Insider Threat Guidelines for Energy-Sector Critical Infrastructure 

Shawn Wallace, a member of SIA’s Utilities Advisory Board, serves as director of critical infrastructure at Unlimited Technology.

Insider threats—originating from employees, contractors or partners with legitimate access—pose a uniquely complex risk because they combine human behavior with access to sensitive systems and processes. Mitigating these threats requires a coordinated, cross-functional approach spanning human resources, cybersecurity, physical security and organizational leadership. 

There are three primary insider threat personas: negligent, malicious and compromised. Negligent insiders unintentionally create vulnerabilities through carelessness or poor security practices. Malicious insiders intentionally seek to harm the organization, often motivated by financial gain, revenge or ideology, and can be particularly dangerous due to their familiarity with systems and processes. Compromised insiders, on the other hand, are victims whose credentials or access are exploited by external attackers through techniques such as phishing, malware, social engineering or coercion. While all three pose risks, security teams should focus primarily on malicious and compromised insiders, as they are most likely to result in significant damage. 

Prevention involves stopping high-risk individuals from entering the organization during the hiring or contractor onboarding phase and reducing the likelihood that trusted employees become threats over time. The first phase emphasizes rigorous hiring and screening practices. Organizations are encouraged to adopt a risk-based approach, applying more extensive background checks and verification processes to high-risk roles such as control system operators or engineers. This includes identity verification, criminal background checks, employment and education validation and reference checks. In-person interviews and careful documentation are critical to confirm that the person being hired is the person who was screened and that the process meets compliance requirements.

Once individuals are hired, the focus shifts to controlling access and monitoring behavior. Role-based access control is a foundational practice for preventing insider threats: employees receive access only to the systems and data their roles require. Security teams should also consider replacing outdated badge-based systems with modern, high-trust digital identity solutions that validate credentials in real time and monitor their use. Employee awareness is another key pillar: training programs on social engineering and coercion tactics reduce the risk that a trusted employee is compromised. Additionally, organizations are advised to monitor for "compelling events", such as disciplinary actions or layoffs, that might increase the likelihood of a long-standing employee becoming a malicious insider.

The concept of "two-deep work" (also known as the two-person rule), where two individuals must be present during sensitive operations, is a highly effective, though resource-intensive, control for critical environments such as substations and data centers.

Despite strong prevention measures, insider threats cannot be entirely eliminated, so early detection is critical. Detection strategies fall into two categories: human-based and technology-based. Human-based detection relies on building a culture of trust and accountability in which employees are trained to recognize suspicious behavior and report it through confidential channels such as hotlines. Encouraging reporting, and supporting the employees who make reports, are essential components of this approach.

On the technology side, user and entity behavior analytics systems can identify deviations from normal behavior, while security information and event management platforms aggregate and analyze logs to detect anomalies. Endpoint detection and response tools provide real-time monitoring and response capabilities on user devices. For operational environments, specialized industrial control system/operational technology monitoring tools track system behavior, configuration changes and network activity to identify anomalies indicative of insider threats. 

A key recommendation is the integration of physical and cybersecurity information and operations centers. By combining data from physical access systems (such as badges and cameras) with digital activity logs, organizations gain a holistic view of user behavior. This integration enables faster detection of malicious or compromised insiders, better correlation of events and more effective incident response. Organizations should aim to keep metrics on their insider threat program effectiveness to support continuous improvement efforts. Measuring detection times, incident rates, training effectiveness and employee engagement can show how the program supports overall business risk reduction. 
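The correlation of physical access data with digital activity logs described above, and the two-person rule from earlier in the article, can both be expressed as simple detection logic. The following Python is an added illustration written for this page, not code from the author, SIA or any vendor product. The badge and host log lines, the site names and the rule names are all constructed for the example; a real deployment would read these events from the physical access control system and the SIEM rather than from inline strings.

```python
"""Correlate badge swipes with OT host activity to flag insider-threat indicators.

Added example, not part of the original article. Two rules are implemented:
  1. activity_without_badge_presence: an account is used on a site-local host
     while its owner is not badged in at that site (possible compromised or
     shared credential).
  2. two_person_rule_violation: a sensitive action (here, a configuration
     change) happens at a site where fewer than two people are badged in.
Log formats and sample data are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample badge events: <timestamp> <user> <site> <in|out>
BADGE_LOG = """\
2024-05-06T07:58:00 alice SUB-12 in
2024-05-06T08:02:00 bob SUB-12 in
2024-05-06T09:30:00 bob SUB-12 out
2024-05-06T09:45:00 carol SUB-07 in
"""

# Constructed sample host events: <timestamp> <user> <host> <site> <action>
HOST_LOG = """\
2024-05-06T08:05:00 alice hmi-sub12 SUB-12 logon
2024-05-06T08:10:00 alice hmi-sub12 SUB-12 config_change
2024-05-06T09:50:00 alice hmi-sub12 SUB-12 config_change
2024-05-06T10:00:00 dave eng-sub07 SUB-07 logon
"""

# Actions that require two people on site (hypothetical policy for this example).
TWO_PERSON_ACTIONS = {"config_change"}


@dataclass(frozen=True)
class Event:
    time: datetime
    source: str   # "badge" or "host"
    user: str
    site: str
    detail: str   # badge: "in"/"out"; host: the action name
    host: str = ""


@dataclass(frozen=True)
class Finding:
    time: str
    rule: str
    user: str
    site: str


def parse_badge(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, site, direction = line.split()
            events.append(Event(datetime.fromisoformat(ts), "badge", user, site, direction))
    return events


def parse_host(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, host, site, action = line.split()
            events.append(Event(datetime.fromisoformat(ts), "host", user, site, action, host))
    return events


def correlate(badge_text: str, host_text: str) -> List[Finding]:
    """Replay both logs in time order, tracking who is physically on each site."""
    events = parse_badge(badge_text) + parse_host(host_text)
    # On equal timestamps process the badge swipe first, so a swipe followed by
    # an immediate logon in the same second is not flagged.
    events.sort(key=lambda e: (e.time, 0 if e.source == "badge" else 1))

    present: Dict[str, Set[str]] = {}   # site -> users currently badged in
    findings: List[Finding] = []
    for e in events:
        on_site = present.setdefault(e.site, set())
        if e.source == "badge":
            if e.detail == "in":
                on_site.add(e.user)
            else:
                on_site.discard(e.user)
            continue
        when = e.time.isoformat()
        if e.user not in on_site:
            findings.append(Finding(when, "activity_without_badge_presence", e.user, e.site))
        if e.detail in TWO_PERSON_ACTIONS and len(on_site) < 2:
            findings.append(Finding(when, "two_person_rule_violation", e.user, e.site))
    return findings


if __name__ == "__main__":
    for f in correlate(BADGE_LOG, HOST_LOG):
        print(f"{f.time} {f.rule} user={f.user} site={f.site}")
```

Running the sample produces two findings: alice's 09:50 configuration change at SUB-12 occurs after bob has badged out, so only one person is on site, and dave's 10:00 logon at SUB-07 has no matching badge entry for dave. Neither rule fires from the badge data or the host data alone; the signal only appears once the two sources are joined, which is the practical argument for a combined physical and cyber security operations view.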

An effective insider threat program must go beyond technology, incorporating strong governance, cross-functional collaboration and a culture of security awareness. By integrating preventive controls, detection capabilities and continuous evaluation, energy sector organizations can significantly reduce the risks posed by insider threats and strengthen their overall resilience.

The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association.

This article originally appeared in the Utility Brief, a newsletter presented by the SIA Utilities Advisory Board.