National Risk Estimate: Risks to U.S. Critical Infrastructure from Insider Threat
Total Page:16
File Type:pdf, Size:1020Kb
UNCLASSIFIED//FOR OFFICIAL USE ONLY UNCLASSIFIED//FOR OFFICIAL USE ONLY National Risk Estimate: Risks to U.S. Critical Infrastructure from Insider Threat National Protection and Programs Directorate Office of Infrastructure Protection Integrated Analysis Task Force Homeland Infrastructure Threat and Risk Analysis Center December 2013 UNCLASSIFIED//FOR OFFICIAL USE ONLY UNCLASSIFIED//FOR OFFICIAL USE ONLY UNCLASSIFIED//FOR OFFICIAL USE ONLY This page intentionally left blank. i UNCLASSIFIED//FOR OFFICIAL USE ONLY UNCLASSIFIED//FOR OFFICIAL USE ONLY Executive Summary The Department of Homeland Security’s (DHS) Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) produced this National Risk Estimate (NRE) to provide an authoritative, coordinated, risk-informed assessment of the key security issues faced by the Nation’s infrastructure protection community from malicious insiders. DHS used subject matter expert elicitations and tabletop exercises to project the effect of historic trends on risks over the next 3 to 5 years. In addition, DHS used alternative futures analysis to examine possible futures involving insider threats to critical infrastructure over the next 20 years. The results are intended to provide owners and operators a better understanding of the scope of the threat and can inform mitigation plans, policies, and programs, particularly those focused on high-impact attacks. The malicious insider threat is complex and dynamic, and it affects the public and private domains of all 16 critical infrastructure sectors. Owners and operators responsible for protecting our nationally-critical assets must recognize the nuances and breadth of this threat in order to develop appropriate risk-based mitigation strategies. Current Risk Assessment Understanding and mitigating insider threat are complicated by factors such as technological advances, globalization, and outsourcing. These factors increasingly blur the line between traditional insiders and external adversaries such as terrorists, organized crime groups, and foreign nation-states, who may collude with or exploit physical insiders as vectors to do harm to a targeted asset or system. The threat of supply chain sabotage by third-party vendors and contractors was a recurring theme that subject matter experts discussed during the NRE workshops and tabletop exercises. All agreed that the third-party insiders constitute an underestimated threat to U.S. critical infrastructure, particularly when their organizations are foreign-owned or are working under the auspices of foreign intelligence services. The common feature of all malicious insiders is tactical advantage. Sometimes the insiders are organizational vulnerabilities—adversarial force multipliers—who can operate relatively unfettered. Malicious insiders are not only aware of an organization’s vulnerabilities; they also may have purposefully created the very vulnerabilities they intend to exploit. Although the importance of understanding and mitigating the insider threat is clear, two major factors complicate current efforts to assess the likelihood of malicious insider attacks: . The challenge of identifying and predicting the stressors or triggers that can cause a trusted employee to become a malicious actor; and . The lack of detailed and reliable empirical data on insider breaches and attacks that can be shared across the full spectrum of critical infrastructure owners and operators. The available data do not characterize in detail the full scope of insider threat to U.S. critical infrastructure and do little to explain why the United States has not experienced a significant increase in insider attacks, particularly those that could result in high-to-catastrophic consequences. They do, however, provide a starting point from which to create a baseline threat profile that can be used to assess insider threats across the 16 critical infrastructure sectors. ii UNCLASSIFIED//FOR OFFICIAL USE ONLY UNCLASSIFIED//FOR OFFICIAL USE ONLY KEY FINDINGS AND RECOMMENDATIONS The Threat: Malicious Insiders . Access and specialized knowledge give insiders tactical advantages over security efforts. Technological advances, globalization, and outsourcing increasingly blur the line between traditional insiders and external adversaries. Insiders who combine advanced technological understanding with traditional espionage/terrorist skills have a significantly increased asymmetric capability to cause physical damage through cyber means. The Vulnerabilities: Expanding Organizational Security Boundaries . Even sectors with relatively robust preventative programs and guidelines in place face a dynamic and expanding threat that cannot be eliminated altogether. Some