Anatomy of IIoT insider attacks: How do they work and how can we stop them?

Image courtesy: Brett Sayles

The classic cybercrime stereotype of a shady hacker poking holes in defenses from afar has persisted for years. Security postures have historically been positioned to shield against these outside attackers under the assumption that those outside the organization are a greater risk than those within it. Recent data from surveys and incident reports show this assumption is no longer reliable.

According to the 2022 Cost of Insider Threats Global Report from the Ponemon Institute, insider cybersecurity incidents have risen sharply in the last few years. Its researchers found that 67% of responding organizations experienced at least 21 insider threat incidents in 2021 (the top band being more than 40), up from 60% in 2020 and 53% in 2018. More companies each year are dealing with a steady stream of insider incidents, and if your company isn't one of them yet, it soon will be. This escalation is of particular concern for industrial and manufacturing organizations: Ponemon researchers reported that the average annualized cost of insider incidents in that sector rose to nearly $15 million. Does your company have that lying around?

Where do insider attacks come from?

Insider attacks can come from privileged users and administrators, who present a greater level of risk given their sweeping access. They can also come from third-party vendors or partners, who can accidentally or intentionally leave backdoor access into your network when integrating their solution. Temps and contractors with physical access to company assets, physical or digital, are another source, as they may not follow your organization's cybersecurity rules and practices, if they are even aware of them. Executives are a risk as well, since they may disregard company policies and expand their own access for convenience, curiosity or control. Any of these individuals can be turned by frustration with the company, a bribe from an external bad actor or some other personal cause. Theft of an insider's credentials by an outsider, which lets the outsider operate as if they were an insider, is also quite common.

Despite all those potential threats, the primary root of most insider incidents is simple negligence. The Ponemon report cited earlier found that 56% of insider incidents were the result of negligence, while only 26% stemmed from malice. In this context, negligence could mean failing to follow policy, failing to apply patches when they become available or simply forgetting to log out of a company device.

For a real-world example, we recently spoke with a global manufacturing company with more than 300,000 employees that had experienced an insider cyberattack on its OT infrastructure. A former employee had left a backdoor into the system open before his departure and used it to remotely tamper with one of the systems on the production floor. His actions caused major disruptions and jeopardized the safety of the staff working the floor; the outcome could have been deadly. Note that the access path here was not a software exploit but an account and remote-access route that was never revoked when the employee left, which is why offboarding has to reach OT systems and vendor remote-access tools, not just corporate e-mail.

Why are insider attacks on the rise?

Look around in almost every facet of life, and you'll see more connected devices than ever. This is especially true in industrial settings, where IT/OT (information technology/operational technology) convergence is driving smart factories to new heights. More connected devices mean more targets for bad actors to exploit. They also mean a larger attack surface for IT teams to defend and more people who need credentials, which we know are easy to steal or lose track of. Simply put, these new and legacy devices are connecting to smart factory networks faster than they can be adequately secured. It shows in the data: according to the X-Force Threat Intelligence Index 2022, 61% of incidents at OT-connected organizations in the previous year were in the manufacturing industry.

What makes insider attacks more dangerous than outsider attacks?

Insiders have a lot of advantages that outsiders lack. Insider attacks use legitimate credentials, which means defenses that key on failed logins, unknown devices or unfamiliar source addresses have little reason to think a threat is present. This gives an intruder the ability to escalate privileges undetected. Compromised insiders like executives and network administrators are also likely to know exactly where the most valuable assets are, as well as where and how defenses are set. Establishing persistence without triggering alarms allows insiders to run below-the-radar, multistage attacks in which they extract small chunks of data at a time, each transfer too small to trip a volume threshold on its own. This is a big advantage over outsiders moving about blind and seizing data in big bursts that set off alarms.

What can industrial companies do to protect themselves?

The very first thing industrial companies need to do to protect themselves from insider attacks is to scrap their perimeter-based posture and move to a zero-trust approach, in which every request is authenticated and authorized on its own merits rather than trusted because of where it comes from. Any implicit trust built into a cybersecurity posture is a glaring vulnerability. No matter how much you believe in the integrity of your team, the data shows that belief is not a control. According to IBM's 2022 Cost of a Data Breach Report, 79% of critical infrastructure organizations have not deployed a zero-trust approach, even though 20% of attacks on these organizations result from human error. Humans are fallible and therefore cannot be trusted implicitly when it comes to network access and privilege.

Another tactic industrial organizations should adopt is to shift their priorities from preventing access to preventing outcomes. Given how easy it has become for bad actors to get into privileged networks and devices, you should assume that an attacker, whether an outsider or one of your own people, will eventually obtain unauthorized access. Accepting that allows you to focus on what really matters: limiting what anyone who has access can actually do. In practice that means least privilege on every account, explicit grants per system and action rather than broad role membership, segmentation between IT and OT so a compromised office workstation cannot reach a controller, and monitoring of privileged actions so that misuse of a legitimate account is still visible.
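The two points above, default-deny access checks that do not care whether a credential is valid if the request is not explicitly granted, and detection of the low-and-slow extraction pattern described under "What makes insider attacks more dangerous", can be made concrete. The following is an added example, not code from the original article or from the manufacturer it describes. The log format, the grant table, the offboarded-account list and the byte thresholds are all constructed assumptions chosen for illustration; the logic itself (explicit grants, offboarding as a hard deny, and a sliding-window sum of egress per account) is the general technique.

```python
"""Added example: a default-deny OT access check plus a low-and-slow
exfiltration detector run over constructed log lines. All names,
policies, thresholds and the log format are assumptions for
illustration and are not taken from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Explicit grants as (user, device, action). Anything not listed is
# denied, regardless of whether the credential is valid. (Constructed.)
GRANTS = {
    ("alice", "plc-line3", "read"),
    ("alice", "plc-line3", "write"),
    ("bob", "plc-line3", "read"),
    ("vendor-svc", "hmi-line3", "read"),
}

# Accounts HR has offboarded. Assumed to be fed from the HR system so
# that a departed employee's access dies with the employment record.
OFFBOARDED = {"mallory"}


def authorize(user, device, action, mfa_ok, device_managed):
    """Zero-trust style decision: identity verified, device managed,
    and an explicit grant for exactly this device/action. Returns
    (allowed, reason) so denials are explainable in logs."""
    if user in OFFBOARDED:
        return False, "account offboarded"
    if not mfa_ok:
        return False, "identity not verified"
    if not device_managed:
        return False, "unmanaged device"
    if (user, device, action) not in GRANTS:
        return False, "no explicit grant"
    return True, "allowed"


def parse_line(line):
    """Parse one constructed log line of the form
    '<ISO timestamp> key=value key=value ...'."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["bytes_out"] = int(rec.get("bytes_out", "0"))
    rec["mfa"] = rec.get("mfa") == "yes"
    rec["managed"] = rec.get("managed") == "yes"
    return rec


def detect_low_and_slow(records, window=timedelta(hours=24),
                        per_event=10_000_000, cumulative=50_000_000):
    """Flag accounts whose individual transfers all stay below the
    per-event alarm threshold but whose total within the sliding
    window crosses the cumulative threshold. Returns
    {user: {"total": bytes, "largest": bytes}} for flagged users."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    flagged = {}
    for user, recs in by_user.items():
        start = 0
        for i, r in enumerate(recs):
            # Slide the window start forward until it fits.
            while r["ts"] - recs[start]["ts"] > window:
                start += 1
            in_window = recs[start:i + 1]
            total = sum(x["bytes_out"] for x in in_window)
            largest = max(x["bytes_out"] for x in in_window)
            if total >= cumulative and largest < per_event:
                flagged[user] = {"total": total, "largest": largest}
    return flagged


def evaluate(log_text):
    """Run every request through authorize(); only allowed requests
    move data, so only those feed the exfiltration detector."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    decisions = []
    allowed = []
    for r in records:
        ok, reason = authorize(r["user"], r["device"], r["action"],
                               r["mfa"], r["managed"])
        decisions.append((r["user"], r["device"], r["action"], ok, reason))
        if ok:
            allowed.append(r)
    return decisions, detect_low_and_slow(allowed)


# Constructed sample log: a departed account, an ungranted write, a
# vendor account without MFA, and bob reading a little at a time.
SAMPLE_LOG = """\
2024-03-04T08:00:00 user=alice device=plc-line3 action=read mfa=yes managed=yes bytes_out=200000
2024-03-04T08:05:00 user=mallory device=plc-line3 action=write mfa=yes managed=yes bytes_out=0
2024-03-04T09:00:00 user=bob device=plc-line3 action=write mfa=yes managed=yes bytes_out=0
2024-03-04T10:00:00 user=vendor-svc device=hmi-line3 action=read mfa=no managed=yes bytes_out=0
2024-03-04T11:00:00 user=bob device=plc-line3 action=read mfa=yes managed=yes bytes_out=8000000
2024-03-04T15:00:00 user=bob device=plc-line3 action=read mfa=yes managed=yes bytes_out=9000000
2024-03-04T19:00:00 user=bob device=plc-line3 action=read mfa=yes managed=yes bytes_out=9500000
2024-03-04T23:00:00 user=bob device=plc-line3 action=read mfa=yes managed=yes bytes_out=9000000
2024-03-05T03:00:00 user=bob device=plc-line3 action=read mfa=yes managed=yes bytes_out=9000000
2024-03-05T07:00:00 user=bob device=plc-line3 action=read mfa=yes managed=yes bytes_out=8000000
"""

if __name__ == "__main__":
    decisions, flagged = evaluate(SAMPLE_LOG)
    for d in decisions:
        print("%-10s %-10s %-6s %s (%s)" % d)
    print("low-and-slow suspects:", flagged)
```

Two design points are worth noting. The grant table is keyed on the action as well as the device, so bob's write to a controller he may only read is refused even though his password and MFA were fine; that is the "prevent outcomes" idea in its smallest form. The detector deliberately ignores requests that were denied, because a denied request moved no data, and it reports the largest single transfer alongside the total so an analyst can see at a glance that no individual event would have tripped a burst alarm.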

Insider attacks are dangerous and spreading fast, especially in industrial settings. Fortunately, a zero-trust posture that assumes compromise, grants access explicitly and limits what any single account can do blunts them regardless of whether the attacker started inside or outside the fence.
