A ‘malicious insider’ refers to the existence of people in an organization – internal employees or external providers, engineering companies, integrators, contractors – who, through careless mistakes, lack of knowledge and/or bad faith, perform an ‘action’ that affects the security of processes, systems or facilities within an industrial operation or a critical infrastructure.
Among these ‘actions’ we can mention the following: bad practices when accessing critical systems with manager privileges; using non-authorized USB devices that contain malware; carrying out malicious actions while having detailed knowledge of industrial network diagrams and setups; performing actions induced by social engineering; overlooking policies, procedures, standards, and best practices; and many more.
This kind of threat has been analyzed by institutions like US-CERT; in fact, in May 2014 a White Paper was published with the title “Combating the Insider Threat.” From this publication, we can highlight the description of an “insider threat” profile as shown below:
The question that arises is: What can we do to combat this kind of threat?
From our point of view, these three areas should be considered:
1. Design and, most importantly, correct communication of policies and procedures.
2. Conducting awareness and training sessions about industrial cybersecurity.
3. Promoting initiatives that bring IT security and OT security managers together to coordinate their efforts and build mutual understanding.
This is not an easy job: we, the people, are the weakest link in the chain that secures OT in an organization, but specific action must be taken if we want to mitigate and/or remove this important threat.