Is your Operational Technology (OT) environment insider safe?

Organisations need to exercise due diligence and care to ensure their vendors, contractors, and trusted business partners have adequate security controls in place to prevent damage and mitigate risk to the organisation.

Safety is the mantra in an operational technology (OT) environment. Accidents that may shut or slow down production are some of the biggest fears manufacturing and production organisations have. These organisations go to great lengths to make their operations as safe as possible. The drive for safety, along with profitability, led to automation and robotics, which allow machines to take the place of people. This led to OT development.

But automation and robotics still need people to make the necessary adjustments and keep the machines running correctly. People are one of the weakest links, if not the weakest, in this automated, robotic OT chain. People make mistakes, sometimes act before considering all the consequences, and yes, are sometimes motivated by selfish desires. The organisation necessarily gives people access to its critical resources, the machines that make the product the organisation sells. We call these people insiders: anyone who has or had authorised access to the organisation’s critical resources, whether an employee, contractor, vendor, or trusted business partner. Bear in mind that as automation increases and the number of people needed decreases, the remaining people are entrusted with greater responsibility. They have greater access to more critical resources, which also gives them the opportunity to cause more harm. If these insiders represent one of the greatest risks to these organisations, shouldn’t the organisation’s insider risk program be one of its most important safety, not to mention security, programs? You’d be surprised to learn that many, if not most, manufacturing and production organisations don’t have a holistic insider risk program, let alone make it one of the organisation’s most important safety programs.

Here are just a few examples to consider:


What’s the worst that an insider could do? In 2014, a telecommunications contract engineer for the Federal Aviation Administration in Chicago accessed and cut wiring for critical communications and radar systems, poured gasoline on them and lit them, causing radar and communications blackouts for the Chicago and Midwest airline and air traffic hubs. The damage cost tens of millions of dollars and took seventeen days to repair. Why did he do this, you ask? He blamed his employer for his depression and poor mental health. The final straw for the insider was his employer’s decision to transfer him to another location.[1]

While this incident did not happen in an OT environment, it certainly could have. Imagine one of your organisation’s employees suddenly starts ripping out wiring and destroying consoles in the control room. Depending on how quickly coworkers were able to stop the employee, this could set operations back weeks or even months. Such an incident would certainly affect the organisation’s bottom line, but what about its brand name and reputation? What if the product your organisation was producing was so vital to your customer that they had to go to a competitor, at least temporarily, to mitigate the customer’s losses? I can see how this could happen in nearly any manufacturing or production organisation.

Individuals don’t simply wake up one day and decide they’re going to hurt the organisation they work for. The intent develops over time, as their ability to cope with both work-related and personal pressure decreases. During this development, their conduct deviates from what’s typical for them, and they likely don’t realise it is happening. They might be more irritable, have less patience, or display a negative tone in their communication with peers and supervisors. These are things coworkers and managers may see. As these indicators accumulate and their capacity to cope with pressure lessens, they travel along the idea-to-action continuum, and their insider risk increases. A holistic insider risk program can interrupt the idea-to-action continuum, mitigate the insider risk and harm to the organisation, and possibly allow the organisation to retain a valuable employee.

Trusted business partners/vendors

The mission and focus of OT organisations is to create and sell their products. This focus requires alliances with vendors and other business partners for support functions, especially in automation. Good business practice requires that we apply due diligence and due care standards when choosing vendors, and considerably more so when creating trusted business associations, but are those standards adequate? Is there a process in place that allows the organisation to verify that the partner or vendor is actually following the policies and procedures reviewed during due diligence?

We give contractors, vendors, and trusted business partners physical and network access to our critical resources and assets on a regular basis. Like our employees, we trust they will act appropriately and professionally. But is that trust misplaced? We have all seen the movie in which a spy poses as a telecom worker to gain access to and tap network communications for critical intelligence, but have we ourselves conducted a physical pen test to verify that our controls would detect and thwart such a ruse? When one of your automation vendors comes into your facility to update software or flash firmware, do you have your own archive of the system software, firmware, and configuration to restore from if you later learn the vendor’s system had corrupted content? If malware is hidden on the vendor’s device, as some advanced persistent threat actors have done in the past, the vendor’s representative may not even know they are creating this security breach. Think this can’t happen to you? A 2018 study revealed that 44% of USB devices scanned across 50 industrial sites held files containing malware.[2] Remember that when you let a vendor or trusted business partner in the door, you are also letting in everyone on their supply chain.
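One practical way to act on the "keep your own archive" control above is to record a hash manifest of the controller software, firmware and configuration files before a vendor visit, and to compare the live system against that manifest afterwards, so that any unexpected change is detected and the archived copy can be restored. The script below is an added example, not code from the original post or from any vendor's tooling; the directory layout and file names (`plc/firmware.bin`, `plc/config.xml`, `hmi.ini`) are constructed for illustration.

```python
"""Baseline manifest check for OT software, firmware and configuration files.

Added example (not from the original post). Before a vendor visit, hash every
file in the organisation's own archive into a manifest stored offline; after the
visit, compare the live tree against the manifest. File names used in the demo
are constructed for illustration only.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large firmware images do not need to fit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(manifest: dict[str, str], root: Path) -> dict[str, list[str]]:
    """Compare a live tree against a stored manifest.

    Returns relative paths whose contents changed, that appeared, or that vanished.
    Any non-empty list means the archived copy should be consulted before the
    system goes back into production.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: golden archive before, live tree after a vendor update."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "golden"   # the organisation's own offline copy
        live = Path(tmp) / "live"        # what is actually on the system afterwards
        for base in (archive, live):
            (base / "plc").mkdir(parents=True)
            (base / "plc" / "firmware.bin").write_bytes(b"\x7fFW-v2.1" + b"\x00" * 64)
            (base / "plc" / "config.xml").write_text("<cfg><setpoint>80</setpoint></cfg>")
            (base / "hmi.ini").write_text("[hmi]\nscreen=main\n")

        manifest_json = json.dumps(build_manifest(archive), indent=2)  # store this offline

        # Vendor visit: firmware re-flashed, an extra binary left behind, one file gone.
        (live / "plc" / "firmware.bin").write_bytes(b"\x7fFW-v2.2" + b"\x00" * 64)
        (live / "plc" / "vendor_tool.exe").write_bytes(b"MZ")
        (live / "hmi.ini").unlink()

        return verify(json.loads(manifest_json), live)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself should live with the offline archive, not on the controller or engineering workstation the vendor touches; otherwise a compromised update could rewrite both the files and the record used to check them.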


The above examples illustrate that the OT environment is susceptible to insider risk and needs an insider risk program to oversee and ensure that adequate, holistic controls are in place to prevent, detect and respond to insider risk and threats. While every organisation wants to be able to completely trust its employees, vendors, contractors, and trusted business partners, that just isn’t realistic in today’s world, where risk mitigation is a business essential. Balancing the need to give employees suitable tools, conditions, opportunities, and autonomy to carry out their responsibilities and continuously improve the organisation, while maintaining adequate insider risk safety and security controls to detect and intervene when an insider is heading down an inappropriate path, is no small feat. It requires an adequate commitment of organisational resources. Similarly, organisations need to exercise due diligence and care to ensure their vendors, contractors, and trusted business partners have adequate security controls in place to prevent damage and mitigate risk to the organisation. A holistic insider risk program can help organisations with an OT environment accomplish these objectives.

To find out more about how we can help you, visit our cybersecurity services page.

Follow Dan Leyman on LinkedIn.
