Cybersecurity is a critical aspect of plant and machine safety, but all the firewalls and air gaps in existence cannot stop a more insidious threat vector: social engineering. For highly secure processes that cannot risk a breach, it is important to look beyond the controls that can be applied on a computer.
What Is Social Engineering?
Social engineering is not a ‘hack’ so much as a means of manipulating or coercing someone into giving up access to secure areas or private information. Phishing is its best-known form: the attack succeeds through manipulation of a person rather than through brute force or a complicated technical exploit.
Take, for instance, the case of a penetration tester who managed to infiltrate highly secured facilities using only tools like Facebook, a printer, and a phone: Motherboard, How I Socially Engineer Myself into High Security Facilities. While that breach was a planned test of facility security, it is a dramatic example of what malicious actors can accomplish with only a little time and access.
How to Prevent Social Engineering
To prevent this kind of attack, make sure that all employees share the same level of security awareness. From IT to OT to facility staff in reception areas, establish a system of verification and checks so that no unqualified person gains access to facilities or equipment.
Establish traceability for integrators and maintenance personnel – ‘Trust, but verify’ should be the mantra for anyone who regularly has access to the facility. This includes maintenance personnel, cleaning services, third-party sales representatives, and integrators. All visitors should be logged, and their activities should be monitored whenever they are in proximity to information or equipment. No system or machine should be accessible without individual username-and-password authentication; shared or default accounts defeat the traceability you are trying to establish. For example, when the telephone technician comes to service the lines, confirm that the appointment was verified in advance and that the person servicing the equipment is the same person the company scheduled. For more informal visits like food delivery, ensure that unauthorized persons are never allowed to travel alone through the facility.
Have Employees Test Media Even From Trusted Sources
Sophisticated social engineering may use roundabout methods of gaining access, such as tampering with the hardware of trusted service providers or employees. A social engineer may offer an employee a thumb drive filled with free software or music (and malware), hoping they will later use that drive inside the secured area on trusted computers. Policy should require that no media originating outside the secure facility is used on any system until IT has tested it, and the same check should apply to media brought in by trusted vendors and integrators.
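One way IT can implement that media test is a dedicated check station that never lets a file reach a plant machine without being inspected first. The script below is an added example, not code from the original article: it assumes the vendor or integrator supplied a SHA-256 manifest of the files IT expects on the media, and it reports anything auto-launching, anything with an executable header hiding behind a harmless name, anything not in the manifest, and anything whose hash does not match. The blocked-name list, the sample "USB stick" contents and the manifest are all constructed for the demo.

```python
"""Removable-media check for a 'media test station'.

Added example (not from the original article). Assumes IT holds a SHA-256
manifest, supplied by the vendor, for every file it expects on incoming
media; anything not in that manifest, plus anything that looks executable
or auto-launching, is reported before the media is allowed into the
secure area.
"""
import hashlib
import os
import tempfile

# File types that should never be needed on data media destined for a plant
# network. These lists are this example's choices, not a standard.
BLOCKED_NAMES = {"autorun.inf", "desktop.ini"}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".lnk", ".js", ".vbs", ".ps1",
                      ".bat", ".cmd", ".hta", ".msi"}
# Magic bytes for Windows PE images ("MZ") and ELF binaries.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def sha256_of(path):
    """Hash a file in chunks so large firmware images do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_executable(path):
    """Check the first bytes rather than trusting the file extension."""
    with open(path, "rb") as f:
        head = f.read(4)
    return head.startswith(EXECUTABLE_MAGIC)


def scan_media(mount_point, manifest):
    """Walk a mounted volume and return sorted (relative_path, reason) findings.

    manifest: dict mapping relative path -> expected SHA-256 hex digest.
    Files whose digest matches the manifest are accepted; everything else is
    a finding. An empty list means the media passed.
    """
    findings = []
    seen = set()
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, mount_point).replace(os.sep, "/")
            seen.add(rel)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if lower in BLOCKED_NAMES or ext in BLOCKED_EXTENSIONS:
                findings.append((rel, "blocked file type"))
                continue
            if looks_executable(full):
                findings.append((rel, "executable header under non-executable name"))
                continue
            expected = manifest.get(rel)
            if expected is None:
                findings.append((rel, "not in vendor manifest"))
            elif sha256_of(full) != expected:
                findings.append((rel, "hash mismatch against manifest"))
    # A file the vendor listed but the stick lacks is also worth a question.
    for rel in manifest:
        if rel not in seen:
            findings.append((rel, "listed in manifest but missing from media"))
    return sorted(findings)


def demo():
    """Constructed sample: a 'vendor USB stick' with one legitimate PLC project
    file, a planted autorun.inf, a PE file renamed to look like a PDF, and an
    unexpected folder of free music. Returns the findings list."""
    with tempfile.TemporaryDirectory() as stick:
        def write(rel, data):
            p = os.path.join(stick, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)

        project = b"<plc-project>constructed sample</plc-project>"
        write("firmware/line3.project", project)
        write("autorun.inf", b"[autorun]\nopen=setup.exe\n")
        write("manual.pdf", b"MZ\x90\x00" + b"\x00" * 60)   # PE disguised as PDF
        write("free_music/track1.mp3", b"ID3" + b"\x00" * 32)

        manifest = {"firmware/line3.project": hashlib.sha256(project).hexdigest()}
        return scan_media(stick, manifest)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

The point of the manifest is that "it came from our integrator" is not evidence of anything; only a hash that matches what the integrator separately told you to expect is. In the demo only the PLC project file passes; the autorun file, the disguised executable and the extra music folder are each reported with a reason, so the technician at the station has something concrete to escalate rather than a vague "looks odd".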
Build a Culture of Skepticism
Social engineers use tactics that put pressure on employees. They may demand information that must be delivered by the end of the day for a purpose that is difficult to verify in that time. They may make an emotional appeal for help by suggesting a friend or coworker will be in trouble if they do not get the access they require. They may also claim to have already received approval from a higher-ranking employee.
Employees should receive training on which information is acceptable to give out over the phone, such as business hours or contact details for general email accounts, and which information is never acceptable, such as confirming employee names or giving out direct phone numbers.
As with technical attacks, there is no way to eliminate social engineering entirely. But by building a culture of ‘trust but verify’, identifying the assets that must be protected, and training employees to apply a healthy skepticism when asked for information, the risk of a social engineering breach can be reduced.