Full Report
On May 11, 2026, Dawn Capelli from the Dragos OT CERT issued a LinkedIn request for OT Insider Threat cases in industrial environments. Dawn said she keeps hearing that insider threats rank as a top concern in OT, but the Dragos OT CERT has no cases. CONTROL SYSTEM cyber incidents can be either unintentional or malicious […]
Analysis Summary
# Incident Report: Analysis of OT Insider Threat Reporting Discrepancy
## Executive Summary
This report summarizes a public inquiry and subsequent debate regarding the lack of documented Operational Technology (OT) insider threat cases within the Dragos OT CERT. While industry experts claim substantial evidence of both malicious and unintentional insider incidents, a gap exists between private intelligence repositories and public CERT databases due to data valuation and information-sharing barriers. The primary outcome is a highlighted visibility gap in OT-specific threat landscapes.
## Incident Details
- **Discovery Date:** May 11, 2026
- **Incident Date:** Ongoing (Reporting period up to May 2026)
- **Affected Organization:** Dragos OT CERT (Reporting gap); Various Industrial Organizations (Historical incidents)
- **Sector:** Industrial Control Systems (ICS) / Critical Infrastructure
- **Geography:** Global
## Timeline of Events
### Initial Request
- **Date/Time:** May 11, 2026
- **Vector:** Public solicitation via LinkedIn.
- **Details:** Dawn Capelli of Dragos OT CERT requested industry cases of OT Insider Threats, noting that while ranked as a top concern, the CERT had zero documented cases in their database.
### Industry Feedback
- **Date/Time:** May 11 – May 19, 2026
- **Details:** Experts (Joe Weiss/Infracritical) responded, confirming the existence of documented malicious and unintentional OT cyber incidents across multiple sectors.
### Data Deadlock
- **Date/Time:** May 19, 2026
- **Details:** Information exchange stalled. Subject matter experts declined to provide detailed incident data for free, citing the material as proprietary intellectual property.
## Attack Methodology
*Note: This specific article discusses the reporting of incidents rather than a single specific breach. Based on the "Insider Threat" context provided:*
- **Initial Access:** Authorized physical or logical access by employees or contractors.
- **Persistence:** Legitimate credentials and system permissions.
- **Impact Methodology:**
  - **Unintentional:** Human error, misconfiguration, or accidental logic changes in Control Systems.
  - **Malicious:** Purposeful manipulation of setpoints, unauthorized logic changes, or sabotage of physical processes.
## Impact Assessment
- **Financial:** High valuation placed on OT incident data; Dragos faces potential "value" loss if the CERT remains empty of such cases.
- **Data Breach:** Knowledge gap in public/private threat intelligence sharing.
- **Operational:** Potential for unmitigated risks in industrial environments if defenders lack case studies to build protections.
- **Reputational:** Questioning of the comprehensiveness of OT-specific CERT databases.
## Indicators of Compromise (Behavioral)
- **Unverified Logic Changes:** Unauthorized modifications to PLC/DCS configurations.
- **Anomalous Access Times:** Authorized personnel accessing OT networks during off-hours without maintenance tickets.
- **Process Deviation:** Unexpected changes in physical output (pressure, temperature, flow) not aligned with HMI commands.
## Response Actions
- **Inquiry:** Dragos attempted to crowd-source historical data to fill visibility gaps.
- **Data Protection:** Industrial experts retained specific incident data behind paywalls/consultancy agreements.
## Lessons Learned
- **The Definition Gap:** There is a discrepancy in how "Insider Threats" are defined; many "unintentional" incidents qualify as insider threats but are often categorized as operational errors.
- **Incentive Alignment:** Private entities may not share critical OT security data with CERTs without reciprocal value or financial compensation.
- **Visibility vs. Reality:** A lack of cases in a specific threat intelligence feed does not equate to a lack of real-world occurrences.
## Recommendations
- **Broaden Incident Definitions:** Standardize the definition of OT Insider Threats to include "unintentional" cyber-physical events.
- **Information Sharing Programs:** Develop formal data-exchange agreements between private researchers and CERT organizations that honor intellectual property rights.
- **Internal Monitoring:** Industrial operators should implement behavioral monitoring focused on "human-in-the-loop" actions within the OT environment.
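The three behavioral indicators listed above (unverified logic changes, anomalous access times, process deviation) and the "human-in-the-loop" monitoring recommendation can be expressed as plain detection rules. The script below is an added example written for this report; it is not code from Dragos, Infracritical, or the original article. The access-log records and process samples are constructed, and the 06:00–18:00 maintenance window, the 10% deviation tolerance, the field names, and the ticket identifiers are assumptions rather than values from the page.

```python
"""Behavioral monitoring for insider-style events in an OT environment.

Added example, not part of the original report. All records below are
constructed for illustration; the maintenance window, deviation tolerance,
field names and ticket ids are assumptions, not values from the page.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

# Assumed site policy: routine OT access happens inside this local-time window.
MAINTENANCE_WINDOW = (time(6, 0), time(18, 0))
# Assumed tolerance: a process value may drift this fraction from the HMI setpoint.
DEVIATION_TOLERANCE = 0.10
# Actions that rewrite controller behaviour and therefore need a change ticket.
LOGIC_CHANGE_ACTIONS = {"logic_download", "config_change"}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    asset: str
    action: str            # e.g. "login", "logic_download", "config_change"
    ticket: Optional[str]  # maintenance/change ticket id, None if none was recorded


@dataclass
class ProcessSample:
    ts: datetime
    tag: str
    setpoint: float   # what the HMI commanded
    measured: float   # what the field instrument reports


@dataclass
class Alert:
    kind: str
    ts: datetime
    detail: str


def in_window(ts: datetime) -> bool:
    """True if the timestamp falls inside the assumed maintenance window."""
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() < end


def check_access(events: List[AccessEvent]) -> List[Alert]:
    """Flag logic changes without a change ticket and off-hours access without a
    maintenance ticket. One event can raise both alerts; that is intended."""
    alerts: List[Alert] = []
    for e in events:
        if e.action in LOGIC_CHANGE_ACTIONS and not e.ticket:
            alerts.append(Alert("unverified_logic_change", e.ts,
                                f"{e.user} ran {e.action} on {e.asset} without a change ticket"))
        if not in_window(e.ts) and not e.ticket:
            alerts.append(Alert("anomalous_access_time", e.ts,
                                f"{e.user} accessed {e.asset} at {e.ts:%H:%M} with no maintenance ticket"))
    return alerts


def check_process(samples: List[ProcessSample]) -> List[Alert]:
    """Flag readings that drift from the HMI setpoint beyond tolerance.
    A zero setpoint is compared on absolute rather than relative deviation."""
    alerts: List[Alert] = []
    for s in samples:
        if s.setpoint == 0:
            deviates = abs(s.measured) > DEVIATION_TOLERANCE
        else:
            deviates = abs(s.measured - s.setpoint) / abs(s.setpoint) > DEVIATION_TOLERANCE
        if deviates:
            alerts.append(Alert("process_deviation", s.ts,
                                f"{s.tag} measured {s.measured} vs setpoint {s.setpoint}"))
    return alerts


# Constructed sample records (not real data): a ticketed daytime logic download,
# an unticketed 02:00 session that pushes logic, and a ticketed late vendor login.
SAMPLE_EVENTS = [
    AccessEvent(datetime(2026, 5, 12, 9, 15), "j.doe", "PLC-07", "login", "MT-2210"),
    AccessEvent(datetime(2026, 5, 12, 9, 40), "j.doe", "PLC-07", "logic_download", "CR-0931"),
    AccessEvent(datetime(2026, 5, 13, 2, 5), "a.smith", "DCS-NODE-3", "login", None),
    AccessEvent(datetime(2026, 5, 13, 2, 12), "a.smith", "DCS-NODE-3", "logic_download", None),
    AccessEvent(datetime(2026, 5, 13, 23, 30), "vendor.rt", "HMI-1", "login", "MT-2222"),
]
SAMPLE_PROCESS = [
    ProcessSample(datetime(2026, 5, 13, 2, 20), "FT-101", 50.0, 51.2),   # within tolerance
    ProcessSample(datetime(2026, 5, 13, 2, 25), "PT-204", 120.0, 98.0),  # ~18% low
    ProcessSample(datetime(2026, 5, 13, 2, 30), "TT-330", 0.0, 0.05),    # zero-setpoint case
]


def run_monitoring(events=SAMPLE_EVENTS, samples=SAMPLE_PROCESS) -> List[Alert]:
    """Run both rule sets and return the combined alert list."""
    return check_access(events) + check_process(samples)


if __name__ == "__main__":
    for a in run_monitoring():
        print(f"[{a.kind}] {a.ts:%Y-%m-%d %H:%M} {a.detail}")
```

On the constructed input this yields four alerts: one unverified logic change and two off-hours accesses from the unticketed 02:00 session, plus one process deviation on PT-204; the ticketed late-night vendor login is not flagged, which is the point of tying the time-of-day rule to the ticketing system rather than to the clock alone. Ticket presence is only a first filter; in practice the ticket id should be cross-checked against the change-management record before the access is treated as authorized.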