Understanding Insider Threats

Tools and resources for mitigating what has been identified as a high risk

MRO’s mission is to identify, prioritize and assure effective and efficient mitigation of risks to the reliability and security of the North American bulk power system.

Each year, the MRO Security Advisory Council (SAC) conducts a Regional Security Risk Assessment (RSRA) that engages physical, cyber, and operational security subject matter experts in the MRO Region. The identified risks are provided to the MRO for inclusion in the Regional Risk Assessment (RRA). The RRA also offers mitigation strategies for a number of identified risks.

The 2023 RRA identifies Insider Threats as a high risk. At the April board meeting, the board’s Organizational Group Oversight Committee (OGOC) held a closed roundtable on Insider Threats to share information and best practices and identify opportunities for MRO’s organizational groups to address this particular risk.

What is an Insider Threat?

An Insider Threat can be an employee or third party (vendor, consultant, or contractor) that is currently or formerly associated with an organization and has the potential to cause elevated harm due to insider-level knowledge and access to information. Although the majority of Insider Threat breaches are accidental or negligent, the impact of those caused by malicious intent may be greater.

The scope of an Insider Threat is very broad and extends beyond traditional Information Technology (IT) issues. Insider Threats can also manifest as fraud, sabotage, espionage, and workplace violence. Many organizations have risk control processes implemented in a variety of ways depending upon individual role and responsibilities. The scope of Insider Threats, however, requires a holistic approach that shares responsibility across multiple employee groups and business units. Mitigating Insider Threats requires increased focus on people, processes, and technology, and calls for coordination across security, HR, IT, wellness programs, legal, finance, and internal audit.

A ‘see something, say something’ culture is the foundation of an Insider Threat program. It is a tone set from the top where everyone within an organization is empowered to protect the safety of their coworkers and the organization. Developing an Insider Threat program may require working through cultural issues, such as negative perceptions. However, this is not about big brother or tattling – the culture should build upon non-retaliatory principles and provide the means for individuals to raise concerns without fear or judgment. The goal is to ensure a trusted workforce, safe facilities, resilient systems, and the confidentiality/integrity/availability of critical data. Ultimately, it is about protecting an organization’s most important resource, the people.

You may ask yourself, “how is the individual employee an element of an Insider Threat program?” Human intelligence assets (employees) can identify suspicious behavior well before a technical system does, and the ‘see something, say something’ culture enables them to do so. The earlier a risk is identified, the more opportunities there are to mitigate and de-escalate. Downstream of human observations are the technical controls, which can only detect anomalous behavior, often after the Insider Threat has already started down the path of action.

Important considerations for Insider Threat programs include:

  • culture
  • risk assessments
  • policies
  • training
  • anticipating stressors
  • access management to least privilege
  • segregation of duties
  • people as sensors
  • technical controls
  • nonrepudiation
  • internal auditing
  • incident response

Insider Threat Resources

The following Insider Threat resources are open source and cover many aspects of an Insider Threat program:

  • Carnegie Mellon Common Sense Guide to Mitigating Insider Threats, 6th Ed. (link)

This document distills numerous interviews and many years of Insider Threat research into a useful resource for industry.

  • The National Counterintelligence and Security Center Insider Threat Mitigation for U.S. Critical Infrastructure Entities (link)

This publication focuses on the human threats to U.S. critical infrastructure, including employees at critical infrastructure organizations who may be exploited by foreign adversaries. The publication provides guidance on how to incorporate these threat vectors into organizational risk management plans and offers best practices for critical infrastructure entities to mitigate insider threats.

  • Center for Development of Security Excellence (CDSE) – Insider Threat Program (InTP) for Industry (link)

This document is specific to the Department of Defense, but may be used as a resource guide for critical infrastructure industries, such as energy.

This job aid gives Department of Defense (DOD) staff and contractors an overview of the insider threat program requirements for Industry as outlined in the National Industrial Security Program Operating Manual (NISPOM) that became effective as a federal rule in accordance with 32 Code of Federal Regulations Part 117, also known as the “NISPOM Rule.” This job aid addresses policy, responsibilities, requirements, and the procedures consistent with Executive Orders (EO), 12869, “National Industrial Security Program;” EO 10865, “Safeguarding Classified Information and Security;” and 32 CFR Part 2004, “National Security Industrial Security Program.”

  • Center for Development of Security Excellence (CDSE) – Insider Threat Potential Risk Indicators (PRI) (link)

This document provides many examples of ‘risk indicators’ that may predict the likelihood of an insider threat.

  • Insider Threat Resources compiled by SERC (link)

This is a comprehensive compilation of wide-ranging resources relevant to Insider Threats, including resources on: (1) insider threat concepts, (2) building an insider threat program, (3) detection, control, and mitigation of insider threats, (4) tools, and (5) blog posts.

Lee Felter, MRO Principal Security Engineer