3 Key Takeaways
- Insider threats in operational technology (OT) environments can tank production, cause safety and quality incidents, and cripple your commercialisation pathway—often without leaving a digital trace.
- Most insider threat programs are built for IT, not for OT environments with legacy equipment, safety risks, and fragmented data across OT and physical systems.
- A smart detection approach—still emerging and adopted by only a few leading organisations—combines behavioural, scenario-based, and contextual signals across IT, OT, and physical domains to reduce risk without disrupting operations.
Insider Threats easily go unnoticed in Operational Technology (OT) environments
A few days ago, hackers opened the valve at Lake Risevatnet dam in Norway and no-one noticed for 4 hours (Security News Weekly). If a technician sabotaged your production line or quietly walked out with sensitive process data from your R&D facility, would you know? Would your systems flag it?
In my experience advising critical infrastructure and research-intensive companies, the answer is usually no. The maturity of cybersecurity in OT environments is backed up by a recent global study commissioned by Forescout (Takepoint Research). Insider threats are one of the most under-recognised risks in OT-heavy businesses. Unlike external hacks, insider incidents are often slow, subtle, and devastating. And they don’t just compromise data—they can damage physical assets, halt operations, and put lives at risk.
Unfortunately, most businesses are still using insider threat models built for IT environments. But OT (operational technology), where physical processes are controlled and monitored, is an entirely different beast. If your business depends on production, engineering, or commercialising proprietary research, it’s time to rethink how you detect insider threats—before it’s too late.
What Is an Insider Threat Program (and why OT gets left behind)
An insider threat program is a coordinated set of processes, technologies, and cultural practices to prevent, detect, and respond to harmful actions from trusted individuals—employees, contractors, vendors, or partners.
These programs typically include:
- Policy and governance
- Risk and asset identification
- Monitoring and detection
- Incident response and recovery
- Training and culture
Problem is, most insider threat programs focus on IT environments. They monitor email, file transfers, login patterns, and endpoint activity. That’s all great, but in OT settings, insider threats play by a different rulebook.
In an OT-heavy business, critical systems might be unpatchable, unmonitored, or physically exposed. A contractor could swap out a device, reprogram a controller, or sabotage a process, and you wouldn’t see it in your SIEM or Quality Management System (QMS).
Worse, many companies treat OT, IT, and physical security as separate silos. That means no one has the full picture—and malicious insiders know it.
Insider Threat Risks in OT Environments
It’s not just OT environments that are different, the trusted insider risks are different too. Here’s some examples of what plays out in real incidents:
| Risk Category | Real-World Example |
|---|---|
| Sabotage | A maintenance worker disables sensors on a production line, causing costly downtime. |
| Data compromise | A disgruntled engineer uses a USB drive or other removable media to copy sensitive R&D data, which is subsequently leaked. In OT, USB devices are often used for legitimate tasks—making them a real risk for both data theft and malware introduction. |
| Theft (equipment / data) | A contractor walks off-site with control modules or exports trade secrets via USB. |
| Espionage | An insider working for a foreign entity records processes and measures over weeks – the ‘know how’ you build into your processes is often a Trade Secrets which you haven’t patented, so you’re exposed. |
| Accidental / negligent | A misconfigured PLC leads to an emissions breach and regulatory fines. |
| Credential compromise | A phishing victim gives attackers access to production systems. Phishing is not just an IT problem—it’s a leading cause of credential compromise in OT-heavy industries, providing a foothold for attackers into production systems. |
| Process disruption | A technician delays batch runs, quietly costing millions in lost output. |
| Physical safety risks | A bypassed safety interlock leads to a serious injury on the shop floor. Integrating physical security data (badge logs, CCTV, visitor management) is crucial for correlating physical actions with digital events. |
If you’re commercialising a new technology or scaling research into production, these aren’t just operational hiccups. They’re existential threats. They compromise intellectual property (IP), slow down time-to-market, and damage investor confidence.
OT detection is hard
Think of a real-world example. An power station detects a technician repeatedly accessing a substation after hours. Alone, it looked like overtime. But cross-referenced with badge logs, config changes, and HR notes? It could match a potential workplace sabotage scenario.
Unfortunately, OT environments like this example aren’t designed for visibility. Here are the 6 main detection challenges I see:
| OT Detection Challenge | Description |
|---|---|
| Legacy Systems | Many OT assets run on unsupported platforms that can’t be patched, monitored, or logged. They might also run proprietary protocols or custom integrations. Trying to install endpoint detection software? Good luck. |
| Mixed Connectivity | Some devices are air-gapped. Others connect via Wi-Fi or cloud APIs. You might not even know how many assets are online. |
| Fragmented Data | Access logs live in one system, telemetry in another, badge swipes in a third—with no correlation between them. To see the big picture, you need HR, physical security / facilities, IT and OT data in one place |
| Physical Access Gaps | Unlike IT assets, OT systems are often in physical spaces where people can tamper with hardware or override processes without leaving a digital trace. Many devices have no logging or remote monitoring. Integrating physical security data (badge logs, CCTV) is crucial for correlating physical actions with digital events. |
| Insider Familiarity | Insiders know your systems. They know the blind spots. They know when no one’s watching. If you’re only monitoring digital access or looking at corporate IT logs, you’re missing half the story. Don’t forget vendors and contractors, who often have privileged access. |
| Poor documentation | Most orgs can’t trace how an alarm triggers a shutdown, and documentation for legacy systems might have been lost or poorly written. You might even find there’s no-one alive who can code in that language anymore! |
This complexity means malicious insiders can chain actions together: badge in, disable a sensor, reboot a system, send a USB payload, walk away. If you want to understand how an insider could compromise your operation? You need to map attack paths across IT, OT, and physical layers.
