The Department of Homeland Security’s (DHS) Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) produced this National Risk Estimate (NRE) to provide an authoritative, coordinated, risk-informed assessment of the key security issues faced by the Nation’s infrastructure protection community from malicious insiders. DHS used subject matter expert elicitations and tabletop exercises to project the effect of historic trends on risks over the next 3 to 5 years. In addition, DHS used alternative futures analysis to examine possible futures involving insider threats to critical infrastructure over the next 20 years. The results are intended to provide owners and operators a better understanding of the scope of the threat and can inform mitigation plans, policies, and programs, particularly those focused on high-impact attacks.

The malicious insider threat is complex and dynamic, and it affects the public and private domains of all 16 critical infrastructure sectors. Owners and operators responsible for protecting our nationally critical assets must recognize the nuances and breadth of this threat in order to develop appropriate risk-based mitigation strategies.

Current Risk Assessment

Understanding and mitigating insider threat are complicated by factors such as technological advances, globalization, and outsourcing. These factors increasingly blur the line between traditional insiders and external adversaries such as terrorists, organized crime groups, and foreign nation-states, who may collude with or exploit physical insiders as vectors to do harm to a targeted asset or system. The threat of supply chain sabotage by third-party vendors and contractors was a recurring theme that subject matter experts discussed during the NRE workshops and tabletop exercises. All agreed that the third-party insiders constitute an underestimated threat to U.S. critical infrastructure, particularly when their organizations are foreign-owned or are working under the auspices of foreign intelligence services.

The common feature of all malicious insiders is tactical advantage. Sometimes the insiders are organizational vulnerabilities—adversarial force multipliers—who can operate relatively unfettered. Malicious insiders are not only aware of an organization’s vulnerabilities; they also may have purposefully created the very vulnerabilities they intend to exploit.

Although the importance of understanding and mitigating the insider threat is clear, two major factors complicate current efforts to assess the likelihood of malicious insider attacks:

1. The challenge of identifying and predicting the stressors or triggers that can cause a trusted employee to become a malicious actor; and

2. The lack of detailed and reliable empirical data on insider breaches and attacks that can be shared across the full spectrum of critical infrastructure owners and operators.

The available data do not characterize in detail the full scope of insider threat to U.S. critical infrastructure and do little to explain why the United States has not experienced a significant increase in insider attacks, particularly those that could result in high-to-catastrophic consequences. They do, however, provide a starting point from which to create a baseline threat profile that can be used to assess insider threats across the 16 critical infrastructure sectors.

KEY FINDINGS AND RECOMMENDATIONS

The Threat: Malicious Insiders

Access and specialized knowledge give insiders tactical advantages over security efforts.

Technological advances, globalization, and outsourcing increasingly blur the line between traditional insiders and external adversaries.

Insiders who combine advanced technological understanding with traditional espionage/terrorist skills have a significantly increased asymmetric capability to cause physical damage through cyber means.

The Vulnerabilities: Expanding Organizational Security Boundaries

Even sectors with relatively robust preventative programs and guidelines in place face a dynamic and expanding threat that cannot be eliminated altogether.

Some organizations are likely underestimating the threat from third-party insiders such as vendors and contractors.

Industrial control systems in critical infrastructure are attractive insider targets for remote sabotage in an increasingly networked world.

Without credible and sector-specific insider risk information, critical infrastructure owners and operators are likely to underestimate the scope of the malicious insider threat and make insufficient or misdirected investments in security.

The Consequences: Asymmetric Impacts

If the goal of malicious insider activity is exploitation rather than destruction of assets, it will be more difficult to detect, potentially resulting in serious cumulative consequences.

The impacts of a cyberattack that is designed to cause physical damage to critical infrastructure could be much more severe than those of a conventional cyberattack.

Recommendations

The Government and private sector should work to develop comprehensive and scalable insider threat program standards that incorporate long-term employee monitoring policies, including background checks and re-investigations, employee training, and termination of access at separation.

Effective prevention and mitigation programs must be driven by better understanding the insider’s definition of success against a particular sector.

Organizations should establish workforce behavioral and access baselines, including an understanding of hiring, oversight, access, and security policies, in order to identify anomalies.
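The two recommendations above (termination of access at separation, and workforce access baselines used to identify anomalies) are stated at the policy level. The following is an added illustration, not part of the NRE and not a DHS tool, of the minimal form such a check can take: a per-user baseline of normal working hours and normally accessed resources is built from a constructed access log, and later events are flagged when they fall outside that baseline or occur after the user's recorded separation date. All user names, resource names, timestamps and separation dates are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access records (not from the NRE): user, ISO timestamp, resource.
BASELINE_LOG = [
    "alice,2023-03-01T09:12:00,hr-db",
    "alice,2023-03-02T10:40:00,hr-db",
    "alice,2023-03-03T14:05:00,payroll",
    "bob,2023-03-01T08:30:00,scada-hmi",
    "bob,2023-03-02T16:45:00,scada-hmi",
]

# Constructed events to evaluate against the baseline.
NEW_EVENTS = [
    "alice,2023-03-10T11:00:00,hr-db",      # within baseline: no finding
    "alice,2023-03-11T02:30:00,hr-db",      # off-hours access
    "alice,2023-03-12T10:00:00,scada-hmi",  # resource never in alice's baseline
    "bob,2023-03-20T09:00:00,scada-hmi",    # after bob's separation date
]

# Constructed separation dates; access should have been terminated at these points.
SEPARATED = {"bob": datetime(2023, 3, 15)}


def parse(line):
    """Split one 'user,timestamp,resource' record into typed fields."""
    user, ts, resource = line.split(",")
    return user, datetime.fromisoformat(ts), resource


def build_baseline(lines, hour_margin=1):
    """Per-user baseline: the set of resources seen, plus an hour-of-day window
    spanning the observed hours widened by hour_margin on each side."""
    hours = defaultdict(list)
    resources = defaultdict(set)
    for line in lines:
        user, when, resource = parse(line)
        hours[user].append(when.hour)
        resources[user].add(resource)
    return {
        user: {
            "resources": resources[user],
            "window": (max(0, min(hrs) - hour_margin), min(23, max(hrs) + hour_margin)),
        }
        for user, hrs in hours.items()
    }


def find_anomalies(baseline, lines, separated):
    """Return (user, timestamp, resource, reasons) for every event that deviates
    from the user's baseline or occurs on/after the user's separation date."""
    findings = []
    for line in lines:
        user, when, resource = parse(line)
        reasons = []
        if user in separated and when >= separated[user]:
            reasons.append("access after separation")
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            lo, hi = profile["window"]
            if not lo <= when.hour <= hi:
                reasons.append("outside baseline hours")
            if resource not in profile["resources"]:
                reasons.append("resource outside baseline")
        if reasons:
            findings.append((user, when.isoformat(), resource, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_LOG), NEW_EVENTS, SEPARATED):
        print(finding)
```

A baseline learned from a few days of records is brittle and will flag legitimate changes in duties; in practice the window would be derived from a longer history and reviewed against the hiring, oversight and access policies the recommendation mentions, and the separation check depends on HR data reaching the access-control system promptly.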

Employees used as a monitoring force may be the best way to identify malicious insiders, and they must have access to recurring training to do so effectively.

Public and private organizations must consider how to balance the best risk-based security procedures against the myriad of policy, legal, and employees’ rights issues associated with obtaining and analyzing relevant threat data in the workplace, especially data derived from social media and behavioral monitoring.

…