PUBLIC
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 1
They’re People Not Data!The Human Side of Insider Cyberthreats
Dawn M. Cappelli, VP and Chief Information Security OfficerRockwell Automation
Susan Schmitt, Senior Vice President Human ResourcesRockwell Automation
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 2PUBLIC
Rockwell Automation Industries
Automotive
FoodBeverage Entertainment
Life Sciences
Marine Metals
Household & Personal
Care
Fibers & Textiles
Mining, Minerals &
Cement
Oil & Gas
Power Generation
Pulp & Paper
Tire &Rubber
Infrastructure
Print & Publishing
Semiconductor & Electronics
Water Wastewater
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 3PUBLIC
Agenda Convince you that insider risk cannot be mitigated unless your team,
processes, and technical tools are people-focused
Describe how Human Resources (HR) and managers are critical partners in providing a people-focused approach for Rockwell Automation’s insider risk program
Provide practical tips that you can use at your company next week to start building this type of a people-focused program
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 4PUBLIC
Who Are You?
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 5PUBLIC
Potential Insider Threat?
https://www.youtube.com/watch?v=6AlqHORFFaE
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 6PUBLIC
Essential Participants in an Insider Risk Program
Human Resources
IT / Information
SecurityManagementInsider Risk
TeamLegal
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 7PUBLIC
What Does Your Insider Risk Program Look Like?
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 8PUBLIC
Are You Stopping Your IP From Walking Out Your Door?
Symantec, 2013: What's Yours Is Mine: How Employees are Putting Your Intellectual Property at Risk. http://bit.ly/XFjYwQ
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 9PUBLIC
Are You Stopping Your IP from Walking Out Your Door?
Statistically, half of the people leaving your company are taking confidential corporate information with them!
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 10PUBLIC
What You Don’t Know CAN Hurt You!
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 11PUBLIC
Focus on the PEOPLE!
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 12PUBLIC
Turn Research into a Practical Program
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 13PUBLIC
Focus Your Limited Resources
• 50% of insiders who steal IP do it within 1 month of leaving the company
• 70% within 2 months• Over 80% within 3 months
Software Engineering Institute, 2013. Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders: http://repository.cmu.edu/cgi/viewcontent.cgi?article=1731&context=sei
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 14PUBLIC
An Unusual End to a Theft of IP Case!
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 15PUBLIC
The Scene of the Attack
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 16PUBLIC
The Weapons
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 17PUBLIC
Lessons Learned CERT’s 90 day window works! HR’s role is essential Beware of social engineering by insiders, not just outsiders
Understand and be on the watch for cultural norms surrounding authority
Never give up! Communicate carefully - especially when there are
language / cultural issues Trust but verify
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 18PUBLIC
SCADA System –Insider Cyber Sabotage
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 19PUBLIC
Medical System –Insider Cyber Sabotage
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 20PUBLIC
Financial System - Insider Cyber Sabotage
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 21PUBLIC
A New People Focus –Insider Cyber Sabotage
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 22PUBLIC
HR: Your Global Team
If you can educate HR to understand the warning patterns of behavior and contextual issues, then they can be your eyes and ears across the globe
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 23PUBLIC
Early Warning of Employees at Risk for
Sabotage is Critical!
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 24PUBLIC
Early Warning of Organizational Risk of Sabotage is Critical!
If a technical team like IT or a software engineering team is under significant stress, it is important for the managers to take a step back and carefully consider whether they have anyone exhibiting these behavioral patterns.
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 25PUBLIC
Employee sabotaged his team by shutting down their server …
Rockwell Automation Insider Cyber Sabotage Case
They had to rebuild all of their virtual machines and it cost them 3 days as they worked on a tight customer deadline
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 26PUBLIC
Your Action Plan – The Next 3 Months
Get HR and Legal on Board
Work with IT to create auditing capability
Begin training HR
Build the Foundation
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 27PUBLIC
Your Action Plan – Month 4
Begin a Pilot REMEMBER
You have a 50/50 chance of discovering someone trying to take confidential information every time you do an audit!!
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 28PUBLIC
Your Action Plan – Months 5-6
GO GLOBAL!
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 29PUBLIC
Your Action Plan – Months 7 and Beyond
Create investigations playbook
Train HR and management on Insider Cyber Sabotage
Automate
Mature the Program
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 30PUBLIC
Final Thoughts -The Changing Threat Landscape
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 31PUBLIC
Emerging Threat: Arrest of Engineers Associated with ISIS
Energy Sector Infrastructure SW Development Digital Business
• Engineer working for Indian Oil Corporation arrested (6/16)
• UK Navy Officer who managed oil fields for ISIS arrested in Kuwait (7/16)
• Petroleum engineer from Britain moved to Syria to work in oil production for the Islamic State arrested in Kuwait (7/16)
• Civil engineering dropout arrested in India (7/16)
• Former Flight Engineer arrested in Malaysia (5/16)
• Software Engineer – the Amir of an ISIS cell - arrested in India (1/16)
• Computer engineer in UAE arrested (6/16)
• Electronics engineer from India arrested in Saudi Arabia (7/16)
• Web designer arrested in India (1/16)
2
1
4
5
6
78
9
3
1
2
4
5
6
7
8
9
3
PUBLIC
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 32
We all need to work together to predict and defend against emerging threats
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 33PUBLIC
Change the Perception of Insider Risk from this…
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 34PUBLIC
To This!
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved. 35PUBLIC
Contact Information
Please direct comments and questions to:
Susan SchmittSenior Vice President Human Resources
Rockwell Automation
Dawn CappelliVice President and Chief Information Security
OfficerRockwell Automation