organizations are likely underestimating the threat from third-party insiders such as vendors and contractors. Industrial control systems in critical infrastructure are attractive insider targets for remote sabotage in an increasingly networked world. Without credible and sector-specific insider risk information, critical infrastructure owners and operators are likely to underestimate the scope of the malicious insider threat and make insufficient or misdirected investments in security. The Consequences: Asymmetric Impacts . If the goal of malicious insider activity is exploitation rather than destruction of assets, it will be more difficult to detect, potentially resulting in serious cumulative consequences. The impacts of a cyberattack that is designed to cause physical damage to critical infrastructure could be much more severe than those of a conventional cyberattack. Recommendations . The Government and private sector should work to develop comprehensive and scalable insider threat program standards that incorporate long-term employee monitoring policies, including background checks and re-investigations, employee training and termination of access at separation. Effective prevention and mitigation programs must be driven by better understanding the insider’s definition of success against a particular sector. Organizations should establish workforce behavioral and access baselines, including an understanding of hiring, oversight, access, and security policies, in order to identify anomalies. Employees used as a monitoring force may be the best way to identify malicious insiders, and they must have access to recurring training to do so effectively. Public and private organizations must consider how to balance the best risk-based security procedures against the myriad of policy, legal, and employees’ rights issues associated with obtaining and analyzing relevant threat data in the workplace, especially data derived from social media and behavioral monitoring. iii UNCLASSIFIED//FOR OFFICIAL USE ONLY UNCLASSIFIED//FOR OFFICIAL USE ONLY Exploring Alternative Futures In addition to the work done with this NRE, DHS also hosted a one-day workshop specifically to elicit subject matter expert judgment on four alternative futures that could present challenges and opportunities related to malicious insider threats to U.S. critical infrastructure over the next 20 years. The alternative futures are not intended to predict the future but to examine plausible combinations of uncertainties and contributing factors that tell a series of compelling stories about the nature and mitigation of the insider threat. Participants selected two major uncertainties, governance and insider capabilities, as the drivers for the alternative futures related to insider risk to the 16 U.S critical infrastructure sectors. Two of the resulting scenarios, designated Advantage Good Guys (Traditional Insider Capabilities—Effective Governance) and Mission Impossible (Technologically-Enhanced Insider Capabilities—Haphazard Governance), present the most compelling challenges for U.S. critical infrastructure stakeholders in the combination of uncertainties and variables highlighted. In the Advantage Good Guys future, the traditional insider must work hard and risk exposure to identify and target what is not guarded in his or her domain to be successful. Effective governance creates a higher probability of detection, greatly reducing the overall risk of an insider attack. In this world, insider collusion may become an imperative to overcome layered defenses with more physical and cyber threat mitigation controls in place. In the Mission Impossible scenario, the insider is more capable with enhanced tradecraft than ever before, making effective risk management more difficult, if not impossible. A non-standardized culture of governance sets the scene for repeatable and systemic attacks by insiders using technologically enhanced techniques to launch targeted and potentially widespread attacks from one or multiple vectors with minimal risk of attribution. Insiders who have worked their way up the company chain may have played a role in building the haphazard governance and infrastructure they seek to exploit. Outsourcing continually broadens the field of potential adversaries in the U.S. critical infrastructure virtual supply chain. The “high-tech” insiders have a significantly enhanced asymmetric capability to create widespread kinetic impact though cyber means. Perhaps more highly destructive is their ability to conduct widespread cyber exploitation attacks, the effects of which cannot be seen before potentially catastrophic consequences result. Key trends that will affect the future insider threat landscape over the next 20 years include the continued viability of traditional, “low-tech” insider techniques to