical infrastructure systems are extremely vulnerable to both cybersecurity and physical security risks, because a single compromise can affect a very large population and area.

State-sponsored threats and high-level hackers are constantly looking to gain access to the critical infrastructure of nations worldwide, with the intent of hitting where it hurts most.

But, there’s a little-discussed front door to critical infrastructure: the employees and third-party vendors and contractors who already have access. (The potential insider threats!)

Since November is Critical Infrastructure Security and Resilience month, let’s take a deep dive into critical infrastructure to explore some of the most common insider threat risks to these sectors, and detail a few insider threat prevention strategies that could be put into effect.

What is Critical Infrastructure?

According to the U.S. Department of Homeland Security, there are 16 critical infrastructure sectors made up of both physical and virtual assets, systems, and networks. A compromise to any of these sectors could have devastating effects on security, national security, and/or public health.

These 16 sectors include: transportation, food and agriculture, emergency response, energy, and communications, to name just a few.

Many of these sectors are highly dependent on one another. For example, food and agriculture is interconnected with the water and wastewater, energy, chemical, and transportation systems sectors. If a single link in the chain is affected, the entire ecosystem could face serious problems.


Common Insider Threat Risks to Critical Infrastructure

Two out of three insider threat incidents that occur in an organisation happen accidentally, according to insider threat statistics pulled from the Ponemon Institute’s Cost of Insider Threats report.

Accidental insider threat incidents occur most often when an employee or trusted third-party contractor doesn’t have a clear understanding of an organisation’s cybersecurity policy, or does not follow cybersecurity best practices.

In some cases, these accidental insider threat incidents are caused by someone falling for phishing or social engineering attacks that are designed to look legitimate. A rogue attachment or link placed in an email could infect an organisation’s system with malware, without the employee or contractor even realising it. Or, if insiders don’t leverage account security best-practices such as multi-factor authentication (MFA) or strong passwords, their accounts containing sensitive data could be compromised.

Cybersecurity policies, strategies, and best practices can be put into effect, but it is difficult to know for certain that they are being followed without adequate visibility.

According to the Institute for Critical Infrastructure Technology, many of these insider threat risks come from third-party technology companies contracted by governments to run critical infrastructure. Just like employees, third-party vendors and contractors can be a source of vulnerability if they aren’t adhering to strict government cybersecurity policies and compliance standards for IT systems and data management.

Beyond accidental insider threats, malicious insider threats are also a major concern. Employees or contractors that work within a critical infrastructure sector are especially vulnerable to becoming state-sponsored insider threats, who are often driven to act on behalf of a foreign government for financial, revenge, stress, ideological, or patriotic reasons.

In some cases, malicious insider threats act on their own accord. It’s important to understand the motivations of these insiders, as there are often common patterns that emerge.

For example, if an organisation pays close attention to abnormalities in an employee’s behaviour, viewed in the context of that employee’s activity on IT or physical systems, the evidence may indicate that further investigation is needed.
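As an added illustration (not code from the original post) of the kind of context the paragraph describes, the following correlates constructed badge-reader records with IT login records so that activity inconsistent with a person’s physical presence or normal working hours is surfaced for review. The host names, the working-hours window and every log line are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample data (not real logs): physical badge-reader events and IT logins.
BADGE_LOG = [
    ("alice", "2023-11-06 08:02", "entry"),
    ("alice", "2023-11-06 17:10", "exit"),
    ("bob",   "2023-11-06 07:55", "entry"),
    ("bob",   "2023-11-06 16:40", "exit"),
]
IT_LOG = [
    ("alice", "2023-11-06 09:15", "lan", "scada-hmi-01", "login"),  # consistent with badge-in
    ("bob",   "2023-11-06 10:30", "vpn", "scada-hmi-01", "login"),  # remote login while badged on-site
    ("carol", "2023-11-06 11:05", "lan", "historian-02", "login"),  # on the LAN with no badge entry
    ("alice", "2023-11-06 23:48", "vpn", "scada-hmi-01", "login"),  # outside normal hours
]
WORK_HOURS = (6, 20)  # assumed normal window: 06:00 to 20:00


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def on_site(user, when, badge_log):
    """True if the user's most recent badge event on that day, up to `when`, was an entry."""
    state = None
    for u, t, ev in sorted(badge_log, key=lambda r: r[1]):
        t = _ts(t)
        if u == user and t.date() == when.date() and t <= when:
            state = ev
    return state == "entry"


def find_anomalies(badge_log, it_log):
    """Flag IT activity that conflicts with physical-presence context or normal hours.

    Each finding is (user, timestamp, reason); a single login can produce several reasons.
    """
    findings = []
    for user, t, source, host, action in it_log:
        when = _ts(t)
        present = on_site(user, when, badge_log)
        if source == "lan" and not present:
            findings.append((user, t, "lan-access-without-badge-entry"))
        if source == "vpn" and present:
            findings.append((user, t, "vpn-access-while-on-site"))
        if not (WORK_HOURS[0] <= when.hour < WORK_HOURS[1]):
            findings.append((user, t, "after-hours-access"))
    return findings
```

A finding is a prompt for a human to look closer, not a verdict: a contractor badged in by a colleague or a maintenance window would explain several of these patterns.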

Insider Threat Prevention Strategies

Insider threat prevention in critical infrastructure sectors starts with having a solid foundation: a comprehensive, yet digestible cybersecurity policy. Having the right policy in place, combined with a culture of cybersecurity awareness can help organisations reduce their risk of insider threat incidents.

Build Good Habits

The cybersecurity team is a key stakeholder in ensuring that employees thoroughly understand the policies and procedures put into place to protect both them and the organisation. A once-and-done training session will not do the trick.

Ongoing, in-the-moment coaching, paired with regular workshops and sessions can help reinforce positive user activity and reduce the bad habits that most often cause accidental insider threat incidents.

Embrace Insider Threat Management Technology

An effective insider threat management strategy combines these “soft” people skills with technology solutions purpose-built for detecting, investigating, and preventing insider threats. These tools should be capable of providing ample context indicating where risk is elevated, and direct ways to deter or react to unusual or “risky” activity.

In short, delivering visibility is key. But that doesn’t mean that your employees, vendors, and contractors should be left in the dark. By maintaining a sense of transparency, and taking strides to safeguard user privacy with data anonymisation tools, cybersecurity can be positively ingrained within the workplace culture (and built on trust).

Be Aware of Privileged Users

Privileged users -- or users with administrative access credentials -- can pose a major risk to critical infrastructure. However, in a changing technological landscape, it can be difficult to define who is a “privileged user.”

The main thing to keep in mind is that insiders have the potential to abuse their privileges to access digital or physical systems, files, and data, and act maliciously (or grant access to unauthorised users). Or, if they aren’t careful with their account security, privileged users can become some of the most costly targets of credential theft.

A strict privileged user management policy can help prevent minor abuses or mistakes from becoming full-blown insider threat incidents.

People, Process, Technology

Finally, consider the notion that the best insider threat management strategy focuses on people, process, and technology -- in that order.

At the end of the day, you rely on your people to keep critical infrastructure (including systems, files, and data) safe. Putting them first establishes the tone for adopting a cybersecurity culture built around trust and individual vigilance, which can help significantly reduce the risk of insider threats to critical infrastructure.

Process helps make sure that protections are actually put into place -- and that they are consistently created, maintained, and enforced.

And of course, having the right technology can help deliver the visibility and direct action needed to detect, investigate, and stop insider threats.