Risk 7: Malicious Insider Threat

HIGH RISK

Risk Overview

Description:

An insider threat involves employees, contractors, or vendors who leverage their legitimate access and specialized knowledge to launch physical or cyber attacks against corporate networks or operational control systems. Whether motivated by personal grievances, financial gain, or external manipulation, these individuals are particularly dangerous because their authorized status allows them to bypass traditional security perimeters and remain undetected.

This risk encompasses both malicious actors who intentionally sabotage critical infrastructure, including field assets, and negligent individuals whose unintentional mistakes result in significant security breaches.

Key Drivers and Trends:

There are limited detective controls during the precursory stages of an attack. Technical indicators, such as computer logging of suspicious events, typically occur after an insider has begun their attack. Industry security experts from across the region suggested classifying this risk as high because of the access a malicious insider might have to control systems that operate the bulk power system.

Trends include:

  • Across all sectors in 2024, 65% of insider incidents were unintentional mistakes, while malicious actions contributed to 31%.
  • Across all sectors, the malicious insider threats trended downward from approximately 8% in 2023 to 6% in 2024.
  • Some utilities in the region have developed insider threat programs and are increasing background checks.
  • Social and political unrest contributes to motivation to do harm.
  • Utilities are increasing the use of contracted services, which may not be subject to the same controls as direct employees.

Event History:

  • Between January 30 and February 1, 2024, an employee at a Canadian nuclear plant in Ontario made online posts about security vulnerabilities at the plant. The employee was charged under Canadian law that prohibits communicating “safeguard information” to a foreign entity or terrorist group.
  • An infrastructure engineer at an industrial company locked systems, deleted backups, and changed passwords to extort the company for a $750,000 ransom to restore access. This event is provided to highlight the type of impact workers could have on systems used to control bulk power system assets.

Actions to Reduce Risk:

The following mandatory NERC Reliability Standards exist, or are under development, to help mitigate this risk:

NERC Reliability Standard(s) and Mitigating Actions:

  • CIP-005-7 (Electronic Security Perimeter), CIP-007-6 (System Security Management), CIP-009-6 (Recovery Plans for BES Cyber Systems), CIP-010-4 (Configuration Change Management and Vulnerability Assessments), and CIP-011-3 (Information Protection): Provide defense-in-depth measures to limit movement of threat actors within defined systems, harden cyber assets, aid in system recovery and change detection, and limit access to repositories of power system information. Collectively, these standards are controls protecting medium and high impact Bulk Electric System cyber equipment. However, these standards do not cover low impact assets that could still affect system reliability.
  • CIP-015-1 (Internal Network Security Monitoring): Provides requirements for Internal Network Security Monitoring for Bulk Electric System cyber equipment at high and medium impact assets. This improves the probability of detecting anomalous or unauthorized network activity by a malicious insider and improves response and recovery from an attack. Upon approving the standard, FERC issued Order No. 907 to expand the scope by including additional cyber equipment used for electronic access control and monitoring, and physical access control systems. The modifications are ongoing in project 2025-02 Internal Network Security Monitoring Standard Revision.

Other recommended actions include:

  • Apply the Secure Connectivity Principles for Operational Technology (OT) framework listed in Nation-State Threats.
  • Collaborate with others across the company to develop an Insider Threat Program with support from top management.
  • Build a culture of security within your organization through employee training, policies on the acceptable use of company resources, and reporting mechanisms for suspicious behavior. (Concerned employees are the best early detector of insider threats.)
  • Offer employee support programs for mental health and wellness to reduce the risk of insider threats by managing dissatisfaction.
  • Subject to applicable laws and regulations, consider the use of behavioral analytics on employees’ activities to help identify changes in work patterns and follow up on those changes.
  • Move towards Zero Trust architecture, starting with operational control systems of the bulk power system. Verify each access request as if it originates from an untrusted network, as opposed to the perimeter method that assumes everything from within the trusted network is safe.
  • Limit access to the least privilege for a job role.
  • Limit the use of administrator accounts, review access grants, and monitor for access creep.
  • Limit lateral movement by implementing more granular systems and network segmentation.
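The least-privilege, access-creep and work-pattern recommendations above can be turned into a routine review. The following is an added example, not part of this report or any utility's program; the job roles, entitlements, shift hours and access log are all constructed for illustration.

```python
# Added example (not from the original report): a least-privilege review that
# flags access creep against a per-role baseline and, separately, a change in
# an employee's work pattern (off-hours access to control systems). Every role
# name, entitlement and log record below is constructed for illustration.
from collections import defaultdict
from datetime import datetime

# Hypothetical least-privilege baseline: the entitlements each job role needs.
ROLE_BASELINE = {
    "control_room_operator": {"ems_view", "ems_control"},
    "protection_engineer": {"relay_config", "historian_read"},
    "it_helpdesk": {"ad_password_reset"},
}

# Constructed entitlement snapshot: user -> (role, entitlements currently held).
GRANTS = {
    "alice": ("control_room_operator", {"ems_view", "ems_control"}),
    "bob": ("protection_engineer", {"relay_config", "historian_read", "ems_control"}),
    "carol": ("it_helpdesk", {"ad_password_reset", "domain_admin"}),
}

def find_access_creep(grants=GRANTS, baseline=ROLE_BASELINE):
    """Return {user: sorted excess entitlements} held beyond the role baseline."""
    creep = {}
    for user, (role, held) in grants.items():
        excess = held - baseline.get(role, set())
        if excess:
            creep[user] = sorted(excess)
    return creep

# Constructed access log, one "timestamp,user,system" record per line.
# Hours 07:00-18:00 are treated as the normal shift for this illustration.
ACCESS_LOG = """\
2025-03-03T09:12:00,bob,relay_config
2025-03-04T14:40:00,bob,historian
2025-03-05T02:15:00,bob,ems_control
2025-03-06T03:02:00,bob,ems_control
2025-03-03T08:00:00,alice,ems_control
"""

def off_hours_access(log=ACCESS_LOG, start=7, end=18):
    """Return {user: [(timestamp, system)]} for accesses outside the shift window."""
    hits = defaultdict(list)
    for line in log.splitlines():
        ts, user, system = line.split(",")
        hour = datetime.fromisoformat(ts).hour
        if not (start <= hour < end):
            hits[user].append((ts, system))
    return dict(hits)
```

In practice the baseline would come from the role definitions in the identity system and the log from the CIP-015 monitoring data, and each hit would be routed to the insider threat program for follow-up rather than acted on automatically.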