In this blog, a Fivecast Tradecraft Advisor discusses the risks to critical infrastructure caused by insider threats – and how open-source intelligence can provide proactive and preventative measures to identify and mitigate threats.
Critical Infrastructure – New Risks and Obligations
Managing critical infrastructure risk is a highly complex and dynamic problem. Never have malicious actors been able to project destructive capability and ideology through technology as they can now. To protect against this, governments and industry bodies are developing approaches and legislation to ensure critical infrastructure risk management is rigorous and transparent. For example, the Australian Government recently amended the Security of Critical Infrastructure Act 2018 (SOCI Act) to require owners and operators of critical infrastructure assets to meet mandatory baseline security standards by 17 August 2023 as outlined in The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023.
Insider threat magnifies the risk faced by critical infrastructure providers. Insider threats may be deliberate and malicious, or unintentional: individuals who expose their organisation to risk through their own security breaches or their own susceptibility to manipulation. The consequences range from IP or data theft, and reputational and financial loss, up to physical threats to personnel and facilities. Unlike more traditional attackers, insiders already have access to, and familiarity with, the existing security processes and protocols. They may also have relationships that allow them to exploit trust and break rules that would stop an outsider. A single poor decision or malicious act performed by an insider can have extreme consequences for the organisation and those who depend on it.
Insider threats come not just from an organisation’s personnel but also from those trusted with specific access. For example, in the private sector, business partners, contractors and vendors that form part of your supply chain can become insider threats.
Critical Infrastructure Risk Management Principles
As always, prevention is better than cure. The ability to identify concerning risk indicators and trends before an incident occurs is critical. The damage wrought by breaches and other incidents is typically disproportionate and may not be salvageable.
As we see in the modern age, an insider threat incident could trigger a loss of public confidence, or of inherent capability, from which a company may never recover, particularly when that company is charged with protecting publicly listed critical infrastructure.
While prevention is not always possible, risk management measures should be in place to minimise the harm of an incident where possible. That is where greater awareness of your environment, and of your employees' environment, is incredibly important.
For detecting insider threats, one of the central difficulties is the balancing act between trust and security. Employees have a legitimate need for access, and it is often in the organisational interest to streamline processes and ensure there are as few barriers to performing efficient business as possible. This includes access to IT systems, sensitive data and physical locations. How do you ensure employees have the access they need while also limiting the risk of malicious or unthinking actions? Malicious insiders, moreover, can hide their intent while carrying out actions that ultimately harm the organisation, and in doing so they may exploit trust and existing relationships with other employees.
Value of OSINT (Open-Source Intelligence) in Insider Threat Risk Mitigation
In numerous insider incidents, from data breaches to physical attacks, the threat was accompanied by a number of useful, yet often overlooked, indicators. Organisations, including governments, are often criticised for missing indicators that were publicly available. This is why the Security of Critical Infrastructure Rules (January 2023) stress the importance of background checks and note that personnel hazards can include a worker's actions that cause damage through malice or negligence.
As such, open-source intelligence should be a tool of first resort, not last: a preventative measure rather than a response after the damage is done. By using the advanced OSINT capabilities of Fivecast ONYX, organisations gain a powerful, automated ability to search and analyse open-source information at scale. The solution's advanced data collection and AI-enabled risk analytics allow for a very targeted analysis that focuses on potential risks to the organisation. By leveraging powerful AI and analytics, we can help organisations deal with these hugely complex digital challenges.