How can Dragos not have OT insider incidents in their OT CERT?
Control system cyber incidents can be defined as electronic communications between systems, or between systems and displays, that affect confidentiality, integrity or availability (the familiar "CIA triad"). Professor Ross Anderson's definition of security engineering is building systems that remain dependable in the face of "malice, error or mischance," which covers unintentional incidents as well as malicious ones. Individuals and organizations such as the sector information sharing and analysis centers (ISACs) have been tracking cyber breaches for many years, but not control system cyber incidents.
Dragos has been issuing annual reports identifying OT cyber incidents for years. Consequently, it was surprising when on May 11, 2026, Dragos’ Head of OT CERT Dawn Cappelli issued a LinkedIn request for OT insider threat cases. Specifically, Dawn stated:
"Have you ever encountered an insider threat in an industrial environment — or heard about one in the news? By insider I mean anyone with current or former access: employees, contractors, third parties. By threat I mean intentional or accidental — theft of information, impact to operations, anything in between. If so, I need your help. I keep hearing that insider threats rank as a top concern in OT. But how common are they really, and what's the actual impact? Is this fear of the unknown — or fear grounded in reality? I'm launching an informal OT insider threat study for Dragos OT-CERT, collecting real cases to document and analyze. For each incident, we'll develop recommendations for prevention, detection, response, and recovery. I've done this before. As founder and director of the Insider Threat Center at Carnegie Mellon's CERT/CC, I learned that grounding research in real cases — rather than hypotheticals — produces far more powerful results. I want to repeat that process, specifically for OT. Findings will be published as a Dragos report or OT-CERT resource to help industrial organizations understand and mitigate this risk."
On the one hand, it was surprising that none of the responses to her LinkedIn request dealt with control system cyber incidents. On the other hand, very few control system incidents have ever been publicly identified as cyber-related, so there is little for respondents to point to.
I started collecting instrumentation and control system incidents in the early 1990s, initially to understand the scope of compromised sensors (electronic communications) in nuclear safety applications. Once I entered the cybersecurity field in 2000, I expanded my incident collection to include control system electronic communication incidents (malicious and unintentional) that caused actual impacts. I have now identified more than 20 million control system cyber incidents that have killed more than 30,000 people, spanning many sectors globally. The incidents include insiders as well as external threats.
My initial response to Dawn was that I agreed control system cyber incidents can be either unintentional or malicious. Almost by definition, unintentional incidents are "insider threats." I informed her that I have documented many malicious and unintentional insider control system cyber incidents that have caused significant impacts in multiple sectors. As this is my intellectual property, amassed over many years, the information should be valuable, but it is not free. However, Dawn said Dragos wants the information for free. As a result, I cannot provide the information she wants. Dragos should decide how valuable the Dragos OT CERT can be without actual control system cyber incidents.
About the Author
Joe Weiss
Cybersecurity Contributor
Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]