Panel: The Attacker Among Us: Insider Threats Within the Energy Sector

Moderator: Dr. William (Bill) Claycomb, CERT Insider Threat Center- Carnegie Mellon University

Panelists: (listed alphabetically)

• Dr. Nader Mehravari, Cyber Security Solutions, Software Engineering Institute

• Dr. Shawn Taylor, Sandia National Laboratories

• Mr. Randy Trzeciak, CERT Insider Threat Center - Carnegie Mellon University

Abstract:

Imagine a thriving oil exploration company - business is booming and investors are happy. The company plans to expand its sales and IT workforce to increase business and improve information security. But before permanent hires can be made, the company hires a temporary consultant to assist in maintaining and securing SCADA systems used to detect pipeline leaks on offshore platforms.

Initially, the partnership between the organization and the temporary employee seems strong. As the temporary employee’s contract nears completion, he requests permanent employment; unfortunately, his request is denied. Feeling betrayed by the company he developed emotional bond with, and disappointed to miss out on the benefits of working for a thriving organization, the temporary employee becomes disgruntled. Even worse, he feels the need to strike back at the company, to right the wrong… to seek revenge.

Knowing that his authorized access to IT systems is nearing an end, he surreptitiously creates an admin account for remote access after he leaves the company. Then, for two months following termination, he plants malicious programs that disrupt communication with the company’s SCADA systems. Fortunately, no actual leaks occur during the attack, but his actions could have resulted in devastating consequences, such as loss of human life, environmental disaster, and huge financial impact.

Preventing similar attacks with potential global impacts on human life, the environment, and business is of paramount importance to cybersecurity professionals charged with protecting the cyber-physical systems of critical infrastructure. In this panel, we will discuss defending critical infrastructure components from a wide range of operational risks, with a specific focus on insider threats (both malicious and accidental), their goals (kinetic damage, IT damage, terrorism, etc.), and their motivations (financial gain, industrial espionage, revenge, etc.). The panelists will describe unique aspects of each threat with specific incident examples, with the goal of enabling future detection and prevention of similar attacks. In addition, we will discuss developing specific recommendations for the energy industry based on the expertise and experience of our panelists.

Topics include the current state of cybersecurity in critical infrastructure, the similarities and differences between attacks in the energy industry compared to other industries, requirements for performing background checks and hiring of employees, the likelihood of companies becoming victims of insider threat via sabotage, fraud, and theft of intellectual property. We will consider both intentional and unintentional threats, and will conclude with a discussion of current and emerging best practices to mitigate attacks of this kind.