It seems that nearly every week a headline appears related to an attempt to sabotage an industrial control system, nuclear power plant, bank, hospital, social media site — the list goes on and on. Almost all the post-event analyses focus on how the attackers got into the network from the outside, usually with the help of malware. Very little analysis is focused on how an attacker would accomplish industrial sabotage from within the environment.
A single insider or a group of insiders could easily accomplish their goal of sabotaging industrial systems or exposing sensitive information to outsiders. It starts by establishing a network of confidants or informants, fragmenting the environment at a project or program level, establishing themselves as a critical resource and then slowly but surely achieving complete control over the environment.
Most countries are familiar with the term “industrial espionage” and the concept of the insider threat in one form or another. Whether it’s the spy who gets caught, the malware that quietly slinks through the corporate network collecting information and then parsing it out to the highest bidder, or the software backdoor that renders a control system useless, insider threats are nothing new. However, the insider threat landscape is changing. Threats are taking on new forms and evolving faster than most industries can keep up.
One aspect of the insider threat landscape that is often overlooked, if not flatly ignored, is the instance in which the insider threat infiltrates an environment, establishes itself and then expands to gain greater control over the environment. This type of insider threat should be considered highly sophisticated, adaptable and intelligent. The primary goal of the individuals conducting these operations is usually that of economic, social or political gain at either the group or individual level.
A Brief Word About Game Theory
One of the most-studied topics in the fields of economics and political science is game theory. A full scholarly explanation of game theory can easily fill several novels and take up an entire year of collegiate course work, but to explain it in a single paragraph, it helps to borrow one of the simpler principles from economics.
The simple economic principle behind game theory states that whenever natural resources are scarce or finite, two interested parties will compete in one of four ways for use of that resource, like so:
- Party A will cooperate with party B (i.e., the two will share the resource);
- Party A will defect while party B cooperates (i.e., party A will attempt to control the resource);
- Party A will cooperate while party B defects (i.e., party B will attempt to control the resource);
- Both party A and party B will defect (i.e., they will both attempt to take the resource and maintain control over it).
If the concept of an insider threat were put into game theory terms, one could see how a company could play the role of party A and the insider threat could play the role of party B and vice versa. Most research indicates that a threat will usually identify a target environment, embed itself and then build upon itself to accomplish its end goal — which is either power, profit, public embarrassment, industrial sabotage or some combination of the four.
The basic principles of game theory could be applied to understand how an insider threat could establish itself within a company and then expand upon even its most minuscule and seemingly useless accomplishments to become a far more malevolent threat. For the purposes of explaining how this could occur, it helps to consider the term insider threat as any employee, contingent worker, group of employees, consulting firm, group of consultants, union worker, vendor or business partner, but this is of course not an exhaustive list.
Methods an Insider Threat Could Employ
Phase One: Establishing a Presence
The insider threat starts by establishing a presence in the environment. If the insider threat were able to gain control over more than half of the active projects within a given environment, it could easily put itself in a position to maximize profit while sending the company into debt and even damaging its reputation with shareholders and investors.
Here are a few areas that could be affected by the insider threat:
- The overall cost and timeline of a project;
- Budget shortfalls and cost overruns hidden through creative shell gaming and overbilling;
- Employment of the buddy system to price out competitors;
- Embedding more malicious insiders in a variety of positions throughout the corporate environment;
- Bypassing corporate procedures for onboarding new individuals, which could include skipping routine background checks and security screenings;
- Ignoring security policies, standards and governance for projects;
- Ignoring the input of other employees or consultants, including those deemed too competitive, even though those individuals may offer the best solution to a problem; and
- Passing off the responsibility of problem ownership to the company.
If this phase is successful, the insider threat could expand its power and control within the environment without arousing too much suspicion. In keeping with the principles of game theory, the insider threat would move into the next phase.
Phase Two: Entering the Environment
The insider threat then gains control of a single program within a corporate environment. If that is a high-visibility program tied to a company’s annual performance, executive compensation or stock price, an insider threat could:
- Affect the direction the company takes with regard to short- and long-term goals of growth and business strategy;
- Impact the analyses and measures used to determine whether programs deliver real value or are on track in terms of timelines and deliverables;
- Establish factions or allegiances within a company;
- Make it extremely difficult, if not impossible, to reorganize the company without substantial damage to the corporate reporting structure and daily working cadence;
- Withhold key details of any bidding process to block competitors from answering requests for proposals or statements of work;
- Employ a multitude of back avenues to go around well-defined and documented business processes; and
- Align with personnel whom the consultancy feels are gullible, easily duped or unethical, or who can simply be bribed with money or power.
Phase Three: Gaining Control
After accomplishing phase two, the insider threat moves to gain control over more than half of the positions within a corporate environment; it could be less, depending on the industry and company. Should that occur, the threat could:
- Tear down and destroy long-standing working relationships with vendors, investors, other consulting firms, employees and contractors;
- Exfiltrate massive amounts of corporate data to external sources;
- Sell corporate information and data that can affect company stock, the outcome of shareholder meetings and annual reports regarding operating expenses and profits;
- Blackmail employees and consultants via social engineering, coercion, bribery, threats, harassment and intimidation tactics to gain access to insider information; and
- Engineer an industrial sabotage operation, one that would be virtually impossible to detect or stop, to steal intellectual property.
If an insider threat is allowed to reach this level of control within a company, the damage done would be exceedingly difficult if not impossible to reverse. It would also likely result in one or more data breaches, all but assuring the organization becomes a public spectacle.
Countermeasures to Mitigate Risk
To mitigate the risk of an insider threat establishing and maintaining majority control over projects, the project management office within a company should establish well-defined processes and cost accounting methods tied to timelines and resources. Personnel should be required to use standard project management software — not an amalgam of text files, hand-scribbled notes, emails, documents and spreadsheets.
Personnel should also be required to understand resource leveling and how to calculate timelines in the correct manner. The project management office should be sourcing project resources, documenting and reviewing architectural diagrams, ordering infrastructure, configuring services and designing and building software. Anyone working on the project should be required to change job roles on an annual or biannual basis or rotate to another project entirely.
To mitigate the risk of an insider threat establishing and maintaining majority control over programs, the program management office within a company should establish thorough processes for beginning and ending projects. It also needs to vet potential vendors, consulting firms, independent contractors and subcontractors.
The office should have all business processes, policies and procedures clearly articulated and precisely defined before anything is initiated — not during the project or after it is complete.
The Corporate Environment
To mitigate the risk of an insider threat establishing and maintaining majority control over the corporate environment, senior leadership and executives should have strict controls and procedures in place to measure the performance of all divisions, projects and programs as well as the personnel within those areas.
Executive leadership should have visibility into all major programs that could affect their position within the global or domestic marketplace, or with consumers of their products and technology. Poor decision-making and project management have a trickle-down effect: They will usually have a greater impact on consumers than on internal personnel.
Beyond the social aspects, executive leadership should have visibility into all information security projects at a detailed level. Information security needs to be one of the first lines of defense against insider threats.