the insider threat: when trusted assets go bad

The potential for serious compromise of corporate security is higher than ever before because of increased application deployments and a more complex network infrastructure.

Electric utilities and related industries face a unique set of circumstances. Government and regulatory bodies are increasing efforts to improve oversight of cyber security standards and implementation, while business units are demanding the rollout of additional network-enabled applications in customer and control networks, and wider extranet access and outsourcing relationships.

Protecting critical cyber assets and ensuring compliance with corporate and government requirements have become key issues for IT executives. They cannot risk the potential financial and legal exposure of compromised customer data and system outages that are made possible by high-risk network security breaches.

the threat

Modern utilities are continuing to deploy large-scale Internet protocol (IP)-based networks for corporate and control functions. The risk profile on corporate networks is similar in many industries, where critical customer and financial data must be protected from disclosure, but the addition of control network functions to the IP network introduces a new dimension.

Much of the critical infrastructure on control networks is based around legacy platforms that offer limited security options, and traditional IT security profiles cannot be easily applied in many scenarios. Wireless wide and local area networks, extranets and mobile devices introduce an expanded risk profile, and many organizations find it challenging to cleanly separate and isolate network functions. Control system networks and devices have moved to IP-based communications without the authentication and encryption features commonly demanded by the IT world, and without the experience of many years of robust Transmission Control Protocol (TCP)/IP stacks and applications. Finally, control system vendors used to a relatively static landscape of embedded operating systems have limited experience in reacting quickly to the rapidly changing world of modern security vulnerabilities and exploits.

The most serious threat scenario to modern networks is the technically skilled outsider or insider who violates security for personal gain. This threat has evolved from Internet-based attacks such as website defacements and denial of service, which were often the work of unskilled individuals. The rise of profit-driven cyber crime is the major motivator in many cases, while the involvement of foreign nationals and political motivations raises the specter of network-based attacks against critical national infrastructure.

Unlike the attackers of yesterday, modern intruders are determined to slip “under the radar” of existing security systems in order to achieve their goals. Attacks have grown in sophistication in order to evade detection by existing perimeter firewalls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), and they use novel methods to breach the perimeter, such as targeting mobile users whose devices move in and out of the network. This situation demands a new approach that identifies suspicious and risky behavior on the internal network before security is compromised.

Many employees or partners who support critical assets are “trusted,” and are therefore authenticated and authorized to access those systems. Traditional access control approaches will not contain a trusted user who becomes malicious. In addition, the knowledgeable insider, one who has the technical skills to operate without being exposed, often has the ability to bypass established access controls. For example, an administrator with account creation and management privileges can easily create a new account, or masquerade as another user or administrator, in order to conceal his or her activities.
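The account-creation scenario above is one that access control cannot stop but that activity monitoring can expose: the administrator's creation of the account is itself a logged event, and a new account that is first used within minutes, from the same source address as the administrator who created it, is a strong signal of masquerading. The following added example, which is not code from the article or from GraniteEdge Networks, correlates constructed account-management and logon records to flag exactly that pattern. The log format, the field names (actor, target, src) and the one-hour window are assumptions made for illustration.

```python
"""Correlate account creation with first use to flag administrator masquerading.

Added example, not from the original article. The syslog-like record format,
the field names and the one-hour window are assumptions for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, event type,
# acting account, target account and source IP.
SAMPLE_LOG = """\
2006-05-01T09:00:00 LOGON actor=admin1 target=admin1 src=10.1.1.5
2006-05-01T09:02:10 CREATE actor=admin1 target=svc_backup src=10.1.1.5
2006-05-01T09:02:45 LOGON actor=svc_backup target=svc_backup src=10.1.1.5
2006-05-01T09:30:00 CREATE actor=admin2 target=jsmith src=10.1.2.9
2006-05-02T08:15:00 LOGON actor=jsmith target=jsmith src=10.1.7.22
2006-05-02T11:00:00 LOGON actor=admin2 target=admin2 src=10.1.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>CREATE|LOGON) actor=(?P<actor>\S+) "
    r"target=(?P<target>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the assumed record format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_masquerades(events, window=timedelta(hours=1)):
    """Return (creator, new_account, src, seconds) for every account that was
    created and then first used within `window`, from the same source address
    as the administrator who created it."""
    alerts = []
    for c in (e for e in events if e["event"] == "CREATE"):
        for e in events:
            # Look for the first logon of the newly created account
            # that happened at or after its creation.
            if e["event"] != "LOGON" or e["actor"] != c["target"]:
                continue
            if e["ts"] < c["ts"]:
                continue
            delta = e["ts"] - c["ts"]
            if delta <= window and e["src"] == c["src"]:
                alerts.append(
                    (c["actor"], c["target"], c["src"], int(delta.total_seconds()))
                )
            break  # only the first use after creation is of interest
    return alerts


if __name__ == "__main__":
    for creator, account, src, seconds in find_masquerades(parse_log(SAMPLE_LOG)):
        print(f"{creator} created {account} and it logged on from {src} "
              f"{seconds}s later")
```

In the constructed data, admin1 creates svc_backup and that account logs on 35 seconds later from admin1's own address, which is flagged; jsmith, created by admin2, first logs on the next day from a different address and is not. The same correlation works against real Windows security events (account created, followed by a logon of that account) or Unix auth logs once a parser for that format replaces the regular expression here.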

existing perimeter security approaches

Security solutions designed to defend the network perimeter generally lack the capabilities to protect against internal threats. The nature of the most recent spate of internal security threats is distinct from perimeter threats and must be addressed differently.

Perimeter solutions such as firewalls and Virtual Private Networks (VPNs) are essential to counter many common exploits from Internet-based attackers but are ineffective against the sophisticated attacker who manages to breach the perimeter. The complex architecture of modern networks has effectively erased much of the traditional perimeter security model. Solutions designed to target blatant attacks, where signatures and patterns of abuse are evident, are typically not appropriate for deployment in the core of the network.

Internal networks require specialized defenses to effectively deal with threats against the most valued corporate assets. Because of the essentially flat nature of the modern enterprise network, with millions of network events per day, internal threats can often move undetected between network segments with few obstacles. One of the key requirements for a successful internal network security solution is a rapid and accurate response, with reduced instances of false positives and negatives. Being able to quickly find the source and pinpoint impacted resources is critical in mitigating the impact of any internal network security breach.

the perils of failure

As network-enabled business applications are deployed en masse, the downside of a security failure has become more serious. In addition to existing corporate compliance requirements such as Sarbanes-Oxley, new legislation and industry standards have raised scrutiny to new levels. Strategic planning and a comprehensive security process are essential to reduce corporate liability and retain shareholder value.

A patchwork of state laws is already in effect or contemplated by local legislatures as a reaction to a number of prominent incidents and concerns about identity theft. Recent legislation in California, for instance, mandates that companies doing business in California promptly disclose breaches of personal data to consumers. The financial cost and damage to corporate image involved in such a disclosure has already been clearly demonstrated.

At the federal level, new standards to protect critical infrastructure have emerged. The newly approved NERC Critical Infrastructure Protection (CIP) standards for utility networks comprise compliance requirements that specify acceptable approaches to the design and implementation of a secure network.

Network Behavior Analysis

Gartner, Inc., an independent research company that covers a range of global IT issues, recently identified a new class of technology called Network Behavior Analysis (NBA) as a way to think about solving the challenges in internal network security to protect key assets. As the Gartner report highlights, many security and IT organizations have deployed intrusion detection and prevention systems and firewalls, but network operators often lack strategic insight to address zero-day worms, unauthorized access, and suspicious connections. Operators also lack the necessary information to identify when employees and partners have knowingly or unknowingly compromised corporate network policies. Ultimately, NBA provides network administrators with more insight into suspicious network behaviors, which are often missed by intrusion prevention and perimeter security systems.

Electric and gas utility executives can leverage emerging NBA technology to identify and respond to suspicious activity that is otherwise hard to identify with traditional intrusion detection technology. According to Gartner, by year-end 2007, 25 percent of large enterprises will employ NBA technology as part of their network security strategy. (See sidebar for tips on considering an evaluation of NBA technology.)

An NBA solution can reduce the exposure window in which assets may be compromised from hours or days to minutes, by identifying threats earlier and reacting more rapidly. The ability to visualize threat behavior removes the need for analysts to carry out manual analysis of individual network events, and empowers the security team to initiate mitigation measures swiftly and accurately to minimize potential damage. Security teams can quickly distinguish between true threats and benign network activity, identifying all impacted resources and exposing “patient zero.” Errors and omissions in network policies and configurations are exposed, providing strategic insight into network behavior, and improving overall situational awareness.
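The behavior-based detection described in this section works by first recording how each host normally communicates, then flagging departures from that record rather than matching attack signatures. The following added example, which is not code from the article or from GraniteEdge Networks and does not represent any vendor's algorithm, shows the idea on constructed NetFlow-style records: a baseline of the (destination, port) pairs each host normally talks to, a detector that flags a host contacting several never-seen destinations within one interval (the fan-out pattern of a scanning worm or an insider sweeping a segment), and a triage step that names "patient zero" and the impacted resources. The record format, the five-minute interval and the threshold of three new destinations are assumptions.

```python
"""Baseline-and-deviation analysis over NetFlow-style records.

Added example, not from the original article and not a vendor's algorithm.
Record format, bucket size and threshold are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

BUCKET_MIN = 5          # assumed aggregation interval, in minutes
NEW_DST_THRESHOLD = 3   # assumed: this many never-seen destinations in one bucket

# Constructed flow records (not real traffic): "timestamp src dst dport".
# Day 1 is the learning period: three workstations talk to a file server,
# a web server and a DNS server.
BASELINE_FLOWS = """\
2006-05-01T09:00:00 10.0.1.10 10.0.5.5 445
2006-05-01T09:00:05 10.0.1.10 10.0.5.6 80
2006-05-01T09:01:00 10.0.1.10 10.0.5.7 53
2006-05-01T09:00:10 10.0.1.11 10.0.5.5 445
2006-05-01T09:02:00 10.0.1.11 10.0.5.7 53
2006-05-01T09:03:00 10.0.1.12 10.0.5.5 445
2006-05-01T09:03:30 10.0.1.12 10.0.5.6 80
"""

# Day 2: 10.0.1.10 sweeps its neighbours on port 445, then 10.0.1.11 (one of
# the hosts it reached) starts doing the same; 10.0.1.12 behaves normally,
# apart from one new HTTPS destination.
LIVE_FLOWS = """\
2006-05-02T10:00:00 10.0.1.12 10.0.5.5 445
2006-05-02T10:00:01 10.0.1.10 10.0.1.11 445
2006-05-02T10:00:02 10.0.1.10 10.0.1.12 445
2006-05-02T10:00:03 10.0.1.10 10.0.1.13 445
2006-05-02T10:00:04 10.0.1.10 10.0.1.14 445
2006-05-02T10:00:05 10.0.1.10 10.0.1.15 445
2006-05-02T10:03:00 10.0.1.11 10.0.1.20 445
2006-05-02T10:03:01 10.0.1.11 10.0.1.21 445
2006-05-02T10:03:02 10.0.1.11 10.0.1.22 445
2006-05-02T10:03:03 10.0.1.11 10.0.1.23 445
2006-05-02T10:04:00 10.0.1.12 10.0.5.6 80
2006-05-02T10:07:00 10.0.1.12 10.0.9.9 443
"""


def parse_flows(text):
    """Parse the assumed record format into (ts, src, dst, dport) sorted by time."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore lines that do not match the assumed format
        ts, src, dst, dport = parts
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    flows.sort()
    return flows


def build_baseline(flows):
    """Per source host, the set of (dst, dport) pairs seen during learning."""
    baseline = defaultdict(set)
    for _, src, dst, dport in flows:
        baseline[src].add((dst, dport))
    return baseline


def bucket_of(ts):
    """Truncate a timestamp to the start of its BUCKET_MIN-minute interval."""
    return ts.replace(minute=(ts.minute // BUCKET_MIN) * BUCKET_MIN,
                      second=0, microsecond=0)


def detect(baseline, flows, threshold=NEW_DST_THRESHOLD):
    """Flag hosts that reach >= threshold never-seen destinations on one port
    within one bucket. Returns (first_seen, src, dport, [dsts]) sorted by time."""
    new_in_bucket = {}  # (bucket, src, dport) -> [first_seen, {dst, ...}]
    for ts, src, dst, dport in flows:
        if (dst, dport) in baseline.get(src, set()):
            continue  # within the learned profile for this host
        entry = new_in_bucket.setdefault((bucket_of(ts), src, dport), [ts, set()])
        entry[1].add(dst)
    alerts = [(first_seen, src, dport, sorted(dsts))
              for (_, src, dport), (first_seen, dsts) in new_in_bucket.items()
              if len(dsts) >= threshold]
    alerts.sort()
    return alerts


def triage(alerts):
    """Patient zero is the earliest flagged host; impacted resources are all
    destinations reached by flagged hosts while they were misbehaving."""
    if not alerts:
        return None, set()
    impacted = set()
    for _, _, _, dsts in alerts:
        impacted.update(dsts)
    return alerts[0][1], impacted


if __name__ == "__main__":
    profile = build_baseline(parse_flows(BASELINE_FLOWS))
    found = detect(profile, parse_flows(LIVE_FLOWS))
    for first_seen, src, dport, dsts in found:
        print(f"{first_seen} {src} -> {len(dsts)} new hosts on port {dport}")
    patient_zero, impacted = triage(found)
    print("patient zero:", patient_zero, "impacted:", sorted(impacted))
```

On the constructed data the detector flags 10.0.1.10 first and 10.0.1.11 second, names 10.0.1.10 as patient zero, and lists the nine hosts they swept as impacted, while 10.0.1.12's single new HTTPS destination stays below the threshold and is treated as benign. A production system would learn the baseline over days rather than one morning, weight destinations by asset value, and rebuild the profile as the network changes, but the sequence of learn, compare and triage is the same.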

Utility executives face a unique set of IT security challenges. The current crop of IT security threats are enough to keep most security professionals in all industries fully engaged. The additional threat to utilities posed by poorly secured control networks, and the potential motivations of attackers, require additional scrutiny and the evaluation of technologies that can provide cost-effective protection of critical assets.

Dr. Ross Ortega is the president and co-founder of GraniteEdge Networks. The Bellevue, Wash.-based company received the Frost & Sullivan 2005 Award for Entrepreneurial Company in the Security Event Correlation Market.

Here are tips for electric utility executives who want to review their security posture and consider an evaluation of NBA technology:

- The best security practice is “Defense in Depth,” which uses relative asset and risk value to drive the level of defense required on the internal network. Evaluate how many levels of defense are deployed on your corporate and control networks, especially around critical assets.

- Many security incident response plans are predicated on identifying known attacks, relying on vendor-provided signatures. Review the security response plan to see what the impact of a “zero-day” exploit would be on your security team’s ability to respond to an attack on both corporate and control networks.

- A successful perimeter security breach is likely in most networks. Take the security team through an exercise in which they model a set of potential breaches across your network infrastructure and identify which currently deployed technologies would assist them in identifying and mitigating a breach on the internal network.

- Trial NBA technology on a critical network segment in order to baseline the internal security environment. Evaluate how the security team could leverage an NBA system to monitor network security and ensure the enforcement of network traffic policies. Expand the security incident response plan to leverage the NBA to quickly expose and respond to incidents in order to prevent or minimize damage.
