Cybersecurity for the Operational Technology Environment (CyOTE)

Incorporating context for better threat detection and cyberattack techniques

The Department of Energy’s Cybersecurity, Energy Security, and Emergency Response Office (CESER) has partnered with Idaho National Laboratory (INL) to lead a research initiative, called CyOTE, that addresses energy sector cybersecurity threats against operational technology (OT) environments. Through coordinated research with the national lab complex and energy sector companies, researchers analyze ICS/OT attack surfaces, develop new capabilities to evolve the national OT Cybersecurity posture, and share information about adversarial tactics and techniques. CyOTE improves the sector’s ability to detect and respond to anomalous behavior that indicates potential malicious activity in OT networks.

OT applications, radio frequency (RF) environments, OT supporting infrastructure and connecting wired and wireless networks are increasingly becoming targets of cyberattacks. These attacks can have devastating consequences, such as disruption to energy supplies, damage to critical infrastructure, significant financial loss, and risk to human life. CyOTE can be used as a methodology and a suite of supporting tools to aid in the protection of OT networks in the energy sector.

Benefits of CyOTE

CyOTE provides a number of benefits to the energy sector, including:

Increased awareness of OT cybersecurity threats and attack surface
Enhancing threat detection capabilities for continuous improvement
Access to shared information about adversarial tactics and techniques that is identified in historical compromises
Opportunities to collaborate with other energy sector organizations on cybersecurity

Tools and Technology Development

Disclaimer: By requesting / accessing these free tools, you agree that you will not use or modify the tool(s) for commercial purposes.

CyOTE Executive’s Dashboard

This web platform translates information from a comprehensive database of indicators from 27 publicly reported cyber attacks to offer valuable, actionable

CyOTE Practitioner’s Dashboard (Retired)

Bayesian Attack Model (BAM)

Collection and Analysis of Telemetry for CyOTE Heuristics (CATCH)

CyOTE Operational Process for Trigger Identification and Comprehension (OPTIC)

Announcements

New CyOTE Tools Support Better Risk-Informed Cybersecurity Decision-Making

The cybersecurity tools used for information technology (IT) environments cannot equally protect the operational technology (OT) environment from cyber threats.

Research Papers/Case Studies

Please use this form to request access to the following content. Full access registration is coming soon.

Report – Industroyer Targeting Ukraine Electric Power Transport Utility (Ukrenergo) – 2014

In 2016, the Industroyer malware was used to disrupt the Ukrainian power grid which impacted a single transmission level substation, resulting in electric power outages in the city of Kyiv and the Kyiv region that lasted for over an hour. The attackers gained access to Ukrenergo’s enterprise networks through a spearphishing campaign and then captured credentials allowing them to access the industrial control system (ICS) environment at the Pivnichna electric transmission substation.

Report – Insider Attack on the Maroochy Shire Sewerage Control System – 2000

In 2000, a disgruntled former employee conducted a cyberattack on the Maroochy Shire sewerage control system in Australia, releasing millions of liters of raw sewage into local waterways. This early example of an insider cyber threat illustrated the potential for significant environmental and public health consequences.

Report – SQL Slammer Worm Infection of Davis-Besse Nuclear Power Plant – 2003

The 2003 infection of the Davis-Besse Nuclear Power Plant by the SQL Slammer worm disrupted safety monitoring systems for nearly five hours. This early example of a cyber threat to nuclear infrastructure highlighted the vulnerabilities in critical systems and the need for improved cybersecurity practices.

Report – Baku-Tbilisi-Ceyhan (BTC) Pipeline Explosion in Refahiye, Turkey – 2008

In 2008, a cyberattack was believed to have caused an explosion on the Baku-Tbilisi-Ceyhan (BTC) pipeline in Turkey. The attack disabled safety and monitoring systems, leading to significant environmental and economic damage, and highlighting the potential catastrophic consequences of cyber threats to critical energy infrastructure.

Report – Night Dragon Campaign – 2007-2011

The Night Dragon campaign, active from 2007 to 2011, saw a series of coordinated cyberattacks against global oil, energy, and petrochemical companies. These attacks aimed at stealing sensitive proprietary information and intellectual property, highlighting the persistent cyber threat to the energy sector from state-sponsored actors.

Report – Use of Havex Against a U.S. Manufacturing Facility – 2014

In 2014, the Havex malware targeted a U.S. manufacturing facility, compromising industrial control systems. This attack, part of a broader campaign against the energy sector, underscored the persistent threats to industrial operations and the necessity of securing operational technology environments.

Report – Cyber Attack on Thyssenkrupp Blast Furnace – 2014

In 2014, German steelmaker Thyssenkrupp faced a cyberattack targeting its blast furnaces. The attack, attributed to sophisticated hackers, caused significant damage to production equipment, underlining the risks to industrial control systems in manufacturing environments.

Report – Ukraine Energy Sector Cyber Attack – 2015

In December 2015, a cyberattack on Ukraine’s energy sector led to widespread power outages, affecting hundreds of thousands of residents. This attack, executed using the BlackEnergy malware, marked a significant escalation in cyber warfare, targeting critical infrastructure and disrupting civilian life.

Report – Conficker Infection of Gundremmingen Nuclear Power Plant – 2016

In 2016, the Conficker worm infected systems at Germany’s Gundremmingen nuclear power plant. While no critical operations were impacted, the incident raised alarms about the cybersecurity of nuclear facilities and the need for robust defenses against malware infections.

