(U//FOUO) DHS Utility-Sector Employee Insider Threats Warning

Office of Intelligence and Analysis (I&A), Cyber, Infrastructure, and Science Division, Strategic Infrastructure Threat Branch and Cyber Threat Analysis Branch

  • 6 pages
  • For Official Use Only
  • July 19, 2011


(U//FOUO) Disgruntled current and former utility-sector employees have successfully used their insider knowledge to damage facilities and disrupt site operations.

(U//FOUO) Outsiders have attempted to solicit utility-sector employees to obtain specific information about utility infrastructure site operations and facilities that could be useful in conducting physical and cyber attacks.

(U//FOUO) Because of their knowledge and authorized access to company information systems, insiders conducting cyber attacks have the potential to cause significant damage and disruption to utility facilities and operations.

(U//FOUO) Insider Threat

(U//FOUO) Disgruntled employees and adversaries seeking to use employees to obtain specific information about facility operations continue to pose a threat to utilities and other critical infrastructure. Current and former utility-sector employees often have detailed knowledge of site designs, layout, vulnerabilities, security protocols, and access procedures that could prove useful in planning attacks. Several recent incidents highlight the threat to infrastructure in the utility sectors from insiders and by outsiders seeking facility-specific information that might be exploited in an attack.

(U//FOUO) Cyber Attacks

(U//FOUO) Insiders often possess detailed operational and system-security knowledge, as well as authorized physical and systems access to utilities. Insiders can be employees, contractors, service providers, or anyone with legitimate access to utility systems. They often are self-motivated, know system security measures, and raise no alarms due to their authorized systems access. With knowledge of and access to a utility’s network, malicious actors could seize control of utility systems or corrupt information sent to plant operators, causing damage to plant systems and equipment. Systems and networks used by utilities are potential targets for a variety of malicious cyber actors. Threat actors who target these systems may be intent on damaging equipment and facilities, disrupting services, stealing proprietary information, or other malicious activities. The greater the individual’s knowledge and authorized systems access, the greater risk the individual poses. Furthermore, any individual with access to a plant’s systems could unwittingly or inadvertently introduce malware into a system through portable media or by falling victim to socially engineered e-mails.

— (U//FOUO) In 2009, a disgruntled former information technology employee of a Texas power plant allegedly disrupted the company’s energy-forecast system when the company failed to deactivate the employee’s account access and confiscate his company-issued laptop after firing him weeks earlier. The cyber intrusion resulted in a $25,000 loss to the company.

— (U) In 2006, a drinking water treatment plant in Harrisburg, Pennsylvania was compromised by a threat actor operating outside of the United States. Access was gained through a vulnerability in an employee’s laptop, which allowed the installation of malware on the plant’s internal system. The plant sustained no physical damage and the actual water system was not targeted in this particular incident. The objective was to use the plant’s computer system to distribute e-mails.

— (U) In 2000, a contract employee, who became disgruntled after being turned down for a permanent position at an Australian wastewater services company, used his insider access and expertise to attack the facility’s supervisory control and data acquisition (SCADA) systems. The attack disabled system functions and allowed a total of 800,000 liters of untreated sewage to spill into receiving waters over a period of several weeks.

(U) Violent Extremists with Insider Access

(U//FOUO) When violent extremists are able to gain access to an insider or acquire an insider position, this increases the likelihood of success and impact of an attack. Violent extremists have, in fact, obtained insider positions, and al-Qa‘ida in the Arabian Peninsula (AQAP) has highlighted insider access as useful in attack planning.

— (U//FOUO) A US citizen who was arrested in Yemen in a March 2010 roundup of suspected al-Qa‘ida members worked for several contractors performing non-sensitive maintenance at five different US nuclear power plants from 2002 to 2008. This individual was able to pass federal background checks, as recently as 2008, before becoming a contracted employee.

— (U//FOUO) The fall 2010 edition of AQAP’s Inspire magazine encourages followers to conduct attacks using “specialized expertise and those who work in sensitive locations that would offer them unique opportunities” to conduct attacks.

— (U//FOUO) Senior al-Qa‘ida officials have expressed interest in members acquiring positions that would provide access to sensitive or specialized information useful in attack planning.

Share this: