Cybersecurity Month: Four tips to confront insider threats


By: Matt Stewart, Head of R&D, Industrial Cyber and Digital Security


While cyber attacks committed by malicious actors attract a lot of attention, inadvertent incidents originated by an organization’s own employees are a significant cause of industrial cyber intrusions today. This “insider threat” highlights the need for organizations to strengthen their internal cyber training and awareness. Many companies in all sectors of the economy lack the in-house operational technology (OT) knowledge and expertise required to keep their own employees educated on the latest strategies, techniques and behaviors that will keep their organizations cyber safe.


The following tips will help organizations – and their employees – maintain good cyber hygiene in the OT environment, where we see increasingly sophisticated and frequent attacks against critical infrastructure.


Tip One – Flash drives: Keep your IT and OT flash drives separate and wipe them clean often.

A commonly breached cyber practice for end-users in a plant concerns transient devices, i.e. flash drives. Regularly wiping (securely erasing) flash drives is essential, especially before plugging one into an OT system. As a rule, never cross-pollinate drives between IT and OT systems (unless this is necessary for a specific purpose).


Tip Two – Password management: Store critical vendor account passwords in a password safe application.


Another very dangerous practice, and one of the most common attack vectors, is leaving vendor-default passwords in place. It is important not only to change all default passwords, but also to store the critical vendor account passwords in a safe place. A good practice is to store them in a password safe application, and then restrict access to that application with two-factor authentication or a very strong, complex password, together with some sort of logging mechanism to audit usage. Most password safe applications even have built-in expiration and reminder triggers to prompt users to change passwords.


Tip Three – Limiting access: Always log out of the Distributed Control System (DCS) when you walk away from your workstation.

People frequently forget to log out of the Distributed Control System (DCS) when they walk away from a workstation. This is especially dangerous if they are logged in as a user with extra permissions, such as an engineering or safety-system account. DCS workstations should be configured to switch from a supervisor account to a lower-level account after a period of inactivity. Computers in less-frequented areas should be configured to log completely out of DCS sessions automatically after a period of inactivity. Computers in a control room environment should lower their permission level, but not log out.
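The zone-dependent inactivity policy described above, modelled as an added example that is not from the original article or from any DCS vendor: two workstation zones are assumed ("remote" for less-frequented areas, which log out completely, and "control_room", which demotes to an operator-level account but stays logged in). The timeouts, privilege names, workstation names and the scenario events are all constructed for illustration.

```python
"""Added example: a policy model for DCS workstation inactivity handling.
Not from the original article or any DCS product; zones, timeouts,
privilege names and the sample scenario are constructed assumptions."""
from dataclasses import dataclass, field

# Assumed policy: seconds of inactivity before the zone's action is taken.
IDLE_TIMEOUT = {"remote": 300, "control_room": 600}
# Assumed privilege ranking; anything above 'operator' is a supervisor role.
PRIV_RANK = {"operator": 1, "engineering": 2, "safety": 3}


@dataclass
class Session:
    workstation: str
    zone: str                  # 'remote' or 'control_room'
    user: str
    privilege: str             # current effective privilege level
    last_activity: float       # epoch seconds of last keyboard/mouse input
    logged_in: bool = True
    log: list = field(default_factory=list)

    def touch(self, now: float) -> None:
        """Record user activity; this resets the inactivity clock."""
        self.last_activity = now

    def enforce(self, now: float) -> str:
        """Apply the zone's inactivity policy at time `now`; return the action taken."""
        if not self.logged_in:
            return "none"
        idle = now - self.last_activity
        if idle < IDLE_TIMEOUT[self.zone]:
            return "none"
        if self.zone == "remote":
            # Less-frequented area: end the DCS session completely.
            self.logged_in = False
            self.log.append(f"{self.workstation}: logged out {self.user} after {idle:.0f}s idle")
            return "logout"
        # Control room: keep the session, but drop supervisor rights.
        if PRIV_RANK[self.privilege] > PRIV_RANK["operator"]:
            self.log.append(
                f"{self.workstation}: demoted {self.user} from {self.privilege} "
                f"to operator after {idle:.0f}s idle")
            self.privilege = "operator"
            return "demote"
        return "none"


def run_scenario() -> dict:
    """Constructed walkthrough: one engineering login in each zone, both left idle."""
    remote = Session("WS-07", "remote", "eng_a", "engineering", last_activity=0.0)
    control = Session("WS-01", "control_room", "eng_b", "engineering", last_activity=0.0)
    results = {
        "remote_at_200": remote.enforce(200.0),    # below the 300 s timeout
        "remote_at_400": remote.enforce(400.0),    # past timeout: full logout
        "control_at_400": control.enforce(400.0),  # below the 600 s timeout
        "control_at_700": control.enforce(700.0),  # past timeout: demote only
        "control_at_900": control.enforce(900.0),  # already operator: nothing more
    }
    control.touch(950.0)  # operator resumes work; clock resets, session kept
    results["control_logged_in"] = control.logged_in
    results["control_privilege"] = control.privilege
    results["remote_logged_in"] = remote.logged_in
    results["audit_log"] = remote.log + control.log
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the asymmetry: a remote-area session is terminated, whereas a control-room session only loses its supervisor rights so that operators retain the view they need. Both transitions are written to an audit log, which is what a reviewer would look for when checking that the policy is actually enforced.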


Tip Four – Secure remote access: Choose a remote access option with the strongest possible access controls that meets all regulatory and compliance requirements.


Digitalization means connectivity, and connectivity means remote access for vendors. There are countless options for allowing remote individuals to connect to a target system (e.g., Remote Desktop, Skype, LiveMeeting, etc.). Ensure that any solution meets all of the regulatory and compliance requirements of both the customer security organization and government organizations within the region. When validating remote connectivity options, choose a solution with:

  • Strong access controls, including a least-privileged access design and two-factor authentication where possible.
  • An easily identified and operated on/off control with some form of logging or auditing capability; access to that on/off control should be restricted.
  • The ability to monitor or review actions taken by the remote user to validate any/all changes.

Growing evidence suggests that most OT cyber incidents originate from the inside, and a majority of these are unintentional. Given the potentially catastrophic consequences of any OT cyber intrusion, it is incumbent on organizations to maintain internal cyber awareness and best-practice training that will make their OT workforce better prepared to handle a cyber attack, from inside or out. Does your organization have an in-house certified OT cyber capability that can increase your employees’ security knowledge and establish a safe cyber environment? If not, find a partner who continuously invests in cyber solutions and can help you keep up with the evolving threat.


Published On: October 4th, 2018