The rising adoption of digital processes in manufacturing has fundamentally changed how this sector does business. The increased reliance on digitization and network connectivity has sharpened the risks of company data exfiltration, intellectual property loss, and more, especially those stemming from insiders. Insider threat actors operate from a position of trust that allows them to circumvent security controls and evade detection for months, if not years.
Manufacturing ranks among the top five industries with the highest reported insider breaches and privilege misuse. In Verizon’s Data Breach Investigations Report, nearly 40% of the cybersecurity incidents in manufacturing were attributed to insiders, including partners and third-party vendors. The same report attributed 57% of database breaches to an insider within the organization.
According to a CISA report, the manufacturing sector reported the highest number of insider attacks among companies in the critical infrastructure sectors. These incidents can be perpetrated by employees of all ranks, contractors, third-party vendors, and partners, and they cause severe damage to businesses of all sizes. The 2020 Cost of Insider Threats report published by IBM Security estimates that the average annual cost of insider incidents rose 31% over the previous two years to $11.45 million in 2020, while the number of insider incidents climbed 47% over the same period.
Insider security breaches in manufacturing are a present reality, and companies need to safeguard themselves against them. This article looks at the dynamics and challenges behind the rise of insider incidents in manufacturing and at ways to mitigate them.
Protecting intellectual property
In the manufacturing industry, intellectual property (IP) plays a pivotal role in a company’s success. IP in manufacturing includes product design information, competitive features and functionality, cost analysis, and other trade secrets. The main challenge with manufacturing IP is that many entities must access it to create a product. As manufacturers compete globally, they rely on a large industrial ecosystem: a complex mix of technologies, industrial control systems (ICS), proprietary manufacturing processes, subcontractors, and supply chain partners. In addition to employees, all of these ecosystem entities access the manufacturer’s IP to some extent. IP theft is one of the top cyber threats facing manufacturers today and their leading data protection concern, with 90% of data breaches in the manufacturing industry involving IP.
The IP of a manufacturing company has multiple facets, including R&D, engineering, and manufacturing operations. Manufacturing operations often take place at overseas locations, frequently with limited oversight of who is accessing your IP and what they are doing with it. Today, more insiders can access your IP remotely from many locations and act on it while evading detection. Insider threat actors with malicious intent and loyalties not aligned with the organization can inappropriately access, copy, share, or print IP while bypassing audit trails. A breakthrough innovation an insider has access to can be worth millions when handed to a competitor.
A case study of insider IP theft
A senior research scientist employed by a chemical manufacturing company had access to all aspects of a project dealing with chemicals used to produce a new electronic component. After announcing his resignation and before leaving the company, he emailed a document detailing the proprietary chemical procedure to a personal email account. He also downloaded more than 500 documents from his laptop to an external storage device. The victim organization had policies requiring approval for data transfers, which the insider circumvented by providing false justification to the IT department. However, the victim organization also had procedures to review and approve any transfer of information from company computers and to track an insider’s behavioral indicators and suspicious activities. It reviewed download activity regularly and performed a forensic examination of the insider’s computer, a standard practice for employees leaving or transferring. These reporting and monitoring controls allowed the victim organization to detect the researcher’s repeated suspicious attempts to transfer data to its foreign branch and to confront him about downloading confidential documents. Further investigation found that he had copied the documents to his personal computer, with evidence that he had transferred information to his personal online email account. The victim organization detected and investigated the incident before the information could be shared with the beneficiary organization.
This real-world example underscores how exposed valuable and sensitive IP is to insiders in manufacturing organizations, and the importance of constant vigilance to prevent these threats.
Another aspect of this problem is that not all insiders expose IP intentionally. Even employees with no wrongful intent can be the target of external attackers and unknowingly reveal IP. In manufacturing, the problem is heightened because many parts of the factory workforce have not been sufficiently trained in cyber security. A common attack vector is social engineering. In the November 2021 Robinhood breach, a phone call to a customer support representative resulted in a massive data leak. Modern threat actors combine extensive reconnaissance with social engineering to trick benign insiders into revealing access credentials (username and password), which are then used to reach and exfiltrate valuable IP.
Impact of physical security breaches
Increased digitization in manufacturing plants has thinned the line between physical and cyber security. Manufacturing equipment is increasingly network-connected, so cyber security in manufacturing is now intricately intertwined with physical security. A gap on one side leaves the other exposed. For example, unauthorized physical access to a gas turbine can allow a threat actor to tamper with the equipment’s settings and drive it into a failure state, and the consequent failures can spread laterally across other interconnected systems. The infamous Stuxnet malware, which affected 14 industrial sites including a uranium-enrichment plant, made its initial inroads via a USB stick, which crosses an air gap only when someone physically carries it in. The worm was signed with stolen, legitimate code-signing certificates to evade automated detection and then proliferated over the enterprise LAN, infecting other systems on the network.
The predominant role of physical systems in manufacturing makes physical security central to your insider security program. Failures in physical security put all other security investments at risk: even when data is protected digitally through encryption, access control, and similar measures, unauthorized physical access can bypass those controls. Insiders with physical access to mission-critical units in a nuclear plant can create havoc by tampering with temperature sensors, pressure sensors, and more. Access to surveillance video and monitoring systems lets an insider delete recordings, erasing evidence of the crime. In factories, an employee could also trigger a false alarm to occupy security personnel while the crime is carried out.
One of the key findings of a major study of cyber insider threats across critical infrastructure sectors by the U.S. Secret Service and CERT was:
“Insiders who sabotage or exploit information systems don’t just snap. Before major incidents, they follow a pathway of planning and research. They engage in troubling behavior that is observable – online and in-person – and that alarms co-workers and friends. In some cases, they tell others explicitly about the malicious insider activity they are planning. This finding illustrates that information about potential insider threats may be known to physical security personnel or cyber security personnel, or both before harm occurs. Thus, underscoring the need for these departments to share information to prevent insider sabotage.”
The study further emphasized the close connection between physical and cyber security, especially regarding concerns about current and former employees. According to behavioral threat assessment, employees engaging in odd or suspicious activity online often exhibit alarming in-person behavior as well, in the office, on conference calls, and elsewhere. Without close communication between the physical security and cyber security teams, you can miss the opportunity to connect the dots by sharing information and identifying growing concerns.
To prevent both deliberate and unintentional physical compromise, manufacturers should enforce policies governing how employees handle company data, how equipment is decommissioned, and how workstations are secured.
Real-world insider incidents in manufacturing
Manufacturing is one of the top industries affected by insider threats, with many real-world examples. Two recent ones are covered here.
Data Exfiltration over eight years
In July 2020, the FBI released the details of an insider data theft by a General Electric (GE) engineer who stole valuable proprietary data and trade secrets over eight years while evading detection. The engineer exfiltrated over 8,000 sensitive files from GE’s systems. The reported motive was to gain a professional advantage in starting a rival company.
According to the FBI investigation, the engineer exploited his position of trust as an insider to persuade an IT administrator to grant him access to sensitive files containing commercially sensitive calculations, which he then emailed to a co-conspirator.
Lesson learned: IT personnel must be trained to enforce least privilege and to route access exceptions through a documented approval process rather than granting them on request; an administrator’s goodwill is not an access control. Augment that with monitoring of employee workstations and email accounts for suspicious activity, such as sensitive files leaving the company as attachments.
Scheme to inject malware into a computer network
In September 2020, a federal grand jury in the District of Nevada charged a foreign national with conspiracy to intentionally cause damage to a protected computer, in a scheme targeting Tesla’s Nevada Gigafactory. The alleged threat actor and his associates reportedly offered a Tesla employee $1 million to “transmit malware” onto Tesla’s network via email or USB drive in order to “exfiltrate data from the network.” The employee reported the approach, and the scheme was stopped before any malware was introduced. In an earlier insider incident at Tesla, CEO Elon Musk emailed all Tesla staff to report that one of the company’s employees had “conducted quite extensive and damaging sabotage to [Tesla’s] operations.”
Lesson learned: This highlights the interdisciplinary nature of insider threat mitigation. Companies must recruit carefully, with thorough background checks; maintain an adequate level of physical security, including control of removable media; monitor employee behavior; and give employees a clear, trusted channel for reporting approaches like this one.
Tips to mitigate insider threats
Timely detection of and response to insider threats is a great challenge for organizations. To mitigate these threats, at a minimum, organizations need a program that identifies anomalous individual behavior early enough to act, and the resources to respond. Technology solutions for insider threats can help you achieve both.
Verizon’s Insider Threat report shows that misuse of privileges causes 20% of cybersecurity incidents and 15% of data breaches, and that 61% of internal actors do not possess a high level of access or stature. Fraud detection uncovers only 4% of insider and privilege misuse breaches. According to the IBM Cost of Insider Threat report (figure 1), the most cost-effective tools and activities are user and entity behavior analytics (UEBA), privileged access management (PAM), and user training and awareness about insider threats.
Figure 1: Cost Savings with Insider Threat reducing tools (Source: Cost of Insider Threat Global Report 2020, IBM Security)
Veriato’s insider threat detection tools comprehensively help you mitigate these threats with prevention, early detection, and response. Here are some of the ways Veriato can help:
Review appropriate use
Once roles and access have been established, Veriato’s reporting enables you to validate the role definitions and remove improper access. You can identify who is accessing specific IP, with the ability to drill down into actionable detail when needed.
Analyze user behavior
Veriato enables you to monitor the leading indicators of insider threat activity by analyzing shifts in user behavior and communications, alerting security teams to potential risk. Veriato enables your organization to implement UEBA and Zero Trust cost-effectively to prevent misuse of privileges.
Improve visibility and physical security
Physical security teams are well placed to spot abnormal trends in individual behavior, so the people responsible for it should be part of your monitoring program. Manufacturing’s operational security teams can review the activity of the employees and contractors they oversee themselves, rather than waiting on or relying solely on IT. With Veriato, you can delegate the ability to review a subset of monitored users, giving the delegated reviewer complete visibility into those users’ actions.
Monitor for inappropriate use
On detecting anomalous activity, such as bulk copying of files, sending unusually large emails, or use of specific keywords, Veriato alerts security teams based on established thresholds. This expedites the investigation of potential breaches.
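To make the threshold-based alerting described above concrete, here is an added example that is not Veriato’s code or part of the original article. It runs three of the checks this section and the earlier chemical-company case study describe (a spike in copies to removable media relative to the user’s own prior daily average, a large attachment sent to an external address, and a sensitive keyword in mail leaving the company) over a constructed endpoint activity log. The pipe-separated log format, the field names, the corporate and webmail domains, the removable drive letters, the keyword list, and every threshold are assumptions chosen for the example, and the log lines are fabricated.

```python
"""Threshold-based insider activity alerting over an endpoint activity log.

Added example, not Veriato's product code. Log format, field names, domains
and thresholds are assumptions; SAMPLE_LOG is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

CORP_DOMAIN = "example-mfg.com"                    # assumed corporate mail domain
REMOVABLE_DRIVES = ("E:", "F:")                    # assumed removable-media drive letters
SENSITIVE_KEYWORDS = ("proprietary", "trade secret", "formula")  # assumed watch-list
LARGE_ATTACHMENT_BYTES = 10 * 1024 * 1024          # assumed: 10 MiB and up is "large"
ABSOLUTE_COPY_THRESHOLD = 5                        # removable copies/day that always alert
BASELINE_MULTIPLIER = 4                            # alert if today > 4x the user's prior daily average

# Constructed sample log (not real data): timestamp|user|event|detail|bytes
SAMPLE_LOG = r"""
2024-03-02T10:15:00|asmith|file_copy|E:\handoff\drawing_a.pdf|300000
2024-03-03T10:20:00|asmith|file_copy|E:\handoff\drawing_b.pdf|310000
2024-03-02T14:00:00|jdoe|file_copy|E:\notes\meeting.docx|50000
2024-03-04T09:02:44|asmith|email_send|to=buyer@partner-example.com;subj=PO 4471;att=po4471.pdf|210000
2024-03-04T10:15:00|asmith|file_copy|E:\handoff\drawing_c.pdf|320000
2024-03-04T17:41:03|jdoe|file_copy|E:\cad\housing_rev3.dwg|4200000
2024-03-04T17:41:09|jdoe|file_copy|E:\cad\housing_rev4.dwg|4300000
2024-03-04T17:41:15|jdoe|file_copy|E:\cad\bracket.dwg|1100000
2024-03-04T17:41:20|jdoe|file_copy|E:\cad\assembly.step|9800000
2024-03-04T17:41:27|jdoe|file_copy|E:\cad\bom.xlsx|90000
2024-03-04T17:41:33|jdoe|file_copy|E:\cad\tolerances.pdf|700000
2024-03-04T17:42:01|jdoe|file_copy|E:\cad\coating_process.docx|150000
2024-03-04T17:42:08|jdoe|file_copy|E:\cad\test_results.xlsx|240000
2024-03-04T18:05:12|jdoe|email_send|to=jdoe.home@gmail.com;subj=proprietary coating process;att=coating_process.docx|150000
2024-03-04T18:09:40|jdoe|email_send|to=jdoe.home@gmail.com;subj=files;att=cad_export.zip|16000000
2024-03-04T12:00:00|bwu|email_send|to=bwu@example-mfg.com;subj=proprietary coating process draft;att=coating_process.docx|150000
"""


@dataclass
class Event:
    ts: str
    user: str
    kind: str
    detail: str
    size: int

    @property
    def day(self) -> str:
        return self.ts[:10]  # ISO timestamp -> YYYY-MM-DD


@dataclass
class Alert:
    user: str
    day: str
    rule: str
    evidence: str


def parse_log(text: str) -> list[Event]:
    """Parse pipe-separated lines into Events, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, kind, detail, size = line.split("|", 4)
        events.append(Event(ts, user, kind, detail, int(size)))
    return sorted(events, key=lambda e: e.ts)


def parse_email(detail: str) -> dict[str, str]:
    """'to=a@b;subj=x;att=y' -> {'to': 'a@b', 'subj': 'x', 'att': 'y'}"""
    return dict(part.split("=", 1) for part in detail.split(";"))


def is_removable_copy(e: Event) -> bool:
    return e.kind == "file_copy" and e.detail.upper().startswith(REMOVABLE_DRIVES)


def detect(events: list[Event]) -> list[Alert]:
    alerts: list[Alert] = []

    # Rule 1: removable-media copy spike. Baseline is the user's average count on
    # earlier days that appear in the log (days with no copies are absent, which
    # makes the baseline conservative). An absolute ceiling catches first-day bursts.
    per_user_day: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if is_removable_copy(e):
            per_user_day[e.user][e.day] += 1
    for user, days in per_user_day.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            count = days[day]
            prior = [days[d] for d in ordered[:i]]
            baseline = mean(prior) if prior else 0.0
            if count >= ABSOLUTE_COPY_THRESHOLD or (prior and count > BASELINE_MULTIPLIER * baseline):
                alerts.append(Alert(user, day, "removable_copy_spike",
                                    f"{count} copies to removable media, prior avg {baseline:.1f}/day"))

    # Rules 2 and 3: outbound mail to non-corporate domains with a sensitive keyword
    # in the subject or attachment name, or with an attachment over the size limit.
    for e in events:
        if e.kind != "email_send":
            continue
        fields = parse_email(e.detail)
        domain = fields["to"].rsplit("@", 1)[-1].lower()
        if domain == CORP_DOMAIN:
            continue  # internal mail is out of scope for these two rules
        text = (fields.get("subj", "") + " " + fields.get("att", "")).lower()
        hits = [k for k in SENSITIVE_KEYWORDS if k in text]
        if hits:
            alerts.append(Alert(e.user, e.day, "external_keyword",
                                f"to={fields['to']} keywords={hits}"))
        if e.size >= LARGE_ATTACHMENT_BYTES:
            alerts.append(Alert(e.user, e.day, "external_large_attachment",
                                f"to={fields['to']} bytes={e.size}"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.day} {a.user} {a.rule}: {a.evidence}")
```

On the sample log only jdoe trips the rules: eight CAD files copied to a removable drive in one evening against a prior average of one per day, a keyword hit on mail to a personal webmail address, and a 16 MB archive sent to the same address. The internal email containing the same keyword and the contractor’s routine purchase-order mail do not alert, which is the point of comparing against a per-user baseline and scoping the mail rules to external recipients: thresholds that ignore normal behavior generate the false positives that bury real incidents.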
Respond to incidents
For most manufacturing companies, an IP data breach is a realistic probability. When one occurs, it is critical to respond immediately to minimize its impact. Veriato helps you understand the context of the breach by pinpointing when manufacturing IP was compromised and the trail of actions that led there. For example, when an insider opens a CAD drawing, takes a screenshot, pastes it into a personal webmail account, and sends it off, Veriato records the sequence as it happens. Detailed video playback of activity provides visibility into what happened before, during, and after the IP was accessed, helping you identify the actor, the scope of the breach, and the motivation. Activity logging, together with playback, helps you ascertain the scope of the loss. The recordings also serve as legal evidence and as threat intelligence.
Advanced threat detection solutions automate how you detect insider threats and reduce the number that slip through. Veriato’s Cerebral is a threat detection solution that continuously monitors user behavior on every device across your organization. It monitors files, applications, emails, chats, internet and network usage, psycholinguistics, and more. Using AI, Cerebral adds intelligence to your threat detection by monitoring endpoints, creating a digital fingerprint of each user, grouping peers, lowering false positives, predicting future threats, detecting anomalies, and scoring risk.
Insider threat is a human problem. The most crucial factor in mitigating insider threats is the workforce itself. Veriato’s technology enables manufacturing organizations to assess workforce behavior, particularly in its virtual domains.
Veriato assists manufacturers in safeguarding intellectual property and valuable production activities by providing complete visibility into every action taken by the organization’s users without impacting the manufacturing process. Veriato’s insider threat solutions analyze risk, validate safeguard policies, procedures, and measures, and respond to abnormal behavior in a way that fosters trust and treats the workforce as a partner.