Case Study – WannaCry Ransomware Attack on Renault-Nissan – 2017

In 2017, the WannaCry ransomware attack struck Renault-Nissan, forcing the automaker to halt production at several plants. The widespread cyberattack exploited vulnerabilities in outdated software, disrupting operations and highlighting the need for stronger cybersecurity measures.

Case Study – Triton Malware Attack Against Petro Rabigh – 2017

The Triton malware attack on Petro Rabigh, a Saudi-based petrochemical plant, targeted industrial safety systems in an attempt to cause physical damage. This incident highlighted the potential for cyberattacks to endanger human lives by compromising industrial safety mechanisms.

Report – Shamoon Malware Campaign Against Sadara Chemical Company – 2017

The 2017 Shamoon malware campaign targeted Sadara Chemical Company, a joint venture between Saudi Aramco and Dow Chemical. This destructive malware attack aimed at crippling operations, underscoring the ongoing cyber threats to the chemical and energy sectors.

Report – NotPetya Malware Attack on AP Moller-Maersk – 2017

In 2017, the NotPetya malware caused widespread disruption to AP Moller-Maersk, a major global shipping conglomerate. The attack crippled IT systems, halted operations at ports worldwide, and resulted in substantial financial losses, showcasing the devastating impact of destructive malware on global trade.

Report – LockerGoga Ransomware Attack on Norsk Hydro – 2019

The 2019 LockerGoga ransomware attack on Norsk Hydro, a Norwegian aluminum producer, disrupted operations across multiple countries and resulted in substantial financial losses. This incident demonstrated the severe operational and economic impacts of ransomware on industrial organizations.

Report – Kansas Water Utility Insider Cyber Attack – 2019

In 2019, an insider cyberattack on a Kansas water utility threatened water safety and supply. This incident emphasized the risk posed by disgruntled employees and the importance of robust insider threat detection and prevention measures in critical infrastructure sectors.

Report – DoppelPaymer Ransomware Attack on Petroleos Mexicanos (PEMEX) – 2019

In 2019, Petroleos Mexicanos (PEMEX), Mexico’s state oil company, was hit by a DoppelPaymer ransomware attack. The incident disrupted administrative operations and showcased the increasing frequency of ransomware attacks targeting the oil and gas industry.

Report – Mumbai Power Outage – Reliability Failure Exposes Malware Intrusion – 2020

In 2020, Mumbai experienced a major power outage, later attributed to a combination of reliability issues and a suspected malware intrusion. The incident underscored the interconnected nature of cybersecurity and physical infrastructure reliability, highlighting the need for comprehensive security strategies.

Case Study – EKANS Ransomware Attack on Honda – 2020

In 2020, Honda faced a crippling EKANS ransomware attack that disrupted its global operations. The cyberattack forced the automaker to halt production and impacted its ability to access critical systems and data.

Report – SolarWinds Software Supply Chain Compromise Against a U.S. Energy Provider – 2020

The 2020 SolarWinds software supply chain compromise affected numerous organizations, including a U.S. energy provider. The attack, attributed to state-sponsored actors, demonstrated the far-reaching implications of supply chain vulnerabilities and the need for rigorous software security practices.

Report – Ryuk Ransomware Attack on Universal Health Services (UHS) – 2020

In 2020, Universal Health Services (UHS), one of the largest healthcare providers in the U.S., suffered a Ryuk ransomware attack. The attack disrupted hospital operations, delayed patient care, and highlighted the critical vulnerabilities in healthcare cybersecurity.

Report – Remote Access Attack on Oldsmar Water Treatment Facility – 2021

In 2021, hackers remotely accessed the Oldsmar water treatment facility in Florida and attempted to poison the water supply by increasing the levels of sodium hydroxide. The attack was thwarted, but it highlighted the critical need for securing remote access systems in public utilities.

Report – JBS Foods Ransomware Attack – 2021

In 2021, JBS Foods, the world’s largest meat processing company, fell victim to a ransomware attack that disrupted operations in several countries. The attack highlighted the vulnerability of the food supply chain to cyber threats and the significant economic impact such incidents can have on global markets.

Report – Darkside Ransomware Attack on Colonial Pipeline – 2021

In 2021, the Colonial Pipeline, a major fuel supply line in the U.S., fell victim to a DarkSide ransomware attack. The breach led to significant fuel shortages and panic buying, underscoring the vulnerability of critical infrastructure to cyber threats.

Report – Conti Ransomware Attack on the Health Service Executive – (HSE) 2021

In 2021, the Health Service Executive (HSE) of Ireland was struck by a devastating Conti ransomware attack. This incident severely disrupted healthcare services across the country, forcing cancellations of appointments and critical procedures. The attack underscored the vulnerabilities in healthcare cybersecurity and the rising trend of ransomware targeting vital public services.

Report – BlackMatter Ransomware Attack on New Cooperative – 2021

In 2021, BlackMatter ransomware targeted New Cooperative, an Iowa-based grain cooperative, disrupting operations critical to the agricultural supply chain. The attackers demanded a hefty ransom, emphasizing the growing threat to food security posed by cybercriminals targeting agricultural entities.

Report – Industroyer2 and Wiper Malware Targeting Ukrainian Energy Provider – 2022

In 2022, the Ukrainian energy sector faced a severe threat from Industroyer2 and wiper malware, aiming to cripple critical infrastructure. These sophisticated cyberattacks highlighted the escalating cyber warfare tactics in the ongoing conflict, risking widespread power outages and national security.