When people hear “insider threat,” they picture a movie villain. Someone stealing files at midnight. Someone selling secrets to a foreign power. Someone with dramatic music playing while a USB stick slowly slides into a laptop. In real engineering environments, especially OT, it’s almost never like that. Your next insider threat probably won’t look dangerous at all. They’ll look tired. Quiet, withdrawn. A bit checked out.
They might even be your best engineer.
The Dangerous Type of Disgruntled
We all know the loud kind of unhappy employee. They complain. They argue. They tell everyone the system is broken (sometimes they’re right). They’re visible. They’re also not usually the biggest risk. The bigger risk is the disappointed high performer.
The person who:
Used to volunteer for outages
Used to fix things no one else could
Used to care deeply about “doing it properly”
Then one day:
They stop speaking up
They stop pushing back on bad decisions
They stop correcting mistakes
Not because they don’t know better, but because they’ve decided it’s no longer worth the effort. That’s not sabotage. That’s resignation, emotionally speaking.
And in OT environments, resignation plus access is a could be a bad combination.
A Real World Example (Not from Hollywood)
A few years ago, 2022 to be exact, a former researcher at Hydro-Québec was charged with economic espionage. His testimony included something that should make any engineering manager uncomfortable: he said he applied to universities in China as a backup plan.
Why?
Because he was unhappy at work. And because his work visa had been left in limbo for over a year. From his point of view, he wasn’t betraying anyone. He was protecting his future. Prosecutors later alleged links to China’s “Thousand Talents” programme and improper use of Hydro-Québec research. He maintains he only shared general material, not secrets. The court will decide who’s right. But the organisational lesson is already clear: Insider risk often starts as career planning, not malice. That applies just as much in power stations, water treatment plants, manufacturing lines, and refineries as it does in research labs.
OT Is Especially Vulnerable to This
Operational technology environments are built on trust. The engineer who understands:
- Why ‘this’ PLC must never be rebooted
- Which alarm you should ignore during startup
- Which vendor remote access VPN tunnel still “just works”
is trusted because they have to be. You can’t rotate OT staff like passwords. You can’t document decades of tribal knowledge in a SharePoint folder and you can’t easily tell when someone has mentally checked out.
That makes OT environments perfect places for quiet insider risk.
Early Warning Sign: Dissatisfaction
Dissatisfaction isn’t HR fluff. It’s a technical risk indicator. When people feel:
- Boxed into a role
- Passed over
- Invisible
- Treated as replaceable
they start looking elsewhere for validation. Sometimes that “elsewhere” is just another employer. Sometimes it’s a competitor, a supplier, a research partner, or a “friendly” third party who happens to be very interested in how your process works.
In OT, this can look harmless:
- Explaining your architecture at a conference
- Sharing “sanitised” diagrams with a vendor
- Reusing old project slides for an external presentation
None of this feels like wrongdoing in the moment. It just feels like being recognised again.
Early Warning Sign: “I Didn’t Share Secrets”
This sentence appears in almost every insider incident review and it’s usually true, especially from the employee’s point of view. People don’t wake up thinking: “Today I will leak proprietary information.”
They think:
- “This is just high level.”
- “They already know this stuff.”
- “It’s not like I gave them the source code.”
- “This diagram doesn’t even show tag names.”
That’s how IP leaks actually happen. One harmless explanation. One old document. One “general” discussion. In OT, it might be:
- Control philosophy documents
- Alarm rationalisation logic
- Safety interlock descriptions
- Network diagrams with “approximate” detail
Each item feels safe on its own. Together, they tell a very complete story.
Early Warning Sign: The Grey Zone of Ownership
OT engineers often blur the line between:
- My experience
- My work
- The company’s IP
Especially when research, optimisation, or custom logic is involved. Questions that rarely get answered clearly:
- Can I reuse this ladder logic pattern elsewhere?
- Can I publish lessons learned from this plant?
- Can I take my simulation models with me?
When organisations don’t define the boundary, engineers define it themselves.
And here’s the uncomfortable bit: Disappointed people draw that boundary in their favour. Not because they’re evil, but because they feel owed.
Early Warning Sign: Mood Changes Judgment
Many organisations rely on “professional judgment” to protect sensitive information. That works until mood enters the picture. Policies that are vague get interpreted emotionally.
A happy engineer thinks: “Better not share that, just in case.”
A disengaged engineer thinks: “They never appreciated this work anyway.”
Same policy. Different mood. Very different outcome.
OT Examples You’ll Recognise
This isn’t theoretical. Variations of this show up in real incidents:
- Water utilities where long serving engineers shared detailed treatment process data with external consultants without contracts in place.
- Manufacturing plants where control engineers reused proprietary recipes at a new employer because “I wrote it, not them.”
- Energy sites where remote access credentials were kept alive “to help out” after someone had mentally checked out months earlier.
None of these involved malware. None involved nation state actors at the start. They involved people who stopped feeling connected to the organisation.
The Awkward Question Leaders Avoid
Here’s a question most organisations never ask out loud:
Who is the most disengaged person in the room, and what do they have access to? Not the angriest. Not the noisiest. The quiet one who:
- Still knows everything
- Still has credentials
- But no longer believes this place is ‘their’ place
That’s not an accusation. It’s a risk assessment.
What Actually Helps
This isn’t solved with more posters, another annual policy refresher or emails which ask the ‘temperature’ or satisfaction levels. Practical steps that actually help in OT environments:
Be Explicit About Boundaries - Don’t assume people know where “general knowledge” ends.
Spell out:
- What can be shared externally,
- What requires approval,
- What stays inside forever.
Engineers respect clarity.
Treat Disengagement as a Risk Signal - If someone stops contributing, don’t just log it as “performance.”
Ask:
- Are they blocked?
- Are they stuck?
- Are they planning an exit?
That’s not micromanagement. That’s asset protection.
Be Human, not a Corporate Machine - Relationships can dwindle for a number of reasons, at home, at the pub, the workplace is no different.
Remember:
- Team dynamics plays a critical role
- Be authentic, sympathetic and trustworthy
- Address team members who underperform
Tune in your emotional intelligence antenna.
Reduce Silent Access - If someone no longer needs access to the crown jewels day to day, reduce it. Not as punishment, this is good cyber hygiene.
Exit Planning Is Security Planning - When people leave, assume they’ll talk about their work. Help them understand what not to take with them, clearly and calmly.
Final Thought
The most dangerous insider threat isn’t the villain. It’s the person who once cared deeply and now doesn’t. Not because they’re bad. But because they’re tired of repetition, disappointed and potentially mentally exhausted. In operational technology, disappointment plus access is often the loudest warning sign you’ll ever get… if you’re willing to notice it.
