Malicious Insider Threat

Risk Overview

Malicious insiders are considered to be an employee or a contractor/vendor integrated into the workplace that have motivation, knowledge, and legitimate access to more easily attack a utility’s cyber systems or physical assets. An insider motivated by unmanaged workplace disgruntlement, ideological reasons, or financial gain could compromise systems or render them inoperable which can degrade grid reliability. Utilities should have a robust insider threat program supported by executive management that builds a culture of security that encourages employees to look out for each other and address unusual behavior. Utilities should also limit employee access based their position’s requirements, vet employees before granting access, and segment systems to minimize impact.

Key Drivers and Trends

• Insiders are difficult to detect by technical means, such as endpoint logging.
• There are many examples of financially motivated insiders across other sectors and government, and continuing social and political unrest.
• Utilities are increasing their use of contracted services, which may not be be as heavily scrutinized as employees.

Actions to Reduce Risk

• Create a top-down Insider Threat Program with a focus on security culture, employee well-being, and collaboration. Employees are crucial for early detection.
• Use data analytics on network and endpoint logging.
• Limit the impact of an event by implementing Zero Trust Architecture, using least privilege role-based access control, and dividing networks and systems into smaller pieces.
• Comply with NERC Reliability Standards CIP-005-7 (Electronic Security Perimeter), CIP-009-6 (Recovery Plans for BES Cyber Systems), CIP-007-6 (System Security Management), CIP-010-4 (Configuration Change Management and Vulnerability Assessments), and CIP-011-3 (Information Protection) which collectively provide defense in depth.
• Review Project 2023-03 Internal Network Security Monitoring (INSM) that is creating a new CIP standard to improve detecting anomalous or unauthorized network activity.

Related Resources

• MRO staff and the Security Advisory Council created an Insider Threat Program Checklist to help MRO entities develop or enhance their existing insider threat policies and procedures. Submit a request to receive a copy.
• The National Insider Threat Task Force (NITTF) created the Insider Threat Program Maturity Framework to help government agencies improve their insider threat programs.
• National Insider Threat Awareness Month is a campaign held every year to educate government and industry about insider threats. This website offers tools and training materials to help organizations build insider threat programs.
• Zero Trust Security for Electric Operations Technology is a white paper to inform the sector about Zero Trust concepts and to provide considerations and recommendations on adopting Zero Trust controls in Operational Technology and Industrial Control System environments. Zero Trust is a collection of concepts that drives least privilege further, building upon historical controls and perimeter-based security models, rather than tearing them down.