Full Report
May 11, 2026: Dawn Cappelli of the Dragos OT CERT issued a LinkedIn request for OT insider threat cases in industrial environments. Dawn said she keeps hearing that insider threats rank as a top concern in OT, but the Dragos OT CERT has no cases. Control system cyber incidents can be either unintentional or malicious […]
Analysis Summary
# Incident Report: Meta-Analysis of OT Insider Threat Reporting Gap
## Executive Summary
This report analyzes a public discussion about the absence of documented Operational Technology (OT) insider threat cases in the Dragos OT CERT database. Insider threats are cited as a top industry concern, yet the CERT holds no cases. The discussion attributes the gap to two causes: the classification of "unintentional" versus "malicious" acts (only the latter tend to be counted as cyber incidents by security firms) and proprietary data silos that keep known cases out of public databases. The core issue is a breakdown in industry information sharing rather than an absence of actual occurrences.
## Incident Details
- **Discovery Date:** May 11, 2026
- **Incident Date:** Ongoing (Reported May 2026)
- **Affected Organization:** Dragos OT CERT / Industrial Control System (ICS) Community
- **Sector:** Critical Infrastructure / Industrial Control Systems
- **Geography:** Global
## Timeline of Events
### Initial Public Request
- **Date/Time:** May 11, 2026
- **Vector:** Public industry outreach (LinkedIn)
- **Details:** Dawn Cappelli (Dragos OT CERT) issued a public request for verified OT insider threat cases, noting that the CERT's database contained none despite insider threats being widely reported as a top concern.
### Spread of the Discussion
- **Details:** The discussion moved from social media to industry blogs (SCADAS.EC / ControlGlobal), exposing a split between cybersecurity researchers and independent subject matter experts over whether unintentional control system incidents count as cyber incidents at all.
### Impact
- **Details:** No data was exfiltrated; the "impact" is an identified intelligence gap. As long as incident data held in proprietary private databases does not reach public CERTs, OT defenders cannot build threat models against insider risk from a representative case base.
### Detection & Response
- **How it was discovered:** Public statement by the Dragos OT CERT.
- **Response actions taken:** Independent experts (Joe Weiss) challenged the assertion, stating that the cases exist but are withheld because of intellectual property and monetization disputes.
## Attack Methodology
*Note: As this is a report on a reporting discrepancy, "Attack Methodology" refers to the nature of the insider threats discussed.*
- **Initial Access:** Authorized physical or logical access to Control Systems.
- **Persistence:** Legitimate user credentials or physical presence.
- **Impact:** Unintentional misconfigurations or malicious sabotage causing physical process disruptions.
## Impact Assessment
- **Financial:** Not quantified; the discussion treats expert-held incident data as intellectual property with commercial value, which is the stated barrier to releasing it.
- **Data Breach:** None (information withholding rather than theft).
- **Operational:** OT operators who rely on CERT data to build threat models against insider risk are working from an incomplete case base.
- **Reputational:** Potential impact on the perceived comprehensiveness of the Dragos OT CERT database.
## Indicators of Compromise
- **Behavioral indicators:** A persistent gap between the ranking of insider threat as a "top concern" in industry surveys and the number of documented cases in incident response databases.
- **Procedural indicators:** Classification of unintentional engineering errors as "non-cyber" incidents even when they compromise system integrity, which removes them from cyber incident counts.
## Response Actions
- **Containment measures:** Public debate and clarification of terms (defining unintentional acts as insider threats).
- **Eradication steps:** N/A.
- **Recovery actions:** Call for better collaboration/funding models to move proprietary incident data into the public domain.
## Lessons Learned
- **Key takeaways:** Security firms and control system engineers use different definitions: a "cyber incident" for the former usually implies a malicious actor, while a "control system incident" for the latter includes high-impact unintentional human error. Cases that fall only under the second definition never reach the first group's databases.
- **What could have been done better:** Information sharing in the OT space is hampered by the monetization of incident data; a non-commercial framework for sharing anonymized OT failure modes is needed.
## Recommendations
- **Broaden Incident Definitions:** OT CERTs should explicitly include "unintentional human error" leading to loss of control/safety as a reportable insider threat.
- **Incentivize Sharing:** Establish a neutral, non-profit clearinghouse for OT incidents that accounts for the intellectual property value of established expert databases.
- **Cross-Sector Communication:** Bridge the gap between engineering (who see "accidents") and security (who see "incidents") to ensure a holistic view of OT risk.