Recent years have seen an explosion in the cyber sabotage of critical infrastructure. Strange as it may seem, it has become so widespread that even the common man has begun to feel its effects. From fraudulent transactions in a personal bank account to cyber-attack-induced power failures that bring a whole city to a halt, such incidents have become commonplace in countries throughout the world.
Prevalence of cyber sabotage
When it comes to cyber-attacks, state and non-state actors target computing systems, often those that control a nation’s key infrastructure. Sabotage is carried out for many reasons, ranging from simple disruption of government services to generate panic, to extortion demands and espionage by hostile governments. Certain statistics must be presented to fully grasp the gravity of the issue. According to information presented to Parliament by the Union Home Ministry in March 2021, based on data reported by the Indian Computer Emergency Response Team (‘CERT-In’), India’s primary cyber-security agency, the nation saw a stunning 1.15 million cyber-attacks in 2020. This is a twenty-fold rise over the figure presented in 2016. Subex, a Bengaluru-based ‘Internet-of-Things’ and cyber security company, produced research stating that India is one of the top five most cyber-attacked nations in the world, with threats originating largely from Slovenia, Ukraine, the Czech Republic, China, and Mexico. The majority of attacks target essential infrastructure, such as finance, defense, and industry. Among essential infrastructure, oil and natural gas plants are the most heavily attacked.
Recent instances of cyber sabotage
In 2017, India was badly impacted by the WannaCry ransomware crypto worm, which hit 150 nations and over 40,000 computers. During the same year, the Jawaharlal Nehru Port and APM Terminals Mumbai were crippled by another international trojan ransomware. Hackers successfully stole Rs. 94.42 crore from Pune’s Cosmos Bank in 2018: Rs. 14 crore was routed to a Hong Kong-based bank account and Rs. 80 crore was withdrawn from ATMs in 28 countries. In a separate incident in 2018, hackers gained access to the government’s UIDAI records of 1.1 billion users, which were then openly listed for sale to interested purchasers.
Around the launch of the Chandrayaan-2 mission in 2019, CERT-In discovered malware targeting senior ISRO personnel, attributed to the North Korean hacking group ‘Lazarus’.
In the same year, hackers breached the administrative systems of the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu and collected a large number of records. According to experts, the stolen data may make it easier for hackers to target the reactor’s operational systems in the future, potentially resulting in massive physical damage. RedEcho, a hacker organisation with ties to China, recently targeted India’s power stations, ports, and parts of its railways during the Covid pandemic. There has been a considerable rise in attacks against India’s essential healthcare facilities and pharma corporations such as Lupin and Dr. Reddy’s, aimed at obtaining valuable research and patient data during the pandemic. Ransomware attacks on the pharmaceutical industry have surged the most.
Types of cyber-sabotage attacks
Attacks on key infrastructure do not follow a single pattern, which is quite concerning. They come in a variety of forms. Through cyber espionage, threat actors can gain unauthorised access to personal information and steal classified, sensitive data or intellectual property. Lazarus, a Chinese-North Korean gang, is suspected of orchestrating the KKNPP attack, which took administrative data.
Cyber-sabotage is increasing as well. There was an outage in Mumbai on October 12, 2020, as a result of cyber-sabotage of the Maharashtra State Electricity Board (MSEB). The cybercrime cell identified it as a three-pronged malware attack on the MSEB server, involving the transfer of 8 GB of data and forced log-in attempts from multiple blocked IP addresses.
Another type of attack is the ‘sleeper cyber-attack’. Sleeping malware, like sleeper cells in terrorist groups, is planted in numerous vital systems and later launched remotely to control or damage the infrastructure. According to a US-based intelligence firm, sleeping malware was behind the MSEB attack, which was part of a larger cyber-sabotage campaign by the China-linked group RedEcho.
Due to remote working, India is seeing an upsurge in Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks. These aim to render computers or network resources inaccessible to their intended users by temporarily or permanently disrupting service, inflicting losses of time and money.
Last but not least, another element in cyberwarfare’s arsenal is cyber propaganda: an attempt to manipulate public opinion by controlling information in any form.
Possible leverage points
It is critical to remember that if governments and companies do not embrace global best practices, all other attempts to achieve greater security will be futile.
Here is a three-pronged approach to protecting key infrastructure:
1. The human side
- In terms of cyber security, humans are seen as the weakest link. Nevertheless, raising awareness of cyber threats, teaching people how to detect them, and explaining what motivates people to act maliciously can make a major difference.
- Simultaneously, firms must recognise cyber security as a crucial component of their overall well-being and build a strong policy to ensure it.
- A dedicated cyber security team can be highly beneficial. Such a team can handle a large amount of information while providing round-the-clock protection and supervision of operations. It can protect the firm by adopting new technologies such as network detection and response solutions for improved cyber situational awareness against growing threats.
- A company can also train those in charge of Operational Technology (OT), which covers Industrial Control Systems (ICS) and essential infrastructure.
2. Tackling technology
- It is essential for companies in charge of vital infrastructure to cover the complete spectrum of cyber security: prevention, mitigation, and response.
- Furthermore, response and recovery should not be confined to internal or internet-facing IT configurations. To implement dynamic policies, companies should invest in OT network design and segmentation.
- It is also important to set up security controls and segregation to reduce the risk of error or deception. OT teams should also have secure remote access so that they can assess and respond to risks from any location.
- Technology integrations such as ICS protocol awareness for threat identification, proactive monitoring, and preventive control across IT/OT and diverse OT segments can be advantageous. Companies must also invest in data backup and access control for OT systems.
3. Process scrutiny
- Procedures should be prioritised by critical infrastructure companies.
- Risk assessment and management enable organisations to weigh the economic and operational costs of security precautions. Risk assessment identifies threats and analyses the likelihood of their occurrence, while risk treatment is the process of taking action once threats are recognised. Companies should also conduct cyber security audits to identify hazards to operational technology.
- To determine the effectiveness of cyber security, an industrial control system operator must establish metrics and evaluate the time between threat detection and action. A few essential measures to track are mean time to detect (MTTD), mean time to resolve (MTTR), and mean time to contain (MTTC).
- Supply chain security, which deals with the management of cyber security requirements for IT systems and corporate operating procedures that serve as standards for incident response, risk assessment, and control administration, is also essential.
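The three metrics named above are easy to state and easy to get wrong, so here is an added example (not from the original article) that computes MTTD, MTTC and MTTR from a constructed set of incident records for an OT environment and flags incidents that exceed a detection target. It measures MTTD from occurrence to detection and MTTC/MTTR from detection onward, matching the article’s “time between threat detection and action”; incidents that are still open are excluded from MTTR rather than counted as zero.

```python
"""Compute MTTD, MTTC and MTTR from incident records (added example)."""
from datetime import datetime
from statistics import mean

# Constructed sample incidents (UTC, ISO 8601). 'resolved' is None while an
# incident is still open; such incidents must not be counted towards MTTR.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2021-03-01T02:00", "detected": "2021-03-01T08:00",
     "contained": "2021-03-01T10:00", "resolved": "2021-03-02T08:00"},
    {"id": "INC-2", "occurred": "2021-03-05T22:00", "detected": "2021-03-06T01:00",
     "contained": "2021-03-06T02:00", "resolved": None},
    {"id": "INC-3", "occurred": "2021-03-10T12:00", "detected": "2021-03-10T12:30",
     "contained": "2021-03-10T14:30", "resolved": "2021-03-10T18:30"},
]


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO timestamps; rejects reversed ordering."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"timestamp {end} precedes {start}")
    return delta.total_seconds() / 3600


def metrics(incidents):
    """Return {'mttd_h', 'mttc_h', 'mttr_h'}; a value is None if no incident qualifies.

    MTTD: occurred -> detected.   MTTC: detected -> contained.
    MTTR: detected -> resolved (definitions vary; this is the one used here).
    """
    detect, contain, resolve = [], [], []
    for inc in incidents:
        detect.append(_hours(inc["occurred"], inc["detected"]))
        if inc.get("contained"):
            contain.append(_hours(inc["detected"], inc["contained"]))
        if inc.get("resolved"):
            resolve.append(_hours(inc["detected"], inc["resolved"]))
    avg = lambda xs: mean(xs) if xs else None
    return {"mttd_h": avg(detect), "mttc_h": avg(contain), "mttr_h": avg(resolve)}


def detection_breaches(incidents, max_detect_hours: float):
    """IDs of incidents whose detection time exceeded the target (hypothetical SLA)."""
    return [inc["id"] for inc in incidents
            if _hours(inc["occurred"], inc["detected"]) > max_detect_hours]


if __name__ == "__main__":
    print(metrics(INCIDENTS))                  # MTTD 3.17 h, MTTC 1.67 h, MTTR 15.0 h
    print(detection_breaches(INCIDENTS, 4.0))  # ['INC-1']
```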
What is an insider threat?
- Insider threats in computer security are threats posed by people within an organisation, such as current or former employees, consultants, and business partners. These people can misuse their network access and assets to intentionally or unintentionally reveal, change, or erase confidential material.
- Details of a company’s security measures, consumer and employee records, login credentials, and confidential financial data are all examples of information that could be stolen.
- Insiders pose a substantial risk to companies because of their legitimate access to their companies’ data, systems, and networks. Employees experiencing financial hardship have found it easy to commit fraud using the tools they use at work every day.
- Other employees have stolen confidential information, proprietary knowledge, or intellectual property from their employers, motivated by financial concerns, greed, vengeance, the desire to gain a competitive advantage, or the desire to impress a future employer.
- Moreover, in retaliation for unpleasant work-related events, technical personnel have used their technical abilities to damage their employers’ computers and networks.
The Insider Threat Study was launched in January 2002 by the Carnegie Mellon University Software Engineering Institute’s CERT Program (CERT) and the United States Secret Service’s (USSS) National Threat Assessment Center (NTAC).
The Insider Threat Study has so far produced two reports. One study looked into malicious insider incidents in the banking and financial industry [Randazzo 2004]. The other studied the insider attacks in every key infrastructure sector in which the insider attempted to harm the company, a person, or the data, information system, or network of the business [Keeney 2005].
The CERT project team felt it was critical to use the Insider Threat Study’s wealth of empirical observations to communicate the “big picture” of the insider threat problem: the complex interactions, relative degree of risk, and unforeseen consequences of policies, processes, technology, insider psychological issues, and corporate culture over time.
As a result, the MERIT project was born. MERIT is an acronym that stands for Management and Education of the Risk of Insider Threat.
Considerations about Insider IT Sabotage in General
The following are the general considerations concerning insider IT sabotage.
The risk of committing IT sabotage was higher for most insiders due to personal predispositions
Personal predispositions explain why some employees behave maliciously while peers subjected to an identical environment do not. Certain observable attributes can indicate personal predispositions:
- Serious mental health issues — Alcohol and drug addiction, panic attacks, physical spouse abuse, and seizure disorders are examples of observables from cases.
- Social skills and decision-making biases — Aggression and coercion of colleagues are examples of observables from cases, as are major personality conflicts, unprofessional behaviour, personal hygiene issues, and an unwillingness to conform to norms.
- A history of breaking the rules — Examples of case observables include arrests, hacking, security breaches, reports of bullying, and abuse of travel, time, and expenses.
Due to unfulfilled aspirations, most insiders who committed IT sabotage were dissatisfied
All of the insiders who perpetrated IT sabotage in the MERIT incidents had unfulfilled aspirations. In the Insider Threat Study IT sabotage cases, 57 percent of employees were judged to be disgruntled, 84 percent were driven by vengeance, and 92 percent attacked after a negative work-related event such as dismissal, a dispute with a current or former employer, a demotion, or a transfer.
Examples of unmet expectations include inadequate salary/bonus, lack of promotion, restrictions on online activity, restrictions on the use of company resources, invasions of privacy in the workplace, diminished authority/responsibilities, perceived unfair job requirements, and poor relations with colleagues.
The risk of insider IT sabotage increased in most cases by difficult events, including organizational sanctions
Before their attack, 97 percent of the insiders in the MERIT cases who conducted IT sabotage had one or more stressful occurrences, such as sanctions or other unfavourable work-related events. The majority of insiders who conducted IT sabotage in the Insider Threat Study cases did so after being fired or suspended from their jobs.
Poor performance assessments, reprimands for undesirable behaviour, suspensions for excessive absenteeism, demotion due to poor performance, restricted responsibilities and internet access, pay or bonus disputes, absence of severance packages, newly hired supervisors, divorce, and death in the family are all stressful events that have been observed in cases.
Behavioral antecedents were often observed in insider IT sabotage cases but were overlooked by the company
In the MERIT incidents, 97 percent of the insiders who conducted IT sabotage were flagged by managers or colleagues for suspicious behaviour before the event.
Drug use, conflicts with colleagues, violent or threatening behaviour, improper purchases on company accounts, mood swings, poor work quality, absence or tardiness, sexual harassment, lying about qualifications, dress code violations, and poor hygiene have all been observed as behavioural antecedents in cases. Direct violations of clear company policies and procedures were common behavioural antecedents.
Companies failed to detect technical antecedents in many cases
In the MERIT cases of insider IT sabotage, 87 percent of the insiders executed technical antecedents to the attack that went unnoticed by the company.
The download and use of hacker tools, failure to create backups, failure to document systems or software, unsanctioned access to customers’ or colleagues’ systems, system access after termination, inappropriate internet access at work, and the setup and use of backdoor accounts have all been observed as technical antecedents in cases.
Insiders created or used access paths unknown to management to set up their attack and hide their identity or actions. Most insiders attacked after termination
In the MERIT cases, 75 percent of insiders who carried out IT sabotage created access paths unknown to the company. In the Insider Threat Study IT sabotage incidents, 59 percent were former employees, 57 percent did not have authorised system access at the time of the attack, and 64 percent used remote access.
In many of the cases examined, insiders exploited privileged system access to take technical measures to set up the attack before they were terminated.
Insiders, for example:
- created backdoor accounts,
- installed and ran password crackers,
- installed remote network administration tools,
- installed modems to gain access to the company’s systems, and
- exploited weak security controls in termination procedures.
Many of these actions generated or permitted the use of previously undisclosed access channels.
IT sabotage was made easier by a lack of physical and electronic access controls
In the MERIT IT sabotage cases, 93 percent of insiders took advantage of lax access protections.
Access control flaws observed in cases include:
- colleagues’ computers being left unattended while logged in,
- the ability to create accounts unknown to the company,
- the ability to release code into production systems without validation or awareness by the company, and
- inadequate disabling of electronic and physical access at termination.
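The findings above (unknown access paths, system access after termination, accounts unknown to the company, and inadequate disabling of access at termination) all reduce to reconciliation checks a defender can run routinely. The following is an added example, not code from the article or from the CERT/MERIT project, that reconciles a constructed HR roster, account inventory and authentication log to surface exactly those conditions; usernames, hostnames, the approved service-account list and the log format are all assumptions.

```python
"""Reconcile HR, account inventory and auth logs for insider-access red flags (added example)."""
from datetime import date, datetime

# Constructed HR roster: username -> termination date (None = still employed).
HR_ROSTER = {
    "asharma": {"terminated": None},
    "rkumar": {"terminated": date(2021, 3, 15)},
    "pmehta": {"terminated": date(2021, 2, 1)},
}
# Constructed account inventory from the directory / OT hosts: username -> enabled?
ACCOUNTS = {
    "asharma": True,
    "rkumar": True,        # still enabled after termination: inadequate offboarding
    "pmehta": False,
    "svc_backup": True,    # documented service account (see APPROVED_SERVICE_ACCOUNTS)
    "svc_backup2": True,   # no HR owner, not documented: possible backdoor account
    "admin_tmp": True,     # no HR owner, not documented: possible backdoor account
}
APPROVED_SERVICE_ACCOUNTS = {"svc_backup"}  # assumed list of documented non-human accounts

# Constructed, syslog-like authentication records.
AUTH_LOG = """\
2021-03-16T01:12:03 host=scada-hmi-01 user=rkumar result=success src=203.0.113.7
2021-03-16T09:00:00 host=eng-ws-04 user=asharma result=success src=10.0.5.21
2021-03-17T23:40:10 host=scada-hmi-01 user=admin_tmp result=success src=203.0.113.7
2021-03-18T08:15:00 host=eng-ws-04 user=pmehta result=failure src=10.0.5.30
"""


def parse_auth_log(text: str):
    """Parse '<iso-ts> key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def unowned_accounts(accounts, roster, approved):
    """Enabled accounts with no HR owner that are not documented service accounts."""
    return sorted(u for u, enabled in accounts.items()
                  if enabled and u not in roster and u not in approved)


def enabled_after_termination(accounts, roster, today: date):
    """Accounts still enabled although the owner's termination date has passed."""
    return sorted(u for u, info in roster.items()
                  if info["terminated"] and info["terminated"] <= today and accounts.get(u))


def post_termination_access(events, roster):
    """Login attempts (successful or not) by users after their termination date."""
    hits = []
    for e in events:
        info = roster.get(e["user"])
        if info and info["terminated"] and e["ts"].date() > info["terminated"]:
            hits.append((e["user"], e["ts"].isoformat(), e["host"], e["result"]))
    return hits


if __name__ == "__main__":
    print(unowned_accounts(ACCOUNTS, HR_ROSTER, APPROVED_SERVICE_ACCOUNTS))
    print(enabled_after_termination(ACCOUNTS, HR_ROSTER, date(2021, 3, 20)))
    print(post_termination_access(parse_auth_log(AUTH_LOG), HR_ROSTER))
```

A successful login by `admin_tmp` is caught by the first check rather than the third, since an account with no HR owner has no termination date to compare against; in practice the unowned-account list is what to investigate first.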
Repercussions for targeted companies
- Insider activities resulted in cash losses for corporations, as well as detrimental effects on their company operations and reputational damage.
- Incidents have an impact on data, systems/networks, and parts of the company.
- The insider targeted many areas of companies for sabotage.
- Insiders harmed particular individuals in addition to causing harm to companies.
- Policies and procedures should be developed to ensure the survival of important assets.
- Backup and data recovery processes must be followed and evaluated regularly.
Policies and procedures should be developed to ensure the survival of important assets
- Insiders had plenty of opportunities to understand which assets were most vital to the company’s business and to use flaws in those resources or their management to do harm.
- Since essential applications and computer systems are likely targets of insider attacks, risk management for the survivability of those assets should be considered.
- By attacking applications, insiders harm enterprises by directly interfering with the crucial processes linked to those applications. Some companies have been forced to negotiate with insiders for the recovery of data or to hire outside expertise to try to recover it.
- Network breaches not only cause immediate harm but also disrupt normal modes of communication, increasing unpredictability and interruption in organisational processes, including recovery from the attack. This is particularly true of insider attacks, because insiders are well-versed in corporate communication mechanisms and may deliberately strive to disrupt them during an attack. Companies can limit this impact by multi-homing: keeping trustworthy communication channels outside the network with enough capacity to sustain key operations in the event of a network loss.
- Companies need to deal with possible insider threats proactively. Steps must be taken to ensure an environment in which procedures are routinely assessed for their durability and robustness against attacks by well-placed insiders. Vital company data must be securely safeguarded and evaluated regularly. The scale of the impact seen in these cases justifies the cost of such measures.
Backup and data recovery processes must be followed and evaluated regularly
- Standard protective procedures, particularly backups, will not always be effective in the face of insider threats.
- There have been cases of attackers deleting backups, stealing backup media, or carrying out other acts that could not be reversed because backup storage was malfunctioning.
- In one instance, the employee erased crucial data that he knew was not backed up, since he was the person in charge of backups.
- To defend against insider threats, companies must ensure that backups are not only performed and tested regularly, but that the media and data are also protected from alteration, theft, or deletion.
- Consolidation of important assets, combined with backup destruction, allowed some insiders to increase the severity of their attack by eliminating redundant copies and recovery paths.
- Consolidation reduces asset dispersal and duplication, both of which are critical components of survivable operations.
- While consolidation can improve a company’s productivity, it is important to ensure that backups are taken regularly and are protected, to provide continuity of operations in the event of loss or damage to consolidated data.
Cybercriminals are targeting OT networks because they believe they can cause more disruption there than in IT systems. OT is at the heart of systems that, if compromised, could result in outages of important services. As a result, a committed security provider is needed to properly manage each of the three aspects of cyber security: people, processes, and technology. AI-enabled tools can support the identification, protection, detection, response, and recovery functions for these systems.
Furthermore, the danger is not limited by geographical boundaries. To keep up with the novel methods of disruption that hackers rapidly adopt, this area of cybersecurity law and regulation requires a rapid upgrade. Detailed legislation would close this gap and ensure a more rigorous mechanism to deal with the twenty-first-century curse of cyber-attacks on vital infrastructure.
The system dynamics approach was found to help structure and focus the team’s dialogue. This was significant because team members came from various fields, such as psychology and information security. Using available empirical data, system dynamics modelling can bridge this scientific gap and convert the best available evidence into recommendations for policies, procedures, and tools to limit insider danger. Hackers are constantly improving their arsenal; staying up to date on them is therefore critical.