
By Chuck Gallagher — Business Ethics Keynote Speaker and Trainer
TL;DR: A recent Industrial Cyber feature argues that insider behavior has become one of the weakest links in critical infrastructure cyber defense, with human error driving 80 to 90 percent of industrial accidents and negligent insiders responsible for roughly 56 percent of breaches. Chuck Gallagher, business ethics keynote speaker and defense ethics trainer, argues that for the defense industrial base this isn’t a monitoring problem or a training problem. It’s a culture problem that shows up in the gap between what people are told to do and what they feel safe reporting when they see something wrong.
The first insider incident I remember working through with a defense contractor didn’t start in the server room. It started in a break room, where a mid-level engineer mentioned to a coworker that he’d been asked to plug in a vendor’s USB drive to speed up a maintenance window. The coworker didn’t say anything. The engineer didn’t say anything. The drive went in. Weeks later, when the forensics team traced the intrusion back to that moment, nobody involved had technically broken a rule. They had just made a long series of small choices that felt like efficiency and looked, from the outside, like sabotage.
That’s the world the Industrial Cyber feature “Rising Cost of Trust as Insider Behavior Becomes a Weak Link in Critical Infrastructure Cyber Defense” is trying to describe. The piece lays out what cybersecurity professionals at Jacobs, Waterfall Security, San Diego Gas & Electric, and Radiflow already see on the ground: in operational technology environments, human behavior is the most unstable variable in the system. Gartner and CISA have both flagged insider threats as a top security risk in OT. The data backs them up. But the data alone doesn’t tell defense leaders what to do about it.
Why does the defense industrial base inherit every insider risk in the OT supply chain?
As a defense ethics keynote speaker and trainer, I’ve spent time in rooms with primes, subs, utilities, and integrators who all share the same uncomfortable truth: the defense industrial base doesn’t just depend on its own employees behaving well. It depends on the OT floor at every subcontractor, every integrator, every third-party vendor who touches a SCADA server, a PLC, or an HMI. The Industrial Cyber article quotes Gabriel Agboruche of Jacobs on exactly this point, observing that third-party vendors often have the same level of access to critical control systems as internal staff, and cybersecurity is rarely their primary focus. For a defense program, that means every cleared facility is only as trustworthy as the least careful contractor with remote access to a controller.
This is where the ethical problem becomes a national security problem. In a purely commercial OT environment, a negligent insider might cause downtime or a safety incident. In the defense industrial base, that same negligent insider can become the unintended pivot point for a nation-state adversary. Lior Frenkel, CEO of Waterfall Security, makes the argument explicit in the article when he warns about remote contractors who are actually foreign agents, and about “living off the land” attacks where outsiders impersonate insiders with startling accuracy. That threat vector doesn’t care whether the insider meant any harm. It cares whether the insider left the door cracked open.
The Ponemon Institute and DTEX Systems' 2025 Cost of Insider Risks report puts the average annual cost of insider risk at $17.4 million per organization (that figure is an annualized, per-organization total, not the price of one incident). In a defense context, even that number understates the real damage, because the downstream losses of a compromised program, including schedule slips, classified data exposure, congressional scrutiny, and prime-level suspensions, don't show up in a standard cost model. What shows up instead is the slow erosion of customer confidence. And in defense contracting, customer confidence is the product.
What should defense leaders actually do when monitoring and morale collide?
The Industrial Cyber piece is honest about the tension that every program manager eventually runs into. Surveillance works, up to a point. Past that point, it corrodes the exact culture it was supposed to protect. Veronica Rauch at San Diego Gas & Electric puts it plainly in the article: the goal is to detect concerning behaviors without creating a culture of fear. Ilan Barda at Radiflow argues the same thing from a different angle, saying trust grows when monitoring is clearly tied to safety and reliability, not to control. I agree with both of them, and I’d add one piece that ethics training in defense tends to miss.
People don’t stop reporting problems because they’re afraid of being monitored. They stop reporting problems because they’ve watched what happened to the last person who reported one. Every insider incident I’ve studied — and I’ve studied quite a few — has at least one person in the middle who saw something, hesitated, and decided the personal cost of speaking up was higher than the organizational cost of staying quiet. That calculation is not a character flaw. It’s a cultural signal. And it’s the single most predictive data point you have about whether your insider threat program is actually working.
As a defense ethics keynote speaker and trainer, my strongest recommendation to defense leaders who have read the Industrial Cyber piece is this: stop thinking of insider threat as a surveillance problem and start thinking of it as a truth-telling problem. The technical controls matter. Hardware-enforced unidirectional gateways, micro-segmentation, behavioral analytics trained on OT telemetry — all of it matters. SANS and MITRE are right to push behavioral analytics that use each PLC and HMI’s normal pattern as a baseline. But none of those controls compensate for a workforce that has learned silence is safer than honesty. You can find more of my thinking on this at ChuckGallagher.com, where I’ve written about how the first vulnerability in any defense program is almost never technical. It’s psychological.
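To make the baselining idea concrete, here is a small example of the per-asset behavioral baseline the paragraph above refers to. This is illustrative code added for this page; it is not from the Industrial Cyber feature, SANS, MITRE, or the author's own material, and the log format, asset names, accounts and addresses are all constructed. It learns, for each PLC, which accounts, source hosts and hours of day normally perform state-changing operations, then reports how an evaluation window departs from that baseline.

```python
"""Per-asset behavioral baseline for OT write traffic (illustrative example).

Log line format is constructed for this example:
    <ISO timestamp> <asset> <account> <source host> <operation>
Operations: READ (harmless), WRITE (register/tag write), DOWNLOAD (logic change).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

STATE_CHANGING = {"WRITE", "DOWNLOAD"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    asset: str     # PLC or HMI identifier (hypothetical names)
    account: str
    src: str       # source host of the session
    op: str


def parse(line: str) -> Event:
    ts, asset, account, src, op = line.split()
    return Event(datetime.fromisoformat(ts), asset, account, src, op)


def build_baseline(events):
    """For each asset, record who/where/when performed state-changing ops."""
    base = defaultdict(lambda: {"accounts": set(), "sources": set(), "hours": set()})
    for e in events:
        if e.op in STATE_CHANGING:
            b = base[e.asset]
            b["accounts"].add(e.account)
            b["sources"].add(e.src)
            b["hours"].add(e.ts.hour)
    return dict(base)


def score(event: Event, baseline) -> list:
    """Return the ways a state-changing event deviates from its asset's baseline."""
    if event.op not in STATE_CHANGING:
        return []                      # reads are not scored here
    b = baseline.get(event.asset)
    if b is None:
        return ["no baseline for asset"]
    reasons = []
    if event.account not in b["accounts"]:
        reasons.append(f"new account {event.account}")
    if event.src not in b["sources"]:
        reasons.append(f"new source {event.src}")
    if event.ts.hour not in b["hours"]:
        reasons.append(f"unusual hour {event.ts.hour:02d}")
    return reasons


def detect(baseline_lines, eval_lines, min_reasons: int = 1):
    """Learn from baseline_lines, then return [(event, reasons)] for eval_lines."""
    baseline = build_baseline(parse(l) for l in baseline_lines)
    alerts = []
    for e in (parse(l) for l in eval_lines):
        reasons = score(e, baseline)
        if len(reasons) >= min_reasons:
            alerts.append((e, reasons))
    return alerts


# Constructed "normal week" of traffic used to learn the baseline.
BASELINE_LINES = [
    "2025-03-03T09:12:00 plc-07 svc_hmi 10.1.5.20 WRITE",
    "2025-03-03T14:40:00 plc-07 svc_hmi 10.1.5.20 WRITE",
    "2025-03-04T10:03:00 plc-07 jdoe 10.1.5.31 WRITE",
    "2025-03-04T15:25:00 plc-07 svc_hmi 10.1.5.20 WRITE",
    "2025-03-05T11:00:00 plc-12 svc_hmi 10.1.5.20 WRITE",
    "2025-03-05T11:30:00 plc-12 jdoe 10.1.5.31 READ",
    "2025-03-06T13:00:00 plc-07 jdoe 10.1.5.31 DOWNLOAD",
]

# Constructed evaluation window.
EVAL_LINES = [
    "2025-03-10T02:17:00 plc-07 vendor_oem 172.16.9.5 WRITE",   # remote vendor, 02:00 -> 3 reasons
    "2025-03-10T09:30:00 plc-07 svc_hmi 10.1.5.20 WRITE",       # routine -> no alert
    "2025-03-10T10:15:00 plc-12 jdoe 10.1.5.31 WRITE",          # engineer's first write to plc-12 -> 3 reasons
    "2025-03-10T13:05:00 plc-07 jdoe 10.1.5.31 DOWNLOAD",       # logic change that fits the baseline -> no alert
    "2025-03-10T16:00:00 plc-03 svc_hmi 10.1.5.20 WRITE",       # asset never baselined -> 1 reason
]

if __name__ == "__main__":
    for event, reasons in detect(BASELINE_LINES, EVAL_LINES):
        print(event.ts, event.asset, event.account, event.op, "->", "; ".join(reasons))
```

Two of the constructed lines carry the argument of this section. The fourth evaluation line, a logic download by an engineer who normally does exactly that, produces no alert at all: an insider who already holds legitimate access looks like the baseline, which is why the coworker who notices something off remains the earliest signal. The third line shows the other side of Rauch's point: an engineer whose role legitimately expanded trips the same logic as the vendor, and what the organization does with that alert decides whether monitoring reads as safety or as control.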
If you lead a defense contractor right now, the NIST CSF 2.0 alignment is a starting point, not a finish line. The framework handles the technical scaffolding. It does not handle the moment when an engineer has to decide whether to flag the vendor who skipped a step. That decision will happen. It is happening somewhere in your organization today. The question is whether the culture you’ve built makes that decision easier or harder. Everything else — the analytics, the red teams, the policy documents — rides on the answer.
Frequently Asked Questions
What percentage of industrial cyber incidents involve insider behavior?
According to data referenced in the Industrial Cyber feature, human error accounts for 80 to 90 percent of industrial accidents, and negligent insiders are responsible for approximately 56 percent of breaches in OT environments. Gartner and CISA both identify insider threats as a top security risk in operational technology. The Ponemon Institute and DTEX Systems' 2025 Cost of Insider Risks report puts the average annual cost of insider risk at $17.4 million per organization, a figure that aggregates all of an organization's insider incidents over a year rather than pricing any single incident.
How do insider threats in defense industrial OT differ from insider threats in standard IT?
The difference is consequence. IT insider incidents typically produce business harm such as fraud or data theft, while OT insider incidents can directly affect physical processes, safety systems, and production. In the defense industrial base, a negligent OT insider can also become the unintended entry point for a nation-state adversary, turning an operational misstep into a national security incident. Frameworks such as NIST CSF 2.0 and ISA/IEC 62443 address parts of this, but the human layer still gets underweighted.
What role do third-party contractors play in critical infrastructure insider risk?
Third-party vendors, integrators, and OEM maintenance contractors often hold the same level of access to SCADA servers, PLCs, and HMIs as full-time staff, but operate under weaker oversight. The Industrial Cyber feature quotes Gabriel Agboruche of Jacobs noting that vendor cybersecurity practices rarely align with the contracting organization’s practices. For defense programs, this means every facility inherits the insider-risk posture of its least careful subcontractor, which is why prime-level accountability for supply chain behavior is now a compliance expectation, not a preference.
Can AI and behavioral analytics actually catch insider threats in OT environments?
AI can meaningfully assist by detecting anomalies in login patterns, data access, and PLC or HMI telemetry, which SANS recommends as a layer across industrial control systems. But both Gartner and CISA have emphasized that AI should be viewed as an enabler, not a replacement for process controls, behavioral monitoring, and healthy culture. Business ethics keynote speaker Chuck Gallagher argues that AI-driven detection is most effective when it sits on top of a workforce that already feels safe reporting concerns directly, because the best early warning signal in any insider case is still a coworker who speaks up.
What is the single most overlooked element of an insider threat program in the defense industry?
The reporting climate. Most defense contractors have hotlines, policies, and annual training, but few measure whether employees actually trust the system enough to use it. When retaliation is implicit rather than explicit, reporting drops, and insider incidents proceed without warning. The Industrial Cyber feature underscores that monitoring only works when paired with transparency, clear purpose, and a culture where honest reporting is rewarded rather than punished.
Your take
If you work in the defense industrial base, you’ve probably watched some version of this tension play out in real time — the balance between oversight and trust, between technical controls and human judgment. What have you seen actually work? Where have surveillance-first approaches backfired inside your organization, and where has a culture of honest reporting prevented something worse? Share your experience in the comments. I read and respond to every one. Before you go, a few questions worth sitting with for a few minutes before your next security review.
Five Questions for Further Thought and Consideration
- If an employee saw a vendor skip a security step on your OT network this afternoon, would they tell someone — and would they believe the organization would respond well when they did?
- What does your organization measure about its insider threat program besides the number of alerts it generates? How do you know the program is actually building trust rather than eroding it?
- How much of your current insider risk sits outside your employee base, in the hands of third-party integrators and OEM maintenance contractors with OT access?
- If a prime contractor audited your reporting climate tomorrow and interviewed your engineers privately, what would they learn about what happens to people who raise concerns?
- What would it cost your program if the next insider incident you face turns out to have been visible to three people who decided not to say anything? And what would it cost to build a culture where that never happens again?
Related Articles:
The Ethics of Aggregation: Why Harmless Posts Become Intelligence
Defense Contractor Ethics: When Shared Responsibility Becomes No Responsibility
