The danger from within

Paul Boughton

New academic study reveals that internal attacks are on the rise. Louise Smyth reports on how the process sector can take measures to protect itself

As part of their latest research, Professor David Upton of Saïd Business School, and Professor Sadie Creese of Oxford’s Global Cyber Security Capacity Centre have discovered that internal cyber attacks against companies are an increasing threat “that costs tens of billions of dollars a year worldwide, can destroy companies, and sink the careers of many senior executives.” They found that although many organisations are intensifying their defences against external attack, these safeguards are often ineffective against attacks involving insiders.

The study states: “Such attacks from insiders, be they from employees, suppliers, or other companies legitimately connected to a company’s computer system, pose a more pernicious threat than external attacks.” Their study showed that 68% of companies are aware of the insider threat; however, only 48% of companies are taking steps to address the risk.

Professor David Upton comments: “The insider threat is particularly prevalent in the process industry as the scope for widespread devastation is vast, should an employee with malicious intent take action. Consider the implications when a disgruntled employee, or indeed an employee that has been ‘planted’ into a particular organisation to cause chaos, takes action to introduce a virus into an oil or gas processing plant which in turn disrupts – or worse destroys – the national supply.” Research shows that SCADA and Industrial Control Systems (ICS) are most commonly attacked within process automation networks.

So what can process businesses do to protect themselves from such attacks? “Protecting businesses from insider (internal) attacks is vital, however it can be a difficult subject to approach as no-one would like to think their employees might have malicious motives,” says Alexandra Ellis, Senior Case Writer, Saïd Business School. “First of all, businesses need to prepare for the worst case scenario; cyber security is not a topic they can ignore and hope it will go away. They need to identify the single most important piece of information/sets of data – their ‘crown jewels’, so to speak – and protect them. Technology programmes should be installed to help safeguard the company’s assets, however management need to understand that technology alone will not stop all attacks, and behavioural indicators can be vital in spotting potential attacks. Make sure a response plan is in place, should employees show any warning signs.”

Ellis reveals that the majority of cases of intellectual property theft are committed within a particular time scale – within 30 days of resignation. She advises that, “Managers should ensure that processes for removing access permissions, and revoking login credentials are applied promptly, to prevent unauthorised access to company data.”

Raising awareness about methods used to launch insider attacks is imperative and companies are urged to share, and learn, from incidents. Ellis states: “If a breach occurs, use the information to find out which area of your system was exploited, and strengthen it. This will likely prevent the same method being used twice.”

Ellis also believes that education is key in protecting business and industry from cyber attacks. “Initially the onus needs to be placed on schools, to ensure basic cyber security best practices are in place. We need to consider cyber security with the same level of importance as we would assign to hygiene,” she explains. “Examples of cyber security basics include choosing secure passwords, the importance of anti-virus and anti-malware software, and the capability to spot a phishing email. This will instil the bare minimums required to ensure online safety, and implementing these lessons at school level will result in a more informed workforce.

“The implementation of educational initiatives will help the workforce of the future, but the topic of cyber security is a pressing issue now, and many of the people already employed are not as well informed on the subject as need be.”

Ellis concludes: “We are trying to cultivate a culture of personal responsibility, whereby cyber security is everyone’s job. Businesses can start to protect themselves by making all employees aware that cyber security is not only a job for the IT department.”

Hack attacks

Alexandra Ellis reveals that there have been a number of high-profile cyber attacks in the process engineering sector, including:

* Trans Siberian Pipeline 1982: This is an early example of an industrial hack. The CIA successfully planted a logic bomb in the SCADA system that controlled the USSR’s gas pipeline.

* Aramco 2012: A spear-phishing attack focused on a network of Aramco. The attack infected 30,000 computers and took two weeks to recover from; however, it failed to shut down the flow of oil.

* Water Tower Decoy 2012: Chinese hackers APT1 took control of a US water tower control system, using a malicious virus concealed in an MS Word doc. Nothing was damaged as the water tower was planted as a decoy to attract these types of industrial attacks.

* Flame 2012: A very sophisticated virus that ran undetected for years in government organisations, educational institutions and private devices. It was able to record audio, screenshots, keyboard activity and network traffic. It is believed it was designed to steal closely guarded PDF files and AutoCAD drawings for IP theft from a 'huge majority of targets in Iran'.

* US Steel 2010 (also Alcoa, Westinghouse, SolarWorld AG, Allegheny Technologies): US Steel was participating in trade cases with Chinese steel companies. Spear-phishing attacks were launched on US Steel employees, resulting in the installation of malware and subsequent vulnerability of US Steel company networks.

* Norwegian Oil Aug 2014: More than 50 oil and energy companies have been hacked, with a further 250 companies being advised to check their networks for evidence of a breach. Statoil was the main target; however, methods and motives are still unknown. Three years ago 10 oil and gas firms were targeted through spear-phishing emails, allowing perpetrators to steal industrial drawings and login credentials.
