On Sunday night, Tesla CEO Elon Musk sent an email to all employees alleging there was a saboteur within the company’s ranks. Musk said this person had conducted “quite extensive and damaging sabotage” to the company’s operations, including by changing code to an internal product and exporting data to outsiders. IT security experts commented below.
Chris Morales, Head of Security Analytics at Vectra:
“Trusted users always pose the highest risk as they have the means and only lack the motivation. In this instance, the motivation sounds personal, and that is quite often the case in corporate sabotage. It is not clear how this event was detected, but it sounds like it was discovered after the damage already occurred and there is still work to uncover the extent of that damage.
I see this as a problem between approved and unapproved behaviour as it was a trusted user who obfuscated their actions with fake accounts that clearly should not have existed or have been used to make changes to production code or to transfer large volumes of data to untrusted third party entities. The challenge is in understanding the difference in approved and unapproved behaviours as they occur and to prioritise the riskiest behaviours so that an immediate response can be formulated, before the damage is done.”
Joseph Carson, Chief Security Scientist at Thycotic:
“This will likely be a major lesson for Tesla, and hopefully this is not related to the recent accidents with their vehicles, which I am sure the regulators will be looking into if they are related. It shows why privileged access was moved to the top #1 project for organisations in 2018 according to Gartner, so such incidents are less likely to happen in the future.”
Bill Evans, Director at One Identity:
“If ever there has been proof of the need for better cybersecurity, this is it. It appears that even Tesla has not completely solved this challenge. To be clear, the challenge as laid out here likely lives in two areas – first, access governance. Access governance is ensuring the right people have access to only the right stuff at the right time. By ensuring those that create code can’t also insert this code into production environments, organizations can limit their risk and exposure. Second is privileged access management (PAM). PAM is making sure that an organization can control, audit and secure those individuals with elevated or admin access.
While it’s impossible to determine exactly what happened at Tesla, smart organizations have already deployed access governance and privileged access management to help mitigate cyber risk.”
Thomas Richards, Associate Principal Consultant at Synopsys:
“Although companies need to inherently trust their employees, all work should still be monitored and verified before code can enter production. Any unnecessary or unusual access to code and resources should be investigated. All login attempts both successful and not successful should be monitored and reviewed for inconsistencies. Sensitive data including code or other organisational assets should also be protected and segmented from general access inside the environment. Additionally, workstation controls should be put in place to prevent employees from moving data onto removable media. Account creation and authorisation should be handled by a centralised group who will vet and verify requests for account creation and access.”
Thomas Nuth, Director at Nozomi Networks: