April 20, 2024

Security Sessions
Volume 2 No. 2

by William T. (Tim) Shaw, PhD, CISSP
Keeping the bad guys away from our important stuff... The usual mental and emotional response when someone brings up the subject of security is that this issue is about nebulous "outsiders" attacking and trying to break into our systems or facilities to cause harm. (Think ninjas hacking computer equipment to pieces with their swords!) In the world of security the term "threat agent" is used as a generic description for anyone or anything that can be a threat to security. The folks at the National Institute of Standards and Technology (NIST) define a range of threat agents that might not instinctively come to mind, including natural disasters, weather and even social unrest. (Hmm, I don't recall seeing ninjas on their list.) Floods, earthquakes, tornadoes and civil war are not usually what we think of as threat agents, but we routinely take measures to protect ourselves - and our critical cyber assets - from such faceless threats. This month we'll discuss possible threat sources and how we isolate them. - Tim




Major EMS/SCADA control centers are usually situated well away from flood and earthquake zones (or backup, geographically separated facilities are put in place if that isn’t possible). They are usually housed in structures built to handle weather extremes, and which generally even incorporate basic physical protective measures (like guards and gates) against physical assaults. ‘Threat agents’ can, of course, be actual terrorist organizations, criminal organizations or even mindless malicious software such as worms and viruses. One broad categorization that can be used for defining threat agents is to divide them into either ‘directed’ (intentional) threats or ‘non-directed’ (accidental) threats. As of today at least, no one knows how to send a tornado or an earthquake your way, so if you get hit by one, as terrible as the resulting consequences may be, it is still just an unfortunate accident. When an organization puts a security program together and implements plans to provide the necessary level of protective measures, one of the hardest parts of such an undertaking is to identify the credible threat agents against which the security program needs to implement defenses. Spending time, money and other resources to protect against non-credible threats is simply a waste. But failing to protect against a real, credible threat may leave an opening (a ‘vulnerability’, as it is called in security circles) that can be exploited by that threat agent. So what constitutes a credible threat?

That question cannot be fully answered without knowing the specifics of your situation. Certainly you can provide defenses against the weather and avoid placing your control center on the slopes of an active volcano. But do you really need to worry about someone crashing a bomb-laden truck through your front gates or hacking into your automation systems? To answer that question, several factors must be considered, but the prime consideration is this: What will be the consequences of a successful attack? Accidental threats don’t really care about that: if your system gets infected by generic ‘malware’ (i.e., malicious software such as viruses and worms), that malware doesn’t concern itself with what happens when it disables the computer or device it is infecting.

In other words, whereas a tornado doesn’t care about the type of business you’re in, an intentional, directed, threat agent does. That’s because potential targets of attack – like your plant facilities and automation systems – are more attractive as targets, and may be ‘worthy’ of the necessary time and energy to stage an attack, based purely on the potential outcome of a successful attack. So if you make bricks, and a successful attack on your plant (or its control system) will shut down brick production for a couple of weeks with no one being otherwise harmed, then you are probably not a very attractive target for terrorists or activists. On the other hand, if you are a generating plant that provides base-load power to a large number of customers, then you might well be an attractive target. This is the reasoning behind the NERC stipulations that define a “critical asset” and associated “critical cyber assets.”

If an asset’s loss would cause a major long-duration outage, destabilize the grid or result in a threat to the public welfare, then it (whatever ‘it’ is) may well be a highly attractive target to those who wish to make headlines and/or terrorize the populace in a particular locale or region.

So far I’ve been discussing threat agents as being either intentional (directed) or accidental (non-directed). But there is a further useful differentiation we can make by taking the directed (intentional) threat agents and further dividing them into two additional sub-categories: Internal and External. Most security efforts tend to focus on ‘external’ threats; that is, preventing the ‘outside’ people or organizations that want to do you harm from breaking through your physical and electronic security perimeters. Unfortunately, it’s a sad truth that today we also have to be concerned about ‘internal’ threats: the “evildoer” who is actually one of your own, is angry or disaffected, and is probably already working within your security perimeter.

This person may be upset about a missed promotion, a pay cut, a disagreement with management, or any of many other such real or perceived transgressions. This might not be a direct employee, but rather a contractor or even a hired consultant. The point is that such a person has access to facilities, information, networks and even computer systems that an outsider wouldn’t ordinarily have.

A different motivation for such an insider is greed; that is, being willing to assist an external attacker in exchange for monetary or other compensation. A different but related insider threat is human error. Untrained or improperly trained employees can potentially cause as much damage as an intentional attack, while simply trying to do their job! Thus, the sub-category of insider threat agents has itself two further sub-categories: Intentional and Accidental.

So, what can you do about addressing the insider threat, both the “evil” (intentional) kind and the accidental kind? Naturally, there are some things you can do with technology, such as using key-card access systems and electronic surveillance to monitor personnel traffic in and out of restricted areas. You can also review system logs to monitor user access to networks and computer systems. Or, you can even go to the extent of installing monitoring software in all of the PCs used by your personnel. (Note: Make sure that you provide the legally required warnings about this possibility!) You can also institute physical searches of bags and briefcases and of personnel themselves. The risk, of course, is that treating people as if they are dishonest has been known to be a factor in employees becoming disgruntled. Anyone going through an airport today knows that feeling.
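The log-review measure mentioned above is the one that is easiest to show in code. The following is an added example, not from the column or any product it mentions: it reads a few constructed access-log lines for assumed EMS/SCADA hosts and flags three insider-relevant indicators, namely a successful login to a restricted host by an account that is not on that host's authorization list, a successful login outside the account's normal working hours, and repeated failed logins by one account. The log format, host names, account names, authorization list, business hours and threshold are all assumptions made for the illustration.

```python
"""Review constructed access-log lines for insider-threat indicators.

Added example; the log format ("YYYY-MM-DD HH:MM:SS user host RESULT"),
host and account names, authorization list, business hours and the
failed-login threshold are all assumed for illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2024-04-15 09:12:03 alice ems-hmi-01 SUCCESS
2024-04-15 09:15:44 bob ems-hmi-01 SUCCESS
2024-04-15 23:47:10 bob scada-hist-02 SUCCESS
2024-04-16 02:05:31 carol ems-hmi-01 SUCCESS
2024-04-16 08:30:00 dave scada-hist-02 FAIL
2024-04-16 08:30:20 dave scada-hist-02 FAIL
2024-04-16 08:30:41 dave scada-hist-02 FAIL
2024-04-16 08:31:02 dave scada-hist-02 FAIL
2024-04-16 10:02:17 alice scada-hist-02 SUCCESS
"""

# Assumed authorization list: which accounts may log in to which restricted host.
AUTHORIZED = {
    "ems-hmi-01": {"alice", "bob"},
    "scada-hist-02": {"alice", "bob", "dave"},
}
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59, assumed normal shift window
FAILED_LOGIN_THRESHOLD = 3      # assumed: three or more failures is worth a look


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp."""
    date, time, user, host, result = line.split()
    return {
        "ts": datetime.fromisoformat(f"{date} {time}"),
        "user": user,
        "host": host,
        "result": result,
    }


def parse_log(text):
    """Parse every non-blank line of a log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_indicators(events):
    """Return a list of findings, one dict per indicator raised."""
    findings = []
    failures = Counter()
    for ev in events:
        if ev["result"] == "SUCCESS":
            # A login to a restricted host by an account not on its list.
            if ev["user"] not in AUTHORIZED.get(ev["host"], set()):
                findings.append({"kind": "unauthorized_host", "user": ev["user"],
                                 "host": ev["host"], "when": ev["ts"]})
            # A login outside the assumed business hours, even if authorized.
            if ev["ts"].hour not in BUSINESS_HOURS:
                findings.append({"kind": "off_hours", "user": ev["user"],
                                 "host": ev["host"], "when": ev["ts"]})
        elif ev["result"] == "FAIL":
            failures[(ev["user"], ev["host"])] += 1
    # Repeated failures by one account against one host.
    for (user, host), count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append({"kind": "repeated_failures", "user": user,
                             "host": host, "count": count})
    return findings


def review(text=SAMPLE_LOG):
    """Parse the log and return its findings (convenience wrapper)."""
    return find_indicators(parse_log(text))


if __name__ == "__main__":
    for finding in review():
        print(finding)
```

On the constructed lines this raises four findings: bob's late-night login to the historian, carol's login to an HMI she is not listed for (which is also off-hours), and dave's four failed logins. In practice the authorization list would come from the access-control system and the hours from each person's shift schedule, but the shape of the check, comparing each log event against who is expected to be where and when, is the same.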

What has proven to work well for this issue is the use and enforcement of clear policies regarding acceptable behavior, and making workers aware of the consequences for violating policies. Also, the use of pre-employment background checks (criminal and financial) and drug testing helps in weeding out potentially untrustworthy personnel (including contractors and consultants). Those checks may also need to be repeated periodically, especially for people with the highest levels of physical and electronic access. Well-written and tested procedures also form a viable defense, particularly against that other internal threat sub-category: accidental damage.

The same goes for employee training. Develop good security policies and procedures and conduct effective, regular training to help mitigate human error and the corresponding problems. If employee training includes awareness of insider threats and understanding of security-related company policies, an evil insider will find it more difficult or impossible to launch any serious attack, because co-workers following those policies and procedures will be better equipped to block such insidious efforts. These strategies fall under the category of administrative countermeasures, and there is a range of those that can be applied to the insider threat problem. But we’ll address that dimension in a future session… – Tim

About the Author

William T. “Tim” Shaw (PhD, CISSP) has been active in industrial automation for more than 30 years and is the author of Computer Control of BATCH Processes and CYBERSECURITY for SCADA Systems. Tim has contributed to several other books and is a prolific writer and presenter on a range of technical topics. He is currently a senior security consultant for SecuriCon, an information security solutions firm, based in Alexandria, Virginia. Tim has been directly involved in the development of several DCS and SCADA system products and regularly teaches courses for ISA (International Society of Automation) on various topics. Inquiries or comments about this column may be directed to Tim at Tim@electricenergyonline.com.