Monday, March 23, 2009

Insider Cyber Attack Example

There is an interesting short article over on about an insider cyber attack against a gas/oil field developer. A federal grand jury indicted a ‘disgruntled IT contractor’ for “unauthorized impairment of a protected computer”. Apparently the contractor set up a computer system that, among other things, monitored leak detection equipment at gas and oil wells. After finding out that he was not going to be offered full-time employment, he reprogrammed the system to provide faulty data.

There are few details in the article about how the damage was done, but at least one quote indicates that the ‘reprogramming’ was done after the defendant left the company. This indicates that either his access was not terminated or that he had programmed an ‘alternative method of access’, or back door, to the system. In either case he had unauthorized access to the system.

This article points out two different potential security problems that are becoming increasingly familiar to high-risk chemical facilities: computer consultants and laid-off employees. In this particular case the incident included both problems.

Computer Consultants

More and more companies, inside and outside of the chemical industry, are using outsiders, contractors and consultants, for ‘non-core competencies’. The installation, implementation and maintenance of a wide variety of computer systems, including process control systems, is probably the area where this trend is most pronounced. This makes it easier to adjust headcount for the ebb and flow of personnel requirements as new systems are brought on-line.

All companies, but high-risk chemical facilities in particular, need to take particular care to do detailed background checks of all personnel with access to their computer systems. With the increased complexity of all computer systems, it is unlikely that only the personnel that you see on site will be working on your system.
Contracts with consultants and contractors should make clear the security responsibilities of all parties, including sub-contractors. Special efforts need to be made to ensure that all access to company computer systems is removed when a contractor's or consultant's services are terminated. For all high-risk control systems, and certainly for stand-alone safety systems, off-site access to these systems should require special review, justification and control.

Terminated Employees

Computer access levels for all employees should be periodically reviewed to ensure that they only have access to systems and data necessary for performance of their jobs. A listing of the systems to which they have access should be part of their personnel files. This way a formal process for removing access to these systems can be made part of the termination process, whether voluntary or involuntary.

Not only should there be a system to terminate access, but there should be an independent system to verify termination of access to sensitive systems. Termination verification should probably be done by security staff rather than IT or Personnel.

Changing Environment

The current economic situation is just the latest in a long series of changes in the business environment that are changing the personnel environment at most facilities. High-risk chemical facilities have an especially important job to ensure that these changes are properly reflected in their security plans.
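
The independent termination check described under Terminated Employees can be run as a reconciliation between the personnel-file access listings and account exports pulled separately from each system. The sketch below is an added example, not taken from the article or the case; the record layouts, system names, people and dates are all constructed for illustration.

```python
from datetime import date

# Constructed personnel-file access listings (assumed layout).
PERSONNEL = [
    {"person": "contractor-a", "terminated": date(2009, 2, 1),
     "systems": ["scada-hmi", "vpn"]},
    {"person": "employee-b", "terminated": None,
     "systems": ["email", "scada-hmi"]},
    {"person": "employee-c", "terminated": date(2009, 1, 15),
     "systems": ["email", "historian"]},
]

# Constructed account exports, gathered by security staff from each system.
ACCOUNTS = [
    {"system": "scada-hmi", "person": "contractor-a", "enabled": True,
     "last_login": date(2009, 2, 20)},
    {"system": "vpn", "person": "contractor-a", "enabled": False,
     "last_login": date(2009, 1, 30)},
    {"system": "leak-monitor", "person": "contractor-a", "enabled": True,
     "last_login": None},
    {"system": "email", "person": "employee-b", "enabled": True,
     "last_login": date(2009, 3, 20)},
    {"system": "email", "person": "employee-c", "enabled": False,
     "last_login": date(2009, 1, 14)},
]

def verify_terminations(personnel, accounts):
    """Return sorted (person, system, problem) findings for terminated people."""
    findings = []
    for p in personnel:
        if p["terminated"] is None:
            continue  # still employed: covered by the periodic access review
        listed, seen = set(p["systems"]), set()
        for a in (a for a in accounts if a["person"] == p["person"]):
            seen.add(a["system"])
            if a["enabled"]:
                findings.append((p["person"], a["system"], "account still enabled"))
            if a["last_login"] and a["last_login"] > p["terminated"]:
                findings.append((p["person"], a["system"], "login after termination"))
            if a["system"] not in listed:
                findings.append((p["person"], a["system"],
                                 "access not recorded in personnel file"))
        # A listed system with no export row was never independently checked.
        for system in listed - seen:
            findings.append((p["person"], system, "no account export to verify"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in verify_terminations(PERSONNEL, ACCOUNTS):
        print(" | ".join(finding))
```

A check like this only covers accounts that appear in the exports; it does not find access paths that bypass the account system, such as the back door the article speculates about.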
