In August 2020, news broke that a Tesla employee had been approached by criminals to deploy malware at the company’s Nevada Gigafactory. The recruitment of an insider by criminals is a traditional threat and one which is being exploited by cyber adversaries. The incident prompts security professionals to reexamine their threat models and emphasises the importance of a common approach to managing cyber and physical security.
Best practice mandates that cyber and physical security go hand in hand. In order to secure operations and meet objectives, an organisation requires effective structures and processes, strong governance and risk management, and a joined-up approach to cyber and physical risk mitigation. In this article, we discuss the overlap between cyber and physical security, and the importance of consolidated security management, governance and advocacy in protecting an organisation’s critical systems, networks and data.
GAINING THE INSIDE TRACK
The FBI ultimately arrested a Russian national for attempting to ‘recruit an employee of a company to introduce malicious software into the company’s computer network’.1 Egor Igorevich Kriuchkov and his associates sought to introduce malware to Tesla’s network, extract data, and extort ransom money by offering the employee USD 1 million to install the malware. While not stated in the court documents, the malware was most likely a form of ransomware designed to encrypt a victim’s IT systems, which is popular with cybercriminals practising extortion schemes today. The operation failed when the employee instead reported the incident.
High earnings from extortion have provided ransomware operators with the resources and confidence to develop and test different techniques to target a company’s networks. However, instead of re-inventing the wheel, the group behind the attempted attack on Tesla chose to exploit traditional physical access control vulnerabilities. Exploiting physical security weaknesses is a tactic previously exercised by nation states. Up until now, cybercriminals have been less known for leveraging physical vulnerabilities in an organisation’s defences. A notorious example of nation states exploiting physical access loopholes is the deployment of the Stuxnet malware – developed by Israel and the US – at Iran’s Natanz nuclear facility in 2007.2 The malware was deployed onto the Iranian computer system via USB by a Dutch-recruited insider. The echoes of that attack are felt in the Tesla case, where a USB was one of the potential vectors designed to carry the suspected ransomware.
IT OFTEN COMES DOWN TO ACCESS
Two other recent incidents exemplify how the insider threat or employee access – whether physical or digital – can create information security risks. E-commerce giant Shopify and grocery delivery service Instacart were both forced to investigate security breaches after individuals with access permissions chose to access restricted customer data. In the case of Instacart, the perpetrators were two employees of a contract company who accessed customer profiles without permission.3 In the case of Shopify, law enforcement were alerted after two employees sought to obtain customer transaction details, access beyond their mandate.4
Least privilege access: Who should be allowed where?
The principle of least privilege is a security concept which advocates limiting the privileges of any user, account, programme or process to the minimum privileges required to perform their designated function.
The principle of least privilege has its clear counterpart in physical security. Here, best practice mandates that employees should have access only to the sites and areas necessary for them to carry out their designated duties.
In the cybersphere, this principle is equally important to safeguard an organisation’s systems and networks. It is applied most commonly to administrative rights by limiting those to users with an explicit need for admin privileges. The principle of least privilege aims to reduce the opportunity for threat actors to access critical systems and data by compromising low-level user accounts or devices.
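To make the principle concrete, here is an added example (not code from the original article or from S-RM) that expresses least privilege for both physical zones and data systems in one policy and audits a constructed access log against it. The role names, zone names, data scopes and log lines are illustrative assumptions; the point is that an event outside a role's mandate, whether a badge swipe at a restricted door or a read of a data class the role has no need for, is flagged the same way.

```python
"""Least-privilege policy check across physical zones and data systems.

Added example, not from the original article: a toy policy model that
states what each role may do, then audits a constructed access log and
reports every event that exceeds the role's mandate. Role names, zone
names, data scopes and log lines are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RolePolicy:
    zones: frozenset        # physical areas the role may badge into
    data_scopes: frozenset  # data classes the role may read
    admin: bool = False     # whether the role carries admin rights


# Hypothetical roles. Each grant is the minimum the role needs, and
# admin rights are held only by the role with an explicit need for them.
POLICY = {
    "warehouse_operator": RolePolicy(
        zones=frozenset({"lobby", "warehouse"}),
        data_scopes=frozenset()),
    "support_agent": RolePolicy(
        zones=frozenset({"lobby", "office"}),
        data_scopes=frozenset({"customer_profile"})),
    "dba": RolePolicy(
        zones=frozenset({"lobby", "office", "server_room"}),
        data_scopes=frozenset({"customer_profile", "transactions"}),
        admin=True),
}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    role: str
    kind: str    # "badge" (physical), "data" (record access) or "admin"
    target: str  # zone, data scope or admin action


def parse_event(line):
    """Parse one whitespace-separated log line into an AccessEvent."""
    ts, user, role, kind, target = line.split()
    return AccessEvent(ts, user, role, kind, target)


def evaluate(event, policy=POLICY):
    """Return None if the event is within mandate, else a reason string."""
    role = policy.get(event.role)
    if role is None:
        return "unknown role"
    if event.kind == "badge":
        return None if event.target in role.zones else f"zone {event.target} not in mandate"
    if event.kind == "data":
        return None if event.target in role.data_scopes else f"data scope {event.target} not in mandate"
    if event.kind == "admin":
        return None if role.admin else "admin action without admin rights"
    return f"unknown event kind {event.kind}"


def audit(lines, policy=POLICY):
    """Return (user, kind, target, reason) for every event beyond mandate."""
    findings = []
    for event in map(parse_event, lines):
        reason = evaluate(event, policy)
        if reason:
            findings.append((event.user, event.kind, event.target, reason))
    return findings


# Constructed sample log: a mix of in-mandate and out-of-mandate events.
SAMPLE_LOG = [
    "2020-08-10T09:01 alice warehouse_operator badge warehouse",
    "2020-08-10T09:05 alice warehouse_operator badge server_room",
    "2020-08-10T10:12 bob support_agent data customer_profile",
    "2020-08-10T10:20 bob support_agent data transactions",
    "2020-08-10T11:00 carol dba admin install_package",
    "2020-08-10T11:30 bob support_agent admin install_package",
]

if __name__ == "__main__":
    for user, kind, target, reason in audit(SAMPLE_LOG):
        print(f"{user}: {kind} {target} -> {reason}")
```

Running the block reports three findings: a warehouse operator badging into the server room, a support agent reading transaction records outside their data scope, and the same agent attempting an admin action. Keeping both the physical and the digital grants in one policy is what lets a single audit surface all three.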
“The access that you give employees can be abused by malicious insiders for personal gain or leveraged by external threat actors.”
The cases above highlight how employee access controls – whether physical access or digital access to a network or privileged data systems – can be abused by malicious insiders for personal gain or leveraged by external threat actors. According to the 2019 Verizon Insider Threat Report, 57% of database breaches involved an insider threat within an organisation.5 The Tesla case demonstrates how traditional physical security vulnerabilities can be exploited by cyber threat actors using an insider as a proxy.
Additionally, social engineering exercises highlight how threat actors might exploit digital defences to turn employees into “access points” when targeting a company’s assets. In a recent Red Teaming exercise for a client, S-RM used open source intelligence to build bespoke phishing attacks and gain control over key employee mailboxes. Our social engineering experts subsequently used this information, along with careful physical reconnaissance, to successfully gain access to several client offices. Once inside, the team planted drop devices to maintain access to the client’s internal networks. This facilitated further attacks, such as gaining administrative control and exfiltrating sensitive corporate data.
BREAKING DOWN THE SILOES
Adversaries will continue to exploit known threat pathways – both digital and physical – which serves as an important reminder that cyber and physical security are two sides of the same coin, too often treated in siloes. When physical and cyber security risk management is split amongst security professionals and functions within an organisation, the likelihood of inadequate oversight, alignment and advocacy leading to critical security vulnerabilities increases significantly. Collaborative practices between cyber and physical security professionals play a critical role in securing any organisation’s information systems and infrastructure.
Integrating physical and cyber security practices
Risk, governance and operational security are equally important. Formally constituted, well thought-out policy and plans are the backbone to good physical and cyber security. In addition, the interface between physical and cyber security must be formalised and cohesively and practically applied. This will ensure an organisation’s security controls are able to contain the consequences if a serious risk manifests and ensure organisations are less likely to be blindsided by any new threat or change in the threat landscape.
Penetration tests should encompass both physical and cyber testing. Cyber penetration tests check networks for information security lapses (such as exposed RDP ports) and physical penetration tests identify where physical access controls to a site or facility are inadequate. Penetration tests must be holistic, allowing an organisation to adjust practices based on both physical and information gaps, and based on an informed consensus of risk.
Centralising knowledge gained from risk assessments. Cyber and physical security vulnerabilities should be accounted for in an overall risk assessment and risk register. Only with a thorough risk assessment in place can an organisation be informed about known and reasonably likely threats, identify an effective overall risk management strategy and build resilience.
Align incident response plans. Often cyber and physical security issues combine in complex ways, meaning any security incident and subsequent investigation will require close cooperation by cyber and physical security professionals. There is often a physical security investigation and a cyber incident containment and remediation to deal with, and here the traditional approach of creating incident response plans in siloes is inefficient and inappropriate. Recognising the overlap, and sharing planning and resourcing, is required for an effective investigation into any security incident.
Building a just culture. Personnel are a known residual weakness when protecting an organisation’s assets from attack. It is therefore paramount to build a good security culture at all levels of the business which invites active participation in the company’s defence. Developing a culture that encourages collaboration, not punishment, should be the desired end state for risk management professionals.