It's an inside job
Disgruntled former employees are the biggest risk to network security in these troubled times, explains E&T.
Barely a week goes by these days without a media report of hackers trying to break into a corporate IT system - and sometimes almost succeeding. In March this year, for example, one man was jailed for eight years and another for between three and four years for their part in a plot to steal £229m from the Sumitomo Mitsui Bank in London, UK.
What makes this case so worrying is not only the scale of the attempted theft but that one of the men was the bank's own security supervisor. He claimed he'd been coerced into letting the gang into the offices at night to allow them to install 'keylogger' software on various workstations, which recorded every key pressed by users.
This later gave them access to the usernames and passwords of every employee who had used the infected computers, which in turn enabled the gang to attempt cash transfers from the bank to others around the world.
The plot failed for various reasons but it shows how easy it can be to underestimate or overlook the threat from within an organisation when all eyes are scanning the external horizon. And while this case involved a bank and its customers' accounts, the threat is just as real for DCS and SCADA networks, as a widely reported landmark incident in Australia shows (see 'When the sewage hits the fan', p47).
It is a myth nowadays that these networks are "islands of automation"; the growing use of control systems based on mainstream IT technology such as Windows, Ethernet and TCP/IP, and their interconnection with enterprise-wide IT networks, put paid to that some years ago. So, in principle at least, gaining unauthorised access to a control network is only one step on from hacking into the IT network.
"Traditionally, SCADA always used to be proprietary, built around efficiency rather than security, and this is where the problem stems from," says Dr Guy Bunker, chief scientist at security software developer Symantec, and author of 'Data Leaks For Dummies'.
"Physical security used to be essential in SCADA networks but now Internet protocols, for example, enable control from anywhere in the world," he says. "This technology has crept in, and engineers and IT departments are equally guilty of putting new stuff in and not taking old stuff out. So if I was looking for where threats could come from I'd be looking for things like dial-up modems still sitting around."
And the internal threat comes not only from staff who may have been forced into helping malicious outsiders, as in the Sumitomo Mitsui case, but from disgruntled employees and former employees - a threat which, while hardly new, is set to grow in the current economic climate, according to reports.
Retained computer access
In one study, by information management research body the Ponemon Institute and Symantec, nearly 60 per cent of US workers who lost or left their job in 2008 admitted stealing confidential data before they went. Of those, more than 60 per cent said they harboured a grudge against their former employer and nearly 25 per cent still had access to the computer systems after they'd left.
Meanwhile, Microsoft has warned companies to expect a rise in security attacks by disgruntled staff who have been laid off in the current downturn. "With 1.5 million predicted job losses in the US alone, there's an increased risk and exposure to these attacks," a company spokesman told the BBC. "This is one of the most significant threats companies face."
The reason is that, unlike an external hacker, a malicious insider or disgruntled ex-employee knows exactly where and how to attack the system for maximum effect. "External users are presented with limited applications protected by security barriers, with no real sight of the internal network," says Kevin Gourlay, head of testing at corporate data security company Global Secure Systems. "An insider, however, may have full authorised access to domain systems and even core assets, depending on their role in the organisation."
Yet experts agree that many of the measures for countering external threats also apply to internal ones. "Awareness is the key issue, knowing that the threats exist - internally as well as externally - and what you can do about them. It's an IT thing, although control engineers need to be aware of the measures," says Dr Bunker.
"But it's your people, not the technology, who should be at the top of your list here, and educating them first about the risks is critical," he adds. "Look at it as people first, then the process, and lastly the product or technology.
"So educate engineers in not doing things such as using default passwords," he says. "If they are on a default setting they need changing, and the IT department needs to handle the log management and analysis to ensure that updated passwords are in a password log."
According to the UK's Centre for the Protection of National Infrastructure (CPNI), insider threats can arise at any stage of employment, so although it recommends that all new staff with operational or administration access to control systems are appropriately screened - and are given the appropriate accounts, authorisation levels and security training - it also points out that security must be a continuous process.
One reason for this is that staff's loyalties can change. The CPNI says that in most of the cases reported so far, the individuals involved did not obtain their position in an organisation with the intention of abusing their access, but rather they have exploited their access opportunistically while in post.
It says: "People and their attitudes change over time and in response to life experiences and events. A very large proportion of insider acts are carried out by employees who had no such intentions when joining the organisation, but whose loyalties and commitment changed after recruitment."
Part of this process is down to monitoring. Dr Bunker says: "There's the issue of implicit trust. The trouble with a malicious insider is that there's no 1984-style eye over their shoulder, so you need some form of auditing - event logs and audit trails, looking for any behaviour that's out of the ordinary."
Gourlay agrees, adding: "You should introduce full system auditing so that every action by an individual is accountable. And ensure the audit logs cannot be tampered with."
In these uncertain times this monitoring takes on greater importance. "Sometimes lay-offs are not so short notice," says Gourlay. "Many organisations are running on the threat of announced redundancies, so before any announcement is made, appropriate access controls and monitoring should be confirmed. During a period of organisational change, the level of system monitoring should also be heightened to identify any abnormal behaviour."
There is also the danger of social engineering - outsiders manipulating employees into performing actions or divulging confidential information. The CPNI says: "By posing as, for example, a co-worker, a new employee, a delivery person or a workman, or by pretending to have lost their password, the social engineer will attempt to gain information piecemeal, target different employees over an extended period of time, ask for small favours or obtain information through seemingly innocent conversation." This has an echo in the case involving the Sumitomo Mitsui Bank.
And when employment is terminated, the CPNI says, confidential information and documentation must be retrieved, accounts deactivated and passwords changed. Gourlay is more specific. He says: "I would recommend that any person with access to secure areas be escorted off the premises as soon as termination of employment is known. Other measures should include returning all IT assets - laptop, phone and so on - removing the person's access card and therefore access to all secure areas, and immediately changing access controls such as door combinations."
Clearly someone needs to be in charge of making sure this happens. Gourlay says: "From my experience, any person in a company with security access is controlled by a security officer. This person is key to any movements of security cleared staff and should know who to inform and when."
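As an added illustration of the auditing and offboarding checks described above (not code from the article or any of the firms quoted), the script below cross-references a constructed HR leavers list against constructed authentication log lines: it flags successful logins by accounts that should already have been deactivated, and out-of-hours activity by staff under notice of redundancy, where the article says monitoring should be heightened. The log format, account names and shift window are all assumptions.

```python
# Added example: an offboarding audit check, with constructed HR and log data.
from datetime import datetime, time

# Constructed HR data: username -> (status, effective date). 'left' means the
# account must be disabled; 'notice' means monitoring should be heightened.
HR_STATUS = {
    "jsmith": ("left", datetime(2009, 3, 6)),
    "akhan": ("notice", datetime(2009, 3, 1)),
    "bpaul": ("active", datetime(2008, 1, 1)),
}

# Constructed log lines in a simple syslog-like key=value format.
AUTH_LOG = """\
2009-03-05 09:12:01 host=scada-hmi1 user=jsmith result=success src=10.0.5.12
2009-03-09 22:47:13 host=scada-hmi1 user=jsmith result=success src=10.0.5.40
2009-03-09 23:05:44 host=historian user=akhan result=success src=10.0.5.41
2009-03-10 10:15:00 host=historian user=bpaul result=success src=10.0.5.12
2009-03-10 02:30:00 host=eng-ws3 user=akhan result=failure src=10.0.5.41
"""

WORK_HOURS = (time(7, 0), time(19, 0))  # assumed normal shift window

def parse_line(line):
    date, clock, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["when"] = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return rec

def audit(log_text, hr_status):
    """Return (username, reason) findings for a human reviewer."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        status, since = hr_status.get(rec["user"], ("unknown", None))
        # Retained access: a leaver still logging in after their leaving date.
        if status == "left" and rec["when"] >= since and rec["result"] == "success":
            findings.append((rec["user"], f"retained access after leaving on {since:%Y-%m-%d}"))
        # Heightened monitoring: any out-of-hours activity by staff under notice.
        after_hours = not (WORK_HOURS[0] <= rec["when"].time() <= WORK_HOURS[1])
        if status == "notice" and after_hours:
            findings.append((rec["user"], f"out-of-hours {rec['result']} on {rec['host']} at {rec['when']:%H:%M}"))
        # Orphan accounts with no HR record are worth a question too.
        if status == "unknown":
            findings.append((rec["user"], "account not in HR records"))
    return findings
```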
There are plenty of other simple measures you can take - change passwords frequently and lock IT cabinets, for example. Broadly, says Dr Bunker: "Assess the risks. Make sure you understand what you've got by carrying out a physical and logical survey of the network, what the connectivity is - modems and wireless access, for example - then look at your policies. And make sure you have a procedure for the different devices, what's called a risk hierarchy.
"It's all basic and simple stuff but it's all too often overlooked."
There comes a point, though, where some technology is called for, and here again many of the measures to protect against internal threats are similar to those for external ones.
As Dr Richard Piggin, network and security services consultant at Rockwell Automation, explains: "Securing an integrated, distributed automation system requires working across multiple disciplines to develop a multi-layered solution, known as 'defence in depth'.
"In simple terms, this means applying different security layers or defences at different levels across the system to address different threats. Typical layers include physical, network, operating system, application and device security."
One obvious measure here is to segregate the different parts of the control network, and the network itself from the corporate IT system, using firewalls. Another is to implement role-based access control, which works in much the same way as administrator-level password control on modern PCs, granting the privileged roles only to a small number of senior people.
Dr Piggin also recommends using a Demilitarised Zone (DMZ), a buffer network between the Manufacturing Zone (or control network) and the Enterprise Zone (or corporate IT system) for the purpose of sharing data securely. All network traffic from either side of the DMZ terminates in the zone, so no traffic can travel directly across, and clearly all the control network's assets need to remain within the Manufacturing Zone.
"Manufacturing Zone applications could replicate data to an application mirror within the DMZ," Dr Piggin says, citing a Microsoft SQL server as an example. "Users can then replicate the data from this application mirror to an application within the Enterprise Zone."
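To make the DMZ rule concrete, here is an added zone-policy model (not code from the article or from Rockwell Automation) that decides whether a flow between the three zones is permitted: anything crossing directly between Enterprise and Manufacturing is refused, and the database replication described above is only allowed to the application mirror sitting in the DMZ. The address plan, the mirror's address and the allow-list are constructed assumptions.

```python
# Added example: a minimal three-zone firewall policy with a DMZ in the middle.
import ipaddress

# Constructed address plan for the three zones.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "manufacturing": ipaddress.ip_network("10.30.0.0/16"),
}
SQL_MIRROR = ipaddress.ip_address("10.20.0.5")  # assumed application mirror in the DMZ

# Allow-list of (source zone, destination zone, destination port). Every entry
# has the DMZ on one side: traffic terminates there and is re-originated.
ALLOWED = {
    ("manufacturing", "dmz", 1433),  # control-side historian replicates to the mirror
    ("enterprise", "dmz", 1433),     # enterprise applications read from the mirror
    ("enterprise", "dmz", 443),      # reporting front end hosted in the DMZ
}

def zone_of(addr):
    """Map an address to its zone name, or None if it belongs to no zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def decide(src, dst, port):
    """Return ('allow'|'deny', reason) for a flow, mimicking a zone firewall."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "deny", "unknown zone"
    if s == d:
        return "allow", "intra-zone traffic does not cross the zone firewall"
    if "dmz" not in (s, d):
        return "deny", f"direct {s}->{d} traffic must terminate in the DMZ"
    if (s, d, port) in ALLOWED:
        if port == 1433 and ipaddress.ip_address(dst) != SQL_MIRROR:
            return "deny", "SQL only to the application mirror"
        return "allow", "permitted DMZ service"
    return "deny", "no rule"
```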
So how much is all this going to cost, and how can organisations justify investment when budgets are under such immense pressure? It comes down to risk mitigation and calculating Return On Investment (ROI), having assessed the level of risk and the cost of addressing it.
"The first step is to undertake business impact analysis, considering the value of all your business assets, and the potential costs associated with the loss of any of those assets," says Dr Piggin. "It is also important to understand the threats to these assets that could disrupt normal business activities, including process reliability and availability."
Dr Bunker agrees, adding: "This brings us back to People, Process then Product - you can cut the Product spend by spending more time on the People and the Process. ROI can be difficult the first time around, so you need to focus on the devices or classes of devices."
Both also agree that security is essentially an insurance policy. Dr Piggin says: "Just as you would not spend more on insurance than the cost of the asset to be protected, the same is true for evaluating the cost-benefit ratio for implementing security solutions." And Dr Bunker adds: "The biggest trap is thinking it won't happen to you - it can happen by mistake, and in ways that can't be predicted - and your largest outlay could come after a device has been compromised."
And although security should not be seen as a bolt-on or afterthought, Dr Bunker is pragmatic. "It doesn't matter if, say, you're stuck with a SCADA network that won't be replaced or upgraded for the next few years, if you do something now you'll be ready for the new network. This is a gradual thing.
"If the SCADA and enterprise networks are already segregated, great, but for the vast majority of people the trigger comes from connection to the corporate IT system, so there's always some measure of retrofit. There's nothing wrong with bolt-ons but make sure you know where you should be focusing your budget.
"Remember to include a disaster recovery plan - understand what could happen and what to do if it does," he says.
All of this raises the issue of ongoing communication between an organisation's SCADA and IT communities, and on this point Gourlay says: "I would suggest that core personnel in these groups talk regularly - similar to an ISO 27001 security working group - to discuss security matters and how they can assist each other."
Increasingly, technology is bolstering these procedural measures. Dr Bunker says: "In the main, we're seeing the merging of logical and physical security, for example where you can't log on to a network if your access into the building hasn't been logged. There's also authentication using more than just a password - at Symantec, for example, we also have to scan or swipe our ID card to gain access. And the use of biometrics, such as fingerprint checks, is growing.
"Monitoring and managing devices, as in looking out for any anomalous behaviour, is growing too," he adds.
But the consensus seems to be that, although the technology to help you deal with this threat is out there and plays a key part, this is much more of a people issue.