
Learn How to Protect Your Company from Insider Threats.

Imagine yourself in a dining room at your company, enjoying a meal with colleagues and friends. Suddenly the lights flicker and everyone's belongings mysteriously disappear. The only suspects are the people in the room, including you. But how do you find the culprit?

The introduction may sound dramatic, like a plot lifted from an Agatha Christie novel or a Sherlock Holmes story, but the feeling of having a threat inside the company is much the same. An insider attack happens when least expected, everyone in the compromised environment goes from trusted colleague to suspect in a moment, and identifying the culprit is a challenging task.

Insider threats may be careless or inexperienced employees, dissatisfied employees, third parties, partners, undercover spies, or any insider who exploits, or intends to exploit, legitimate access to assets in order to do something unauthorized.

According to a study by Verizon, 57% of information leaks involve insider threats and 15% of leaks are a consequence of the misuse of privileges.

As in detective stories, where a burglar or a stranger to the house is the first suspect, many companies focus on threats from outside the organization, such as cybercriminals and malware, while a dishonest employee may have worked among colleagues for a long time, stealing information and damaging the business without ever being identified.

Because they have legitimate access and often broad permissions, these insiders, malicious or not, can cause incidents without drawing attention: they are trusted by the people around them while doing their job.

Disclosing confidential information, facilitating access for outsiders, and breaking equipment that a system depends on are some of the incidents a malicious insider can cause.

Careless professionals who do not yet know the company and its processes are insider threats too: they can delete important information or download infected files by mistake, simply because they were never prepared.

We invite you to continue reading the text and learn what you need to do to protect your business from insider threats.

Who Are Considered Insider Threats?

Insider threats can come from employees and even partners or third parties who have access to your systems, as detailed below.

  • Employees: They are regarded as part of the organization, are above suspicion, and are the last to be suspected.
  • Service Providers: Their access is underestimated, and they can take advantage of it.
  • Partners and Third Parties: They operate under contracts and therefore tend to receive access with high privileges. A contract does not prevent misuse; it only assigns liability afterwards, so it offers the company false protection.

Former employees are also a threat. According to Deloitte, 59% of employees who leave a company voluntarily or involuntarily take data with them.

What Are the Main Motivations for Insider Threats?

In most cases, what motivates these internal malicious agents to cause an incident are financial and ideological issues, as well as the desire for recognition, loyalty to family, friends, or country, and even revenge. 

Regardless of motivation, malicious insiders seek to leak sensitive data and disrupt processes, since these are the events that do the most damage to an organization. Well-known cases reported in the media illustrate this:

  • Edward Snowden: In 2013 Snowden leaked what the US government estimated at nearly two million NSA files.
  • Ricky Mitchell: After learning he was about to be fired, he reset EnerVest's servers to factory settings, halting the company's operations for about a month.
  • Zhangyi Liu: A programmer contracted to Litton/PRC Inc. who accessed sensitive Air Force data. He copied the passwords of accounts that could create, change, and delete any file on the network and posted them on the Internet.
  • Christopher Grupe: After being fired by the Canadian Pacific Railway, he logged back into the network to delete files and change passwords, locking administrators out of their own equipment.
  • Paige Thompson: A former Amazon Web Services engineer who in 2019 obtained data on more than 100 million Capital One customers. The entry point was not her old employer's environment but a misconfigured web application firewall in Capital One's AWS deployment, which could be tricked into returning temporary credentials for an over-privileged role; with those credentials she copied the data and later discussed her methods in online chats.

Preventing an insider from stealing information can be harder than keeping an outsider away from assets, because insiders already have access to endpoints and to the network, the very components an external attacker must first break into before an attack can proceed.

BYOD devices are another vector: they are increasingly accepted in companies today, even though their use is often uncontrolled.

Through these assets attackers reach their real targets, databases and file servers, which hold the information most valuable to internal and external attackers alike: customer data, financial data, intellectual property, and privileged account data such as credentials and passwords.

These attacks increase when data protection strategies and tools are insufficient, and when training, employee expertise, and risk awareness at the management level are lacking.

What Are the Cyber Risks Associated with Insider Threats?

As we saw earlier, insider threats are not always exclusively from people who work directly for your organization. We can include consultants, outsourced contractors, suppliers, and anyone who has legitimate access to some of your resources.

To understand the subject better, we have selected five scenarios in which insider threats may arise.

  1. An employee or third party who performs inappropriate actions without malicious intent, out of carelessness. Often these people are just looking for ways to get their job done, but they misuse assets, ignore acceptable-use policies, and install unauthorized or dubious applications.
  2. A partner or third party who compromises security through negligence, misuse, or malicious use of an asset. For example, a system administrator may misconfigure a server or database so that it is open to the public instead of private and access-controlled, inadvertently exposing confidential information.
  3. An insider bribed or recruited by a third party to extract information and data. People under financial stress are frequent targets.
  4. A rejected or dissatisfied employee motivated to bring the organization down from the inside, disrupting business and destroying or tampering with data.
  5. A person with legitimate privileged access to corporate assets who exploits it for personal gain, usually by stealing and redirecting information.

Whether the damage is caused intentionally or accidentally, the consequences of insider attacks are very real.

One of the ways to mitigate the risks of the scenarios above is to implement monitoring tools to track who accessed which files and alert administrators about unusual activities.

In addition to these actions, the management of privileged accounts also helps to reduce damage caused by insider threats and contributes to proactive cybersecurity behavior.
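As an added illustration of the monitoring just described (this is example code, not code from the original article or from any senhasegura product), the following Python script runs a handful of simple rules over a constructed audit trail: use of a shared credential, access by a user who has already left the company, after-hours access, unusually large reads, and a user touching a directory they have never used before. The log format, user names, paths and thresholds are all assumptions made for the example.

```python
"""Added example: simple rules for spotting unusual file access in an audit trail.

Not part of the original article or of any senhasegura product. The log
format, users, paths and thresholds below are constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail, one JSON object per line:
# who (user) used which credential (account) to read how much of which file.
SAMPLE_LOG = """
{"ts": "2023-05-02T09:14:00", "user": "alice", "account": "alice", "path": "/srv/finance/q1.xlsx", "bytes": 120000}
{"ts": "2023-05-02T09:40:00", "user": "bob", "account": "bob", "path": "/srv/hr/handbook.pdf", "bytes": 300000}
{"ts": "2023-05-02T23:52:00", "user": "alice", "account": "alice", "path": "/srv/finance/customers.csv", "bytes": 450000000}
{"ts": "2023-05-03T10:05:00", "user": "carol", "account": "svc-backup", "path": "/srv/hr/payroll.db", "bytes": 90000000}
{"ts": "2023-05-03T11:30:00", "user": "dave", "account": "dave", "path": "/srv/finance/q1.xlsx", "bytes": 120000}
{"ts": "2023-05-03T11:31:00", "user": "bob", "account": "bob", "path": "/srv/hr/handbook.pdf", "bytes": 300000}
{"ts": "2023-05-03T14:00:00", "user": "bob", "account": "bob", "path": "/srv/finance/customers.csv", "bytes": 450000000}
"""

# Assumptions about the environment (in practice these come from the PAM
# vault, the HR system and a baseline built from past weeks of logs).
SHARED_ACCOUNTS = {"svc-backup", "admin"}   # credentials used by more than one person
OFFBOARDED_USERS = {"dave"}                  # left the company but still authenticating
BUSINESS_HOURS = range(7, 20)                # 07:00 to 19:59 counts as normal
BULK_BYTES = 100_000_000                     # a single read of 100 MB or more


def parse_log(text):
    """Parse JSON lines into event dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events):
    """Return (rule, user, path) tuples for every event that trips a rule.

    The per-user directory baseline is built as the stream is processed, so a
    user's first access to a directory is only flagged once they already have
    a history elsewhere.
    """
    alerts = []
    seen_dirs = defaultdict(set)   # user -> directories accessed so far
    for e in events:
        user, path = e["user"], e["path"]
        directory = path.rsplit("/", 1)[0]
        if user in OFFBOARDED_USERS:
            alerts.append(("offboarded_user_access", user, path))
        if e["account"] in SHARED_ACCOUNTS:
            alerts.append(("shared_account_use", user, path))
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("after_hours_access", user, path))
        if e["bytes"] >= BULK_BYTES:
            alerts.append(("bulk_read", user, path))
        if seen_dirs[user] and directory not in seen_dirs[user]:
            alerts.append(("new_directory_for_user", user, path))
        seen_dirs[user].add(directory)
    return alerts


if __name__ == "__main__":
    for rule, user, path in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{rule:24} {user:6} {path}")
```

Run on the sample, the script raises six alerts: Alice's late-night bulk read, Carol's use of the shared backup account, Dave authenticating after he has been offboarded, and Bob's first ever excursion into the finance share, which is also a bulk read. Bob's routine reads of the HR handbook produce nothing, which is the point: the rules key on the shared credential, the departure, the time of day, the volume and the change of habit, not on the file itself.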

How to Reduce the Risks Associated with Insider Threats?

Any corporation is subject to some type of cyberattack, and it is essential to have a system that defends and maintains data integrity.

According to a report by Fortinet Threat Intelligence, Brazil has suffered more than 24 billion cyberattack attempts in 2019, a fact that reinforces the need to have efficient solutions against this type of threat.

Preventing external attacks is already routine within companies, but according to Verizon's 2019 Data Breach Investigations Report, 34% of data breaches involved internal actors, and the Varonis Data Risk Report found that 17% of all sensitive files were accessible to every employee. That should put companies on alert to protect themselves from internal threats as well as external ones.

For this, it is recommended that some technology be implemented to efficiently monitor employees' privileged access. To help you with this task, we have put together six practices for protecting your company from insider threats:

1- Know Who Has Access to Privileged Accounts

One of the biggest mistakes of companies is making privileged credentials available to many users, which directly affects data breaches and the risk of leaks through internal threats.

You need to find out which people have access to protected environments, make sure that nobody who does not need such access holds an administrative credential, and keep the number of privileged users to a minimum.

Ideally, the highest-privilege credentials should be held and issued by those responsible for IT under a controlled process, so that no one keeps a standing personal copy.
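To make "find out who has access" concrete, here is an added Python example (not from the article or from senhasegura) that builds a privileged-account inventory from the three files that define root-equivalent access on a Linux host: uid 0 entries in /etc/passwd, membership of admin groups in /etc/group, and unrestricted sudoers rules. The file contents and the list of approved administrators are constructed assumptions, and the sudoers parser handles only the common one-line rule form, not aliases or @include directives.

```python
"""Added example: inventory of root-equivalent accounts on a Linux host.

Not from the original article or from senhasegura. The passwd, group and
sudoers contents are constructed samples, and APPROVED_ADMINS is an assumed
list of who is actually sanctioned to hold admin rights.
"""
import re

# Constructed /etc/passwd: note the second uid-0 account "toor".
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:forgotten test account:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
deploy:x:1004:1004:Deploy:/home/deploy:/bin/bash
"""

# Constructed /etc/group.
GROUP = """\
root:x:0:
sudo:x:27:alice,deploy
wheel:x:10:bob
ops:x:2000:carol,deploy
"""

# Constructed /etc/sudoers (one-line rules only; aliases and @include are
# not handled by the simplified parser below).
SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%ops    ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
carol   ALL=(ALL) NOPASSWD: ALL
"""

ADMIN_GROUPS = {"root", "sudo", "wheel"}   # membership grants full root
APPROVED_ADMINS = {"root", "alice"}         # assumption: the sanctioned admins


def parse_passwd(text):
    """Map user name -> numeric uid."""
    return {f[0]: int(f[2]) for f in (l.split(":") for l in text.splitlines() if l)}


def parse_group(text):
    """Map group name -> set of supplementary members."""
    groups = {}
    for line in text.splitlines():
        if line:
            name, _, _, members = line.split(":")
            groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text, groups):
    """Map user -> reason for every principal allowed to run ALL commands."""
    unrestricted = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        principal, spec = line.split(None, 1)
        # Strip "hosts=(runas)" and keep the command list.
        commands = spec.split(")", 1)[1].strip() if ")" in spec else spec
        if not re.fullmatch(r"(NOPASSWD:\s*)?ALL", commands):
            continue   # scoped rule, e.g. a single systemctl command
        if principal.startswith("%"):
            for member in groups.get(principal[1:], ()):
                unrestricted[member] = f"sudoers rule for group {principal}"
        else:
            unrestricted[principal] = "direct sudoers rule"
    return unrestricted


def privileged_accounts():
    """Return {user: [reasons]} for everyone with root-equivalent access."""
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    reasons = {}
    for name, uid in users.items():
        if uid == 0:
            reasons.setdefault(name, []).append("uid 0")
    for group in sorted(ADMIN_GROUPS):
        for member in groups.get(group, ()):
            reasons.setdefault(member, []).append(f"member of {group}")
    for member, why in parse_sudoers(SUDOERS, groups).items():
        reasons.setdefault(member, []).append(why)
    return reasons


def unapproved_admins():
    """Privileged users who are not on the sanctioned list."""
    return sorted(u for u in privileged_accounts() if u not in APPROVED_ADMINS)


if __name__ == "__main__":
    for user, why in sorted(privileged_accounts().items()):
        flag = "" if user in APPROVED_ADMINS else "  <-- review"
        print(f"{user:8} {', '.join(why)}{flag}")
```

On the sample data the inventory turns up four accounts nobody signed off on: a second uid-0 login, a deployment account that was quietly added to the sudo group, a wheel member, and a direct NOPASSWD: ALL rule for Carol. The ops group's rule is not flagged because it is scoped to one command, which is exactly the shape a least-privilege rule should have. In a real environment the same inventory would be taken from every host (and from cloud IAM and the directory) and diffed against the approved list on a schedule.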

2- Ensure User Traceability

With the use of some technologies, you can know who, when, where, and what actions were taken by the user to perform a privileged session, in addition to limiting the actions that can be performed in the environment.

Some solutions alert and block the user who performs any improper action and provide session recording for analysis.

3- Third-Party Access

If any service your company relies on is outsourced, that access needs its own protection.

Ideally, any third-party access to company environments should be scoped to the specific application the provider needs, limited to a predetermined time window, and monitored, for example through a dedicated VPN or a session gateway rather than broad network access.

A complete PAM password vault closes many of these loopholes: it keeps the credentials out of the provider's hands, monitors privileged sessions, and automates routine tasks.

4 – Password Culture

Even if it seems basic, building a strong password culture is an effective way to reduce insider threats.

If a privileged account is protected by a weak or guessable password, a malicious employee can take it over and move into environments that are not theirs, opening the way for attacks on the corporation.

Strong passwords also protect against external attacks. Ask employees to use long passphrases that are unique per system, and put multi-factor authentication in front of every privileged login; length and uniqueness matter more than a fixed mix of uppercase, lowercase, numbers, and symbols.

Change passwords whenever compromise is suspected and whenever someone who knew a shared credential leaves; for shared privileged credentials, a vault can rotate them automatically after each use. Forced rotation on a fixed calendar adds little by itself, since it pushes people toward predictable variations of the same password.

5 – Backups

Even with every possible control in place, it is essential to have a way to recover data if it is destroyed, encrypted, or otherwise made inaccessible.

Automatic backups of critical and strategic systems let the company refuse to give in to any threat from the attacker. Keep in mind that an insider with administrative rights can reach the backups too, so they should be kept off the primary network or in immutable storage, protected by credentials the production administrators do not hold, and restore procedures should be tested regularly.

6 – Extra Practice

Obviously, this type of attack is the most difficult to predict and prevent. These are malicious agents who may be working alongside you right now.

However, some measures can be taken to make it difficult for a new internal attack to occur:

  • Checking employee backgrounds before hiring.
  • Applying mandatory vacation and job rotation.
  • Monitoring employee behavior.
  • Educating and training employees.
  • Encouraging employees to report abnormal activity or strange behavior by colleagues when they notice it.

Even With the Risk This Type of User Poses, They Are Necessary for the System. So, How to Control Them?

In a Haystax survey, 60% of respondents named privileged IT users and administrators as the insiders posing the greatest risk. They hold broad permissions within a system, can run any command, and can view large amounts of information.

Privileged users are like stewards in suspense stories. They are the ones who have unrestricted access to various rooms in the house, perform important tasks, and are extremely trustworthy to members of the house, so it is no surprise when they are revealed as the guilty ones.

Privileged accounts are those with elevated permissions that allow their holders to access critical systems and perform administrative tasks. Like ordinary user accounts, privileged accounts require a password or another credential to access systems and perform those tasks.

Privileged accounts can be used by people or be non-human when used by applications or systems. The latter are also called service accounts. Privileged accounts, such as administrative accounts, are often used by system administrators to manage applications and hardware, such as network assets, and databases.

The problem with these accounts is that they are often shared, reused across many systems, and protected by weak or default passwords, which makes an insider's job easier.

When these accounts are not properly managed, they give insiders the ability to access and download the organization's most sensitive data, distribute malicious software, bypass existing security controls, and delete audit trails to hide their activity.

One of the most secure ways to manage privileged accounts is through PAM (Privileged Access Management) solutions. This solution consists of cybersecurity strategies and technologies to exercise control over privileged access and permissions for users, accounts, processes, and systems in a corporate environment.

PAM As a Solution to Manage Insider Threats

As mentioned, privileged accounts represent high-value targets for insider agents. 

Organizations need to adopt a Privileged Access Management (PAM) solution and feed the access records it produces into their monitoring systems.

Privileged Access Management – or simply PAM – consists of the technology and processes that control privileged access, store all access records for auditing purposes and analyze the actions taken by users in real-time, generating alerts about unusual activities. Using this technology can make the identification and mitigation of insider attacks much faster and more efficient.

With that in mind, we selected seven capabilities of PAM solutions that are strategic for companies seeking to reduce the possibility of insider threats.

  1. Use of effective policies for all employees, whether remote, service providers, or third parties.
  2. Protection for the credentials of your most confidential assets (confidential applications, databases, privileged accounts, and other critical systems) in a central and secure repository.
  3. Limitation of privileged access to confidential information, such as customer data, personally identifiable information, trade secrets, intellectual property, and confidential financial data.
  4. Least privilege procedures and resources that give employees just the access they need, following the need-to-know principle.
  5. Limitation of local administrator rights for all employees’ workstations; and implementation of permission, restriction, and denial policies to block malicious applications.
  6. Implementation of workflows for the creation and governance of privileged accounts.
  7. Monitoring and recording of privileged access to confidential information, data, and systems.

The first steps to better protect yourself and your customers from insider threats consist of applying at least some privileged access management best practices.

Start by learning more about how the principle of least privilege works, then it is important to establish and apply the best password management practices and, finally, invest in a comprehensive PAM solution that has all these resources at your disposal.

Learn About the senhasegura Solution

Senhasegura is one of the largest PAM solutions in the world according to Gartner. In addition to preventing data leaks and abuse of privilege by insiders, the solution also protects against external threats.

The solution provides granular access controls, credential management, detailed logging and session recording, and user behavior analysis. It includes several security controls that protect data from insider and external threats, such as logging, auditing, SSH key management, and modules for secure DevOps, among others.

In addition, the implementation of senhasegura helps your organization to:

  • Apply the Security aspect to your DevOps pipeline, ensuring DevSecOps.
  • Carry out the proper management of digital certificates.
  • Comply with LGPD and GDPR.
  • Ensure security in your Cloud environment.

Request a demo now and discover hands-on the benefits of senhasegura to limit the damage caused by insider threats.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Segura®
Segura® strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

Interview With SCADAfence’s New Field CTO, Paul Smith

OT and ICS Industry veteran Paul Smith, author of “Pentesting Industrial Control Systems” has recently joined the SCADAfence team in the role of Field CTO. We interviewed Paul to get his thoughts on the current state of OT security, challenges that need to be addressed and his predictions for the future.

He was interviewed by content marketing manager, Joan Weiner Levin.

Joan Weiner Levin: Hi Paul. Welcome to SCADAfence! We’re so excited to have you on board. Can you start by sharing a little bit about your background and why you are particularly interested in OT security.

Paul Smith: I grew up in Calgary, Alberta, Canada. They call us "little Texas" because the economy is so heavily influenced by oil and gas. After a number of years working in the oil and gas sector, it felt almost natural for my father and me to start our own consulting company, leveraging his years of experience and my computer science background. We performed forensic audits inside of the measurement space in oil and gas, which is a very niche vertical where we had to solve many interesting technical problems. I had spent my entire career until then looking through data and at how systems are interrelated inside oil and gas, trying to find answers and solutions to "red herring" problems.

During a project that my father and I were working on, I met Austin Scott, who presently works at Dragos. Austin at that time was working on a compressor upgrade project, and he invited me out to a "CalSec" (Calgary Security) meetup. I was hooked, and I started investing time in understanding how people formulated careers in this space. I was then invited to attend a "Red vs Blue" event that the Department of Homeland Security was hosting out of Idaho National Labs. While attending this event I met some of the industry's finest people, and I still stay in touch with a number of them. It was from this event that I was eventually offered a job to join Lockheed Martin.

Shortly after this event I decided to attend a SANS conference in Orlando; it was really the only ICS-related security course being offered. Justin Searle was the instructor, and this is where I met Michael Assante and Rob Lee. Michael dropped in to give us a pep talk and welcome us to the industry, as it was either the first or the second class that had ever been presented. Rob Lee had just started Dragos at this time. When working at Lockheed Martin I had numerous discussions about buying two specific new startups in the industry, one being Dragos and the other Indegy. Both companies were at a very early stage; Dragos hadn't even commercially released CyberLens yet. Friends of mine were visiting Israel and got very excited by technology they saw created by a Team8 foundry company. The product was called ICS Ranger, and that company would go on to come out of stealth mode and brand themselves as Claroty. Shortly after this I met with one of the Nozomi founders, became enamored by the possibilities of the product, and in the end started working for them for a period of time as well.

JL: What are some of your immediate goals in your new role as field CTO for SCADAfence? Like what do you hope to accomplish first?

Paul Smith: The first thing is making sure the SCADAfence Platform is the best performing product in the market.

We are now industry leaders, and I want to make sure that we always stay ahead of our competition. 

JL: Why did you choose to join SCADAfence? You’re a celebrity in our field. You’re a well published author. You’re also very well known in the industry. Why did you decide to be a part of the leadership in SCADAfence?

Paul Smith: I don't know if I would say celebrity; maybe I've been around the block once or twice. As for SCADAfence, it is a lean team, and it's got the right funding. I like working with a company when it's small, hungry, scrappy, and people are wearing multiple hats. It's on the cusp of blowing up to be big, and that's something really alluring to me. I like it because now I can come in and put an idea on the table and we bat it around as a team and then we shape it, hone it, and finally we implement and run with it. We are in a constant state of innovation while exceeding customers' expectations.

JL: How do you want to work with SCADAfence’s customers? What is your ideal customer relationship? 

Paul Smith: I want to be a trusted advisor. I want our customers to know that they are first and foremost, and that we are addressing their concerns and features prior to chasing PR. I want SCADAfence to be the first thought in their heads. When they have a problem in their field or network, they can call us up. Cue up the shameless plug, but in all honesty I want the customers to know that they can call either our managed services team or our professional services team and will get the answers they seek. Whether it is writing OT protocol rules, testing packet rules, writing YARA rules, adding or removing firewall rules, performing firewall swap-outs, or whatever it happens to be, I want people to start thinking of us as unbiased experts in this field, the trusted advisors of OT cyber security.

JL: What are currently the biggest challenges in the world of OT Cyber security. 

Paul Smith: Number one is staff. It’s always been staff. Companies can’t find enough of the best, well-qualified people that they need to hire. 

Next, I'd say it's human error. A lot of the OT security issues we see out there are operator error. Someone who is not properly educated on how to execute changes in an environment can accidentally take down an entire facility. We see this all the time.

For the real cyber threats, if we look beyond human error and its operational impact, I would say it’s nation state threats. The threats and attacks that are happening inside of Ukraine as a result of the Russian attacks right now are pretty insane and indicative of what can happen.

JL: Let’s talk for a minute about the current situation in Ukraine. There have been a number of reported attempted cyber attacks against electrical stations and attempts to damage Ukraine’s fragile critical infrastructure. For those of us observing this from the west, from an OT perspective, what about this situation should alarm or concern us? 

Paul Smith: I’ve had this conversation multiple times with people and they think Russia has all this old military hardware, these bombs and tanks and infantry and it’s falling apart.

But what you don’t see is the cyber warfare going on in the back-end. The next world war isn’t going to be fought with guns and traditional weaponry, it’s going to be fought in cyberspace. You can cause a country to essentially implode just by knocking out their critical infrastructure. 

People have asked me, why isn't Russia just sending more people in on the ground? And I tell them, it's because you don't see what's happening on the back-end. That's a major part of the war. If you take down a city like New York, and they can't get power back up in under two weeks, you don't even have to shoot a single bullet. People will turn on each other; they'll figure out ways to survive at all costs. Remember, no power means no pumps; no pumps, no fresh water; and even worse, no Twitter! I'll say this: you take down critical infrastructure, you can take down a country.

JL: Is this nightmare scenario preventable?

Paul Smith: To a certain degree, yes. But the problem with technology, the beauty and the problem, is that it’s always evolving. And we’re always innovating. But the cost of innovation is security. To be new and leading is great, but it doesn’t always mean it’s new, leading, and secure. Security is usually an afterthought. 

A lot of engineering companies are trying to change that and put security in the design, but you can’t always do that. You don’t know what you’re securing, because if you’re trying to engineer to be secure, then it is near impossible to innovate at the same time.

JL: You mean security is an afterthought of design?

Paul Smith: Yes. But from a technology perspective, I don’t see this as a problem. Because if you try to put security into your engineering design, it will actually stifle innovation. For example, if an organization tried to create certain things to be completely secure, they would never be able to build them. Because they could have never innovated past the security boundaries that would have to be put into place. If you always put boundaries there, and say you can’t go past these boundaries then you’ll never innovate past the boundaries.

We haven’t invented the next thing that you have to secure yet. If you don’t innovate past that, then there’s no chance of ever seeing what the next wave of security is going to have to be, and that’s why I say it’s a mixed bag. Can we secure things? Absolutely. But as we innovate we have this lag until we find the security gaps. So we invent a new thing, and then, there’s the gaps. Now we have to invent something to secure that, because we’ve never had to secure this before.

A good example is self-driving cars with AI. There is this vision of what those self-driving cars need to be. But if someone puts some obstacle there, like a little orange dot, extended symbols on signage, or something no one ever considered, it throws the whole self-driving car off course or can change a stop sign into a 45 mph speed sign; these are called adversarial ML attacks. No one could have predicted this because the fundamental technology for ML vision models had never been invented before.

JL: Let’s talk about legacy equipment, the older technology that is still running in manufacturing plants and critical infrastructure facilities. Is there technology still in place that is just too old to be secure, or is the older technology more secure because we’ve had more time to make it secure?

Paul Smith: I talk a lot about this topic, because I say the people who could actually fix the older technology are no longer with us, and that is a major risk. So it's so archaic that it's secure by nature. But just don't look at it, don't touch it, because if it falls down, we'll never be able to fix it again. The old legacy stuff is hyper vulnerable, but more from an obsolescence perspective. Now if we talk about moderate-to-old equipment, this is where you will find the most vulnerable assets. This technology was first- and second-generation adoption of Ethernet cards, moving away from serial communications. It has become a major issue in industry where companies feel that if it is producing, don't mess with it. The cost-benefit analysis isn't there for them to justify implementing new technologies yet. This is why we haven't seen solutions such as GE Predix and Siemens MindSphere eclipse the market; new technologies just come with price tags that executive teams feel aren't warranted.

JL: Why aren't more people choosing an OT cyber security career?

Paul Smith: The reason people don't go into OT is because really OT security is two, maybe two-and-a-half different roles. Often, companies put up a job posting with a certain salary rate. My reaction is, "Well, that's an interesting salary. The rate is lower than either an automation specialist or an IT specialist." So they're trying to pay someone who has to know both job roles less than either singular job.

If you combine the salary for both, then you could have more interesting opportunities for people to grow into. Someone would say to themselves, "I've had to learn all the OT background, and now I have to learn all the IT cyber elements, like all the networking gear, all the endpoint technology, all the frameworks and security standards, and you only want to pay me the same or even less than this other person? I'm just gonna do that other job, because I'll get paid the exact same."

The market still hasn't adjusted salary rates for what it really means to do the job of OT cyber security.

JL: Let’s talk about the relationship between IT and OT. How should those two sides be working together, and what are they currently missing in that relationship?

Paul Smith: We’ve been talking about IT-OT convergence for a long time. And I think the gaps are slowly fading. I always said that it’s easier to take an automation person, and maybe it’s biased because I come from that side, and teach them the security side. As opposed to taking an IT security individual and teaching the automation side, because the automation side is more finicky, it’s not straightforward programming and implementation. Every decision being made inside the controllers can cause millions of dollars of impact.

There has to be more open conversations. For more mature companies, I would say, take one of your automation guys and put him right in your SOC and have him talk directly with all the IT staff there. A lot of these products feeding up data into a SOC use language that the IT analysts don’t fully understand. Whereas if you put an automation guy there, he will be able to translate it. One of the value points for all this technology is we need to change the language to make sure we can communicate both to an automation specialist and an IT security specialist. Because if we put both languages in a security alert, it’s easier for them to communicate and talk to each other.

JL: What is the role of governments in securing the OT? What is the ideal collaboration between the government and the private sector in securing public critical infrastructure?

Paul Smith: When it comes to private companies securing public critical infrastructure, there should be a lot of vetting and a lot of oversight, especially as it relates to major city centers. So if we’re discussing water treatment plants, or electrical facilities, if you’re a third party vendor, you need to be subject to governance. Governments should have a big stick to use for enforcement because one bad incident can impact millions of lives. 

There needs to be a heavier influence of government mandates and sanctions on third parties. And I know for a company like SCADAfence as an Israel-based company, selling into critical infrastructure in North America, that would put a little bit of a hamper on some sales, but it would also force us to comply with standards. Then everyone would feel safe, and there would be full transparency. And then once you have that stamp of approval facilities would be more comfortable working with approved third party vendors. 

JL: What about governments encouraging private companies to do more for their OT security. Should the government be telling private manufacturers that they should do more to protect their OT?

Paul Smith: Yes. I do feel that the government needs to have more say in the manufacturing of products that impact people as a whole. Pharmaceuticals are a great example. If you have a disruption in drug supply, how many people is that impacting? If a company manufactures insulin pens for diabetics and their production goes down because of an OT security incident, and people miss their shots, you're killing people because of that cyber incident. So anything that can critically impact people's lives needs to have a little bit more government oversight. I don't like a lot of government controls. But I do feel in the case where people's lives can be impacted, government enforcement for companies to maintain a dedicated level of security practice is necessary.

JL: What is the future of OT security? What do the next three to five years look like?

Paul Smith: Oh, yes, that crystal ball stuff. Where we are now is still pretty immature in terms of OT security. From an industrial OT security perspective there were companies that were ahead of their time, and they owned the market share and then they just stopped innovating, and they fell apart. But I think we’re coming full circle.

If you look at the way our technologies evolved, passive detection became super hot, super silver bullet, we’re all in that market. Venture capital money was just being dumped into it. And now executives are concerned that they don’t get full visibility that way. So we needed to add an active component, but everyone was staying away from active at that time. Now people are more open to active. Ten years ago, that’s how companies were doing this, and they had a massive install base. And they lost market share to passive companies. Now passive companies are supplying an active component/device as part of their product offering, which is where these other guys were 10 years ago. So it comes full circle.

I think you're gonna see a lot of IT implementations like XDR and SOAR. Customers are going to start utilizing and coordinating their various security tools. There is a shortage of experienced individuals, and the only way to offset that is more intelligence and more automation. Also, companies are going to be a lot more open to agents installed out there in their OT environment, telling them what they see so they can be more secure. Agents in OT don't sound very sexy to me, because it's been done forever ago, but it's how the industry is maturing and evolving. So that is what I see in the next 3-ish years. I predict that in the next 5 years there will be an adoption of AI at the edge providing interesting ML model solutions. I don't want to give away too much of our secret sauce!

JL: Finally, because we always need to know. Do you have any pets?

Paul Smith: I do. I have a very sweet German Shepherd. Her name is Bailey, like the Irish cream; we named her that because she is the same color as Baileys.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

The New US Cybersecurity Act & What it Means

If you suffer a major cyber attack or pay a ransom to attackers, you may have to report it to the Cybersecurity and Infrastructure Security Agency (CISA) within a set timeframe under the new cybersecurity law.

The Strengthening American Cybersecurity Act of 2022 passed the Senate in March 2022, and its incident-reporting title, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), was signed into law that same month as part of the Consolidated Appropriations Act, 2022. It imposes strict reporting obligations on critical infrastructure owners and operators: covered entities must report a ransom payment to CISA within 24 hours and a covered cyber incident within 72 hours. One practical caveat: these obligations do not take effect until CISA completes its rulemaking. The Act gives CISA 24 months from enactment to publish a proposed rule and a further 18 months to issue the final rule, and the reporting requirements apply from the dates the final rule prescribes.

Who is covered by the new requirements? When and how are cyber incidents reported under the new law? Keep reading to find out more.

What is the Strengthening American Cybersecurity Act of 2022?

Although the incident-reporting requirements made the headlines, the Strengthening American Cybersecurity Act as passed by the Senate bundles three separate bills:

  1. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA): imposes on critical infrastructure entities the obligation to report "covered cyber incidents" and "ransom payments" to CISA within a set timeframe. This is the part that was enacted in March 2022.
  2. The Federal Information Security Modernization Act of 2022: updates the information security management requirements for federal agencies, including how agencies report cyber incidents and remediate them.
  3. The Federal Secure Cloud Improvement and Jobs Act of 2022: codifies the FedRAMP program that governs the security authorization of cloud products and services used by federal agencies.

What Entities Are Covered in the Cybersecurity Act?

Under the new law, CISA has the power to decide which types of entities are subject to the incident-reporting requirements.

While CISA is given wide discretion, the law requires it to consider the following three factors when defining "covered entities":

  • The consequences that disruption or compromise of an entity's operations could cause to national security, economic security, or public health and safety.
  • The likelihood that a malicious actor, including a foreign country, may target the entity.
  • “the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.”

These criteria refer to "national security", "public safety" and the possibility of being targeted by foreign state actors, and the Act itself restricts the term "covered entity" to entities in one of the 16 critical infrastructure sectors defined by Presidential Policy Directive 21 (PPD-21). Entities in those sectors are therefore the natural candidates for coverage.

These sectors include, but are not limited to:

  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Healthcare and Public Health

While it is reasonable to expect that organizations in these sectors will be defined as "covered entities," not every organization in a sector will necessarily be covered: CISA sets the criteria, such as size and criticality, that determine which entities within each sector carry the reporting duty.

What Incidents Should Be Reported

Under the Act, there are two categories of events that need to be reported:

Cyber incidents

The Act does not require all incidents to be reported to CISA; it gives CISA the power to determine the criteria and thresholds that make a cyber incident a "covered cyber incident".

However, the Act sets a floor: CISA's definition must at minimum cover three types of high-impact incidents. First, a cyber incident that leads to a substantial loss of confidentiality, integrity or availability of an information system or network, or a serious impact on the safety and resiliency of operational systems and processes. Second, a disruption of business or industrial operations, including one caused by a denial-of-service attack, a ransomware attack, or the exploitation of a zero-day vulnerability. Third, unauthorized access or disruption of business or industrial operations caused by a "compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise."

A recent example of the third category is the SolarWinds compromise. After Russia-backed attackers inserted malicious code into a build of SolarWinds' Orion network monitoring software, the trojanized update gave them a path into thousands of customer networks, including electricity, oil and manufacturing companies. Under the Act, each covered entity whose own operations are accessed or disrupted through such a compromise has its own reporting duty, regardless of where the compromise originated.

Ransom payments

"Ransomware attacks" are defined broadly under the Act: the use or threat of use of unauthorized or malicious code, or of another digital mechanism such as a denial-of-service attack, to interrupt or disrupt an information system or to compromise the confidentiality, integrity or availability of its data, in order to extort a ransom payment. The extortion element is what distinguishes a ransomware attack from an ordinary cyber incident. Alongside the traditional technique of encrypting data, the following mechanisms therefore also fall under the Cybersecurity Act when used to extort a payment:

  • Distributed denial-of-service attacks
  • Insertion of malicious code

When to Report the Incidents? 

The Act sets out two different deadlines for the reporting of incidents:

  1. A covered entity that makes a ransom payment as the result of a ransomware attack must report the payment to CISA within 24 hours after the payment is made. The clock runs from the payment, not from the attack.
  2. A covered entity must report a covered cyber incident within 72 hours after it "reasonably believes that the covered cyber incident has occurred". If a ransom payment is made within that 72-hour window, the Act allows a single report to satisfy both requirements. Covered entities must also promptly submit supplemental reports when substantial new or different information becomes available, and must preserve data relevant to the incident or payment in accordance with the procedures the final rule will establish.

Criticisms Against the Law

Though the new law is welcomed by many in light of the growing numbers of cyber attacks targeting critical infrastructure and the rising geopolitical tension in Eastern Europe, it is also criticized for not addressing a few critical issues:

  • No reporting to the FBI: The Department of Justice publicly opposed the new law for not requiring covered entities to report incidents to the FBI as well. Critics argue that direct notification would let the FBI support affected entities promptly and warn other potentially vulnerable entities about the risk.
  • DNS: Another criticism of the Act is that DNS information is not included in the reporting requirements. Some argue that DNS information is critical to law enforcement investigations and would make it easier to determine the origin of an attack.

What Should “Covered Entities” Do?

Monitor new developments

It is far from certain which entities will be covered by the new reporting requirements, what a report must contain, or which incidents will fall under the Act. CISA will settle these questions through rulemaking, and organizations should closely monitor the proposed and final rules and any guidance CISA issues.

Establish and Implement an Incident-Response Plan

Given that the Act sets 24-hour and 72-hour notification deadlines and specifies the minimum content a report must include, organizations must put in place a robust incident response plan. In practice that means deciding in advance who determines that the entity "reasonably believes" a covered incident has occurred, since that determination starts the 72-hour clock; recording the time of that determination and of any ransom payment; keeping a report template that captures the incident description, the affected systems, the vulnerabilities exploited and the attacker's tactics and techniques; and preserving the relevant logs and forensic data so the report can be supplemented as the investigation progresses.


About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.