January 3, 2024
September 4, 2024

The Elephant in the Room: Internal Threats to OT Networks

Insider risk covers 100% of users, whether the risk is intentional or unintentional. Gartner said it best: “Not every insider risk becomes an insider threat; however, every insider threat started as an insider risk.” The 2023 Ponemon Cost of Insider Threats Global Report stated that 75% of incidents resulted from non-malicious insiders (55% negligent, 20% careless) and 25% from malicious insiders.

Understanding Insider Risks in OT Networks

Negligent employees fail to protect their systems, click on malicious links (phishing), get infected with malware, or have their credentials stolen through external attacks. For this reason, every employee is an insider risk: any employee may fall for a phishing email, MFA bombing, or some other external factor and have their account turned into an insider threat, even if the employee is not malicious.

Disgruntled employees may cause harm intentionally, especially ex-employees or employees leaving the company on bad terms. When employee or contractor credentials are left active after the person leaves, the risk of compromise escalates. Malicious insider incidents are far more expensive and take longer to recover from than external attacks because these employees know how to do the most damage to the OT network.

Lateral Movement: A Unique Challenge for OT Networks

OT has a different problem than IT when it comes to lateral movement. Classic OT networks are utterly vulnerable to lateral movement once someone gains access to any system (or physical access to the network) because they are flat Layer 2 environments. Even today, many OT networks are flat, often because they avoid segmentation to limit performance impact. In an IT network it doesn’t matter if your email arrives in 3 seconds, but in OT, milliseconds matter. The Purdue model promotes segmentation to address this challenge. Still, many OT networks struggle because segmentation done with firewalls takes an excruciatingly long time and requires network downtime, which is unacceptable in many OT environments. The desired outcome is that lateral movement between OT devices is tightly constrained (some OT devices legitimately need to talk to each other) or impossible, even when they sit on the same LAN segment.
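To make the blast-radius argument concrete, here is an added example (not code from the original post or from any product it mentions) that models a flat Layer 2 segment against an explicit allow-list of the flows the process actually needs, and computes how many devices a single compromised host could pivot to in each case. Device names and the flow list are constructed, hypothetical sample data.

```python
from collections import deque

# Constructed sample: six hosts that share one flat LAN segment (hypothetical labels).
DEVICES = ["hmi-1", "eng-ws", "plc-1", "plc-2", "historian", "printer"]

# Hypothetical allow-list: only the flows the process genuinely requires,
# recorded as (initiator, responder) so direction matters.
REQUIRED_FLOWS = {
    ("hmi-1", "plc-1"),
    ("hmi-1", "plc-2"),
    ("eng-ws", "plc-1"),
    ("plc-1", "historian"),
    ("plc-2", "historian"),
}


def flat_segment_edges(devices):
    """On a flat Layer 2 segment every host can initiate a connection to every other host."""
    return {(a, b) for a in devices for b in devices if a != b}


def reachable(edges, start):
    """Hosts an attacker holding `start` could pivot to, following only permitted flows.

    Breadth-first search over the directed flow graph; the starting host is excluded.
    """
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in edges:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def blast_radius(devices, edges, start):
    """Fraction of the other devices that a compromise of `start` can reach (0.0 to 1.0)."""
    return len(reachable(edges, start)) / (len(devices) - 1)


if __name__ == "__main__":
    flat = flat_segment_edges(DEVICES)
    for host in DEVICES:
        print(f"{host:10s} flat L2: {blast_radius(DEVICES, flat, host):.2f}   "
              f"allow-list: {blast_radius(DEVICES, REQUIRED_FLOWS, host):.2f}")
```

With the flat segment, every host reaches every other host (radius 1.0); with the allow-list, a compromised engineering workstation reaches only the PLC it maintains and the historian behind it, and a compromised historian or printer reaches nothing.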

Interested in preventing as much insider risk as possible? Download our whitepaper and/or register for our webinar on Zero Trust Protection for OT.