So what can you do about it? Let’s start with detection.
Insider Threat detection that fits OT
There are 3 main approaches to detection in mixed IT / OT / physical environments. Whether you can use one or all of them depends on your capability maturity, available data, and technology stack on the one hand, and your inherent risk on the other.
Basic: Pattern-of-Life / Anomaly Detection
Many businesses start here. They look for simple red flags of what shouldn’t be happening, or what looks unusual. It’s a good starting point, and it’s where many corporate insider threat detection solutions start by looking at indicators out of the box, without being configured for your business
- How it works: Builds a baseline of what “normal” looks like across users and devices. Flags deviations.
- Good for: Stable operations with predictable activity.
- Watch out for: False positives. No context. Easy to overwhelm your team.
Intermediate Advanced: Scenario-Based and Multi-Step Detection
In my experience there’s a big step up between basic and intermediate. This requires not only tools and data, but also people with different skillsets, such as intelligence analysis and data science. Achieving this successfully is much harder than it sounds.
- How it works: Looks for sequences of actions that match known attack paths (e.g., badge-in → PLC access → config change).
- Good for: Catching subtle or sophisticated attacks. Lower false positives.
- Watch out for: Requires upfront work. Needs good integration.
This work goes by many names, but I use the term ‘typologies’ which is what we refer to in fraud and financial crime to detect a range of complex threats in a dataset. The global financial services industry invests millions each year in this capability to avoid huge fines.
Advanced: AI and Hybrid Models
Last is where AI takes us. I still see organisations using a mix of rule-based detection and AI. Also, there are some applications where you simply can’t use AI yet, such as to identify unknown unknowns or truly ‘novel’ threats. You still need a ‘human in the loop’ here:
- How it works: Combines behavioural detection with scenario logic. Surfaces unknown patterns.
- Good for: Dynamic environments with lots of data.
- Watch out for: Over-alerting. Needs good context and tuning.
It’s worth noting many organisations are only at the start of the insider threat detection journey, so intermediate and advanced detection capabilities are still the exception, not the norm. However, a handful of advanced organisations are combining behavioural, scenario-based, and contextual analysis across IT, OT, HR and physical domains. They’re leading the way—helping develop the tools and methods to implement this at scale.
Detection-Driven Best Practices
Now you understand the problem we’re trying to solve, let’s talk action. Here’s what I recommend to every business trying to catch insider threats in OT:
- Map critical assets and who has access – You can’t protect what you don’t know. Prioritise systems with trade secrets, safety impact, or production value.
- Integrate cross-domain data – HR, IT, physical security, OT telemetry. Break down the silos.
- Use blended detection methods – Pair anomaly detection with scenario logic to balance breadth and depth.
- Segment networks and enforce least privilege – Don’t let operators access systems they don’t need. Limit shared credentials.
- Build OT into your incident response playbooks – Include safety, environmental, and operational contingencies.
- Train staff beyond cyber basics – Teach operators, engineers, and third parties how insider threats work—and how to report them.
- Continuously refine – Systems change. People change. Threats evolve. So should your models.
Final Word: You Can’t Protect What You Don’t Watch
If your business depends on operational tech, research, or manufacturing IP, you can’t afford to run blind.
Insider threats are rising. According to Ponemon, the average insider incident costs US$15.4M per year, but OT remains a blindspot for many organisations.
So here’s the question I always ask my clients: If someone inside your business tampered with a key process, would you know? Would your systems tell you? Would your people speak up?
If you can’t confidently say yes, it’s time to rethink your detection game.
Further Reading
- Curwell, P (2025). The 3 SMB Risk Management frameworks you need to protect your business.
- Curwell, P (2025). Continuous Control Monitoring: Your SMB Security Game Changer.
- Curwell, P (2023). Mitigating risks from workplace sabotage.
- Curwell, P. (2022). Alert management and insider risk continuous monitoring systems
- Security Week News (2025). In Other News: Norway Dam Hacked, $177M Data Breach Settlement, UNFI Attack Update
- Takepoint Research (2025). Global Industrial Cybersecurity Benchmark 2025: Insights on OT Cyber Risk, Maturity, and Strategic Imperatives, commissioned for Forescout Technologies, https://www.forescout.com/resources/global-industrial-cybersecurity-benchmark-2025/
DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.