Risk Overview
Malicious insider threats come from trusted employees, contractors, or vendors who have knowledge of and access to systems and the capability to bypass security controls and cause harm to the bulk power system. A malicious insider could be manipulated by a threat actor external to the organization or may act alone. The malicious insider often has underlying motivating factors such as unmanaged workplace dissatisfaction, ideology, or financial gain. Impacts can be physical or cyber. This risk does not include unintentional insiders, because they lack motivation; the risk posed by the unintentional insider should be considered alongside other cyber risks, such as Phishing/Ransomware/Malware.
Trends
- There have been no known or reported malicious insider threats to the bulk power system to date.
Recommended Actions
- Establish an insider threat program supported by C-suite executives with representatives from all business areas, have clear use and ethics policies, and foster a security-aware culture with safe reporting mechanisms.
- Prioritize mental health and manage employee expectations.
- Limit access privileges, monitor admin accounts, and track employee activity for anomalous behavior and attempts to increase access privileges.
Mitigating Activities
A suite of NERC CIP standards provides limited controls for this risk.
- CIP-004 requires background checks every seven years on personnel with access to BES Cyber Systems; however, the seven-year timeframe is lengthy and provides limited coverage. Role-based access restrictions in CIP-004 Requirement 4 also provide limited control, since the malicious insider would be a trusted individual with authorized access.
- CIP-005, CIP-009, CIP-010, and CIP-011 provide a defense-in-depth strategy to limit the movement of a threat actor between segments of a BES Cyber System. However, a malicious insider with broad administrative rights may be able to traverse multiple systems easily, which reduces the effectiveness of these standards.
- CIP-006, regarding physical access to BES Cyber Assets or facilities, is focused on monitoring for unauthorized access, which would not apply to an insider who typically already has authorized access. There is an active NERC standards project on internal network security monitoring that could help mitigate this risk by requiring monitoring of activities within a network, which would help identify malicious behavior on a network system even by an insider with authorized access.
MRO staff and the Security Advisory Council created an Insider Threat Program Checklist to help MRO entities develop or enhance their existing insider threat policies and procedures. Submit a request to receive a copy of
Related Resources