Ever since I was a kid, certain movies have stuck with me, surfacing unexpectedly. Some because they are irreverently funny; I still quote Caddyshack when on a golf course. Others because they explore some element of humanity; think The Deer Hunter and Apocalypse Now. And others simply scare the ever-loving you-know-what out of me; The Exorcist was definitely one of those. The movie When a Stranger Calls is in this last category. It’s about a series of prank calls made to a babysitter, in which the dark voice at the other end of the phone asks over and over again if she has checked the children. The calls become more ominous, and finally the police are able to trace them to…wait for it…the inside of the house. At this point, panic takes over (me and the babysitter), and it isn’t clear whether the babysitter is going to make it out alive. Definitely edge-of-your-seat stuff.
The movie was remade in the 90s, but I thought of the original recently as I was reading a Global State of Information Security® Survey 2015 report from PwC. Seriously, I did. Many of the big consulting firms have similar security surveys, but this one is particularly good because it breaks out Oil & Gas as well as Power to draw conclusions on the state of cybersecurity. Within the Oil & Gas section, they highlight the fastest-growing sources of security incidents. The “foreign nation-states” group has the highest growth rate at 108 percent, but the next highest is the “current employees” group at 85 percent.
Security risk is often viewed as an external threat best defeated by physical or network-based security. The idea is that if you keep the bad guys at bay – on the outside of the house – then you are safe. Unfortunately, 85 percent growth clearly indicates the bad guys are already inside the house. And, in truth, they aren’t even bad guys. They are engineers, IT, or operations personnel with every intention of doing a good job. But sometimes a mistake is made, such as an inadvertent configuration change to a control system that compromises security. The trick for plant operators or security personnel is detecting these mistakes before something bad happens.
In the movie, the babysitter had the police trace the calls to discover the location of the threat. In a plant, finding the threat requires a police action as well. The difference is that a plant needs a much higher degree of technical prowess for effective detection – specifically, software automation that monitors for unauthorized changes to proprietary configuration data for all control systems. Today, if this is done at all, it typically relies on incomplete, manually gathered asset inventory data. It’s hard to police what you cannot see or what becomes stale over time.
Have you seen similar increases in the number of employee-based security incidents? Do you have effective measures to detect them and remediate them before something bad happens? Have you checked the children?