Threat Intelligence

Insider Threat in the Energy Sector: Malicious and Negligent

In 2021 a former employee of a Kansas public water system used credentials that had never been revoked to remotely access plant controls and attempt to tamper with cleaning and disinfection processes, before the access was traced back to him. The case is a textbook reminder that some of the most dangerous access to energy and utility operations sits with people who already hold the keys: current and former staff, contractors and trusted insiders who know exactly which system does what.

A former water-utility employee remotely accessed plant controls in 2021 using credentials never revoked

The two faces of insider risk

Insider threat in energy is not a single problem. Malicious insiders deliberately abuse their access, whether for revenge, financial gain or coercion by an external party. Negligent insiders cause harm through carelessness: misconfiguring a system, mishandling sensitive data, falling for a phishing lure, or bypassing a control to get a job done faster. Both can be devastating in an environment where a single wrong command can affect physical supply.

  • Malicious insiders: sabotage, theft of grid or trading data, or selling access
  • Negligent insiders: misconfiguration, data mishandling and unsafe shortcuts
  • Compromised insiders: legitimate accounts taken over by an external attacker
  • Departing staff and contractors whose access is never properly revoked

Why control rooms amplify the risk

Energy control environments often run on shared accounts, broad standing privileges and long-lived contractor access, because operational continuity has historically trumped least-privilege discipline. Engineers may hold the keys to systems they rarely touch, and offboarding processes frequently fail to revoke OT and remote-access credentials promptly. These conditions mean that a single insider, or a single overlooked former insider, can reach far more than their role requires.

Data exfiltration is the quiet insider attack

Not every insider incident is a dramatic sabotage attempt. A great deal of insider harm is the steady leakage of sensitive information: grid schematics, vulnerability assessments, customer data, or commercially sensitive generation and trading positions copied to personal cloud storage, USB devices or webmail. This kind of slow exfiltration rarely trips traditional alarms, yet it can hand an adversary the blueprint for a far more serious future attack.

Reducing insider risk in practice

Managing insider threat is a blend of process and technology: tightening access so people only hold what they need, removing it promptly when roles change, and watching for the data movement that signals abuse. The goal is to make harmful action difficult and visible rather than to treat staff with suspicion.

  • Enforce least privilege and review standing access to OT and sensitive data regularly
  • Automate joiner, mover and leaver processes so access is revoked on departure
  • Monitor for unusual data movement to USB, personal cloud and webmail destinations
  • Maintain audit trails on critical control actions so anomalies can be investigated
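The leaver control above, and the "revoked on paper" gap behind the Kansas case, come down to one reconciliation: every account that is still enabled for someone HR has already marked as departed. The script below is an added illustration, not Kyanite Blue's or BlackFog's code; the HR leaver list and the VPN, OT remote-access and vendor-portal account records are constructed sample data.

```python
from datetime import date

# Constructed sample data: HR departure dates keyed by username.
LEAVERS = {
    "jdoe": date(2024, 3, 1),
    "msmith": date(2024, 5, 15),
}

# Constructed sample data: account state pulled from each access system.
# In practice this would be exported from the VPN, OT jump host and
# vendor remote-access portal, the systems that most often outlive a role.
ACTIVE_ACCOUNTS = [
    {"system": "vpn", "user": "jdoe", "enabled": True},
    {"system": "ot-remote", "user": "jdoe", "enabled": True},
    {"system": "vpn", "user": "msmith", "enabled": False},
    {"system": "vendor-portal", "user": "msmith", "enabled": True},
    {"system": "vpn", "user": "alee", "enabled": True},
]


def stale_access(leavers, accounts, today):
    """Return accounts still enabled on or after the holder's departure date.

    Each finding carries how many days the access has outlived the role,
    so an offboarding review can work the oldest gaps first.
    """
    findings = []
    for acct in accounts:
        left = leavers.get(acct["user"])
        # Current staff and already-disabled accounts are not findings.
        if left is None or not acct["enabled"]:
            continue
        if today >= left:
            findings.append({
                "system": acct["system"],
                "user": acct["user"],
                "days_overdue": (today - left).days,
            })
    # Longest-standing stale access first.
    return sorted(findings, key=lambda f: -f["days_overdue"])


if __name__ == "__main__":
    for f in stale_access(LEAVERS, ACTIVE_ACCOUNTS, date(2024, 6, 1)):
        print(f"{f['system']:14} {f['user']:8} {f['days_overdue']:>4} days overdue")
```

Run it against exports from every system that grants remote or OT access; an account that appears here is exactly the kind the 2021 case turned on.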

How Kyanite Blue and BlackFog defend against insider data loss

The hardest insider behaviour to catch is data quietly leaving the organisation, whether stolen deliberately or leaked carelessly. Kyanite Blue deploys BlackFog anti-data-exfiltration technology on endpoints, where it monitors and blocks unauthorised outbound transfers in real time, including attempts to send sensitive data to unapproved cloud services, command-and-control infrastructure or suspicious external destinations. Because BlackFog works at the point of egress on the device itself, it catches exfiltration regardless of who initiates it: a malicious insider, a careless one, or an external attacker using stolen credentials. We combine this with access reviews and offboarding discipline so that both the means and the opportunity for insider data loss are reduced.

Frequently Asked Questions

What is the difference between a malicious and a negligent insider?

A malicious insider deliberately misuses their access to cause harm, for example sabotaging a system or stealing data. A negligent insider causes harm unintentionally through carelessness, such as misconfiguring a control, mishandling sensitive files or falling for a phishing email. Both are significant in energy because the consequences of a single error or abuse can affect physical supply, so defences must address each.

How can revoked-on-paper access still cause an attack?

In the 2021 Kansas water case, a former employee retained working remote-access credentials that had not actually been disabled after departure. Many energy operators have similar gaps where OT, VPN and vendor accounts outlive the person's role. Reliable joiner, mover and leaver processes that promptly revoke every form of access are one of the most effective insider-threat controls available.

Why is insider data exfiltration so hard to detect?

Insiders use legitimate access, so their actions often look like normal work, and slow leakage to personal cloud, USB or webmail rarely triggers traditional security alarms. Detecting it requires watching the actual movement of data off endpoints and flagging transfers to unapproved destinations, which is precisely what device-level anti-data-exfiltration controls are designed to do.
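The "quiet" exfiltration described in the data-leakage section above, and the device-level detection this answer refers to, can be shown on a handful of endpoint egress records. The example below is added for illustration and is not BlackFog's logic or Kyanite Blue's code: the log format, the allowlist of approved destinations and the data labels are all constructed assumptions. It flags transfers to USB, personal cloud or webmail, blocks those carrying sensitive labels, and totals per-user bytes so slow leakage across a window is visible as well.

```python
import re
from collections import defaultdict

# Constructed sample egress log (not real telemetry): one outbound file
# transfer per line, as an endpoint agent might record it.
EGRESS_LOG = """\
2024-06-03T09:14:02Z user=jdoe host=ws-eng-07 channel=https dest=drive.google.com file=grid_schematic_v3.pdf label=confidential bytes=4823112
2024-06-03T09:20:45Z user=jdoe host=ws-eng-07 channel=usb dest=removable:E: file=vuln_assessment_2024.xlsx label=restricted bytes=921000
2024-06-03T10:02:11Z user=alee host=ws-ops-02 channel=https dest=sharepoint.example-utility.com file=shift_report.docx label=internal bytes=51200
2024-06-03T10:30:00Z user=msmith host=ws-trd-01 channel=https dest=mail.yahoo.com file=trading_positions.csv label=restricted bytes=230000
2024-06-03T11:00:00Z user=alee host=ws-ops-02 channel=https dest=dropbox.com file=photo.jpg label=public bytes=1400000
"""

# Assumed allowlist of corporate destinations; anything else is unapproved.
APPROVED_DESTINATIONS = {"sharepoint.example-utility.com", "vendor-support.example.com"}
SENSITIVE_LABELS = {"restricted", "confidential"}

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'ts key=value ...' record into a dict with an int byte count."""
    ts, rest = line.split(" ", 1)
    rec = dict(FIELD.findall(rest))
    rec["ts"] = ts
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(rec):
    """allow: approved destination; block: sensitive data leaving to an
    unapproved destination or USB; alert: non-sensitive data doing the same."""
    unapproved = rec["channel"] == "usb" or rec["dest"] not in APPROVED_DESTINATIONS
    if not unapproved:
        return "allow"
    return "block" if rec["label"] in SENSITIVE_LABELS else "alert"


def analyse(log_text):
    """Return per-transfer verdicts and per-user bytes sent to unapproved places."""
    verdicts, leaked = [], defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict = classify(rec)
        verdicts.append((rec["user"], rec["dest"], rec["file"], verdict))
        if verdict != "allow":
            leaked[rec["user"]] += rec["bytes"]
    return verdicts, dict(leaked)
```

The per-user totals are the part traditional alarms miss: no single transfer here is large, but one engineer has moved several megabytes of labelled material off the estate in an hour.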

Detect and stop insider data loss with Kyanite Blue

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.


Ready to secure your iGaming operation?

MGA-licensed operators across Malta trust Kyanite Blue.