On Thursday, October 14th the Cybersecurity and Infrastructure Security Agency (CISA), along with the Environmental Protection Agency (EPA), the National Security Agency (NSA) and the FBI issued a joint advisory warning that threat groups are targeting United States drinking water and wastewater infrastructure operations via vulnerabilities in hardware and software.
According to a report in ExecutiveGov on Monday, October 18th, CISA was quoted as saying ‘malicious cyber threats to information and operational technology networks, systems and devices could affect the sector’s potable water delivery and wastewater management efforts.’ The joint advisory states that ‘cybercriminals are spear-phishing personnel, exploiting unsupported and outdated operating systems and software, and capitalizing on control system devices with vulnerable firmware in an attempt to compromise facilities.’
This warning comes just a few weeks after the CISA released its Insider Risk Mitigation Self-Assessment Tool intended to assist owners and operators of public and private organizations, especially small and mid-sized ones who may not have in-house security departments, to gauge their vulnerability to an insider threat incident.
Not surprisingly, the joint CISA, EPA, NSA and FBI advisory listed five insider threat incidents that occurred within the water industry between March 2019 and August 2021. The reported events were sector-specific intrusions that leveraged improperly managed employee credentials and exploited that access to launch ransomware attacks.
To defend against such threats, the agency and its federal partners recommended that operators conduct monitoring and adopt various mitigation practices related to remote access, networks, safety systems, and planning and operational processes.
The Insider Risk Mitigation Self-Assessment Tool is a downloadable PDF that helps executives and IT teams evaluate their existing enterprise systems and readiness, focusing on key areas such as Program Management, Personnel and Training, and Data Collection and Analysis. The interactive PDF allows users to generate a report that scores their organization’s risk posture and evaluates their immunity to insider threat incidents.
While I applaud CISA for developing this tool and helping organizations educate themselves and score their internal risk mitigation readiness, the tool in some ways presumes an ability to consume and operationalize the findings that the intended ‘small and mid-sized organizations who may not have in-house security departments’ do not possess. Likewise, it is short on tactical recommendations in certain areas where the inclusion of an insider threat program can significantly improve an organization’s ability to mitigate insider risk.
Let’s explore Program Management as an example. Proper screening, onboarding and separation handling is absolutely a critical component of the insider threat program process that can make initiatives more effective. And this is exactly the reason that those responsible for monitoring and investigating insider threats must be part of any new employee screening process. InT teams and practitioners see things from a different perspective, and when incorporated into the hiring process (directly or indirectly) alongside the hiring manager, soon-to-be peers and HR, they can provide valuable questions to ask candidates as part of the interview process and inform the business about potential risks related to the candidate’s online activities.
Onboarding is similar. New employees are pulled and thrown in a million different directions, and the last thing they are concerned with is risk to the business. Every organization should make internal risk, proper data handling and acceptable company asset usage policies part of onboarding, to ensure employees understand the potential negative impact, to themselves and to the business, that certain behaviors can have.
Organizations consistently struggle to separate individuals from the business. Separation often means extended access to the corporate device assigned to the individual, let alone file shares, data repositories, HR systems and more. This access gives individuals time to persist within the business, and such prolonged access has been shown to lead to consistent policy breaches, data loss and more.
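One practical way for a small team to catch the separation gap described above is a periodic reconciliation of the HR termination feed against an export from the identity directory: any account whose owner has left but which is still enabled, still a member of access groups, or has logged on after the termination date is an offboarding failure to work. The check below is an added example written for this post, not code from CISA or the tool; the record layouts, the one-day grace period and the sample data are all constructed assumptions.

```python
"""Separation reconciliation check (added example, constructed data).

Compares an HR termination list against a directory export and flags accounts
whose access outlived the employee. Record layouts are assumptions; a real run
would load them from the HR system and directory (e.g. a CSV export).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    termination_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class DirectoryAccount:
    user_id: str
    enabled: bool
    last_logon: Optional[date]        # None means never logged on
    groups: Tuple[str, ...] = ()      # access groups / shares still granted


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str


def find_lingering_access(hr: List[HrRecord], accounts: List[DirectoryAccount],
                          as_of: date, grace_days: int = 1) -> List[Finding]:
    """Return one Finding per offboarding gap visible in the directory export.

    An account is checked once its owner's termination date plus a short grace
    period (time for the offboarding ticket to complete) has passed. Accounts
    with no HR record at all are reported as orphans if they are enabled.
    """
    terminated = {r.user_id: r.termination_date for r in hr if r.termination_date}
    known = {r.user_id for r in hr}
    findings: List[Finding] = []

    for acct in accounts:
        if acct.user_id not in known:
            if acct.enabled:
                findings.append(Finding(acct.user_id, "enabled account with no HR record"))
            continue
        term = terminated.get(acct.user_id)
        if term is None or as_of < term + timedelta(days=grace_days):
            continue  # still employed, or still inside the grace window
        if acct.enabled:
            findings.append(Finding(acct.user_id, "account still enabled"))
        if acct.groups:
            findings.append(Finding(acct.user_id,
                                    "still a member of: " + ", ".join(acct.groups)))
        if acct.last_logon is not None and acct.last_logon > term:
            findings.append(Finding(acct.user_id,
                                    f"logon on {acct.last_logon} after termination on {term}"))
    return findings


# Constructed sample feeds: one current employee, three leavers in different
# states of offboarding, one leaver inside the grace window, one orphan account.
SAMPLE_HR = [
    HrRecord("alice", None),
    HrRecord("bob", date(2021, 8, 2)),    # left, nothing revoked
    HrRecord("carol", date(2021, 8, 10)), # left, fully offboarded
    HrRecord("dave", date(2021, 7, 1)),   # disabled but group membership remains
    HrRecord("frank", date(2021, 8, 12)), # left today, ticket still open
]
SAMPLE_ACCOUNTS = [
    DirectoryAccount("alice", True, date(2021, 8, 11), ("finance-share",)),
    DirectoryAccount("bob", True, date(2021, 8, 5), ("finance-share", "vpn-users")),
    DirectoryAccount("carol", False, date(2021, 8, 9)),
    DirectoryAccount("dave", False, None, ("vpn-users",)),
    DirectoryAccount("frank", True, date(2021, 8, 12), ("hr-systems",)),
    DirectoryAccount("eve", True, date(2021, 8, 1)),   # no HR record at all
]
AS_OF = date(2021, 8, 12)


def sample_run() -> List[Finding]:
    """Run the check over the constructed sample data."""
    return find_lingering_access(SAMPLE_HR, SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in sample_run():
        print(f"{f.user_id}: {f.issue}")
```

In the sample run, bob produces three findings (enabled, still in two groups, logged on three days after leaving), dave one (group membership left behind on a disabled account), eve one (an enabled account HR knows nothing about), while carol is clean and frank is skipped because his separation is still inside the grace window. The grace period is the one knob to tune: long enough that the normal offboarding ticket completes, short enough that a missed revocation is noticed within days rather than months.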
To be clear, the CISA’s Insider Risk Mitigation Self-Assessment Tool is something every organization should review and utilize to strengthen their resilience to insider threats… malicious, negligent or born from trusted insiders who have been unknowingly compromised. It will undoubtedly improve every organization’s risk posture.
So too will the inclusion of insider risk and IT practitioners in the fundamental processes of hiring, onboarding, evaluation and separation of employees. Many organizations rate partners for security risk before welcoming them into their supply chain and ecosystem; why should employees be any different? And who better to evaluate that risk than those trained to identify the behaviors, activities and patterns that lead to those risks becoming breaches?
In our next blog, we will explore the CISA Insider Risk Mitigation Self-Assessment Tool’s recommendations on data collection and analysis, and the importance of an insider risk management (IRM) program being organization-wide.