CyOTE: Cybersecurity for Operational Technology Environments

Incorporating context for better threat detection
Tools

Capabilities to Identify Cyberattack Techniques within Operational Technology (OT) Environments

Fact Sheet

The Department of Energy’s Cybersecurity, Energy Security, and Emergency Response Office (CESER) has partnered with Idaho National Laboratory (INL) to lead a research initiative, called CyOTE, that addresses energy sector cybersecurity threats against operational technology (OT) environments. Through coordinated research with the national lab complex and energy sector companies, researchers analyze ICS/OT attack surfaces, develop new capabilities to evolve the national OT Cybersecurity posture, and share information about adversarial tactics and techniques. CyOTE improves the sector’s ability to detect and respond to anomalous behavior that indicates potential malicious activity in OT networks.

Why is CyOTE Important?

OT applications, radio frequency (RF) environments, OT supporting infrastructure and connecting wired and wireless networks are increasingly becoming targets of cyberattacks. These attacks can have devastating consequences, such as disruption to energy supplies, damage to critical infrastructure, significant financial loss, and risk to human life. CyOTE can be used as a methodology and a suite of supporting tools to aid in the protection of OT networks in the energy sector.

What are the Benefits of CyOTE?

  • CyOTE provides a number of benefits to the energy sector, including:
    • Increased awareness of OT cybersecurity threats and attack surface
    • Enhancing threat detection capabilities for continuous improvement
    • Access to shared information about adversarial tactics and techniques that is identified in historical compromises
    • Opportunities to collaborate with other energy sector organizations on cybersecurity

 

Tools and Technology Development 

Contact Us

Disclaimer: By requesting / accessing these free tools, you agree that you will not use or modify the tool(s) for commercial purposes.

OPTIC

CyOTE Operational Process for Trigger Identification and Comprehension (OPTIC)

The CyOTE OPTIC application helps users determine the appropriate action to a cyber attack or threat by guiding professionals through more than 65,000 possible decision paths about the event. When leveraged across an entire organization, OPTIC improves cyber awareness and communication of events, identifying potential threats earlier and sharing information across business units.

+ READ MORE
CATCH

Collection and Analysis of Telemetry for CyOTE Heuristics (CATCH)

CATCH provides a structured approach to collecting, storing, analyzing, and reporting data about cyber threats and activities. It gathers information from two key toolsets, Collection Engines and Analysis Modules, to analyze telemetry data and identify potential threats.

+ READ MORE
BAM

Bayesian Attack Model (BAM)

This model outlines the progression of a cyber attack across the Early, Middle, Late, and Impact phases. It centers around the cyber attack process and explains the tactics, techniques, and procedures relevant to each stage. A defining component of BAM is its ability to correlate historical events and adversary techniques leveraged over years of cyber attacks.

+ READ MORE
CyOTE Executive’s Dashboard

CyOTE Executive’s Dashboard

This web platform translates information from a comprehensive database of indicators from 27 publicly reported cyber attacks to offer valuable, actionable insights honed specifically for high-ranking decision-makers. Focused on quick access to critical data, this dashboard equips Vice Presidents of Engineering or Chief Information Security Officers (CISOs) with the foundational awareness and understanding they need to fortify their OT security posture.

+ READ MORE
Practitioner's Dashboard

CyOTE Practitioner’s Dashboard (Retired)

The CyOTE Practitioner’s Dashboard is a web application designed to facilitate efficient threat analysis in the realm of operational technology environments. This tool is built upon a comprehensive observable database, crafted through in-depth analysis of 27 publicly reported cyber attacks. Its primary purpose is to empower cybersecurity practitioners with a user-friendly and highly searchable capability to delve deep into these threats.

+ READ MORE
previous arrow
next arrow

Announcements

Research Papers/Case Studies

Registration required for access to full content (coming soon)

Contact Us
Industroyer2 and Wiper Malware Targeting Ukrainian Energy Provider
2022
BlackMatter Ransomware Attack on New Cooperative
2021
Conti Ransomware Attack on the Health Service Executive
(HSE) 2021
Darkside Ransomware Attack on Colonial Pipeline
2021
JBS Foods Ransomware Attack
2021
Remote Access Attack on Oldsmar Water Treatment Facility
2021
Ryuk Ransomware Attack on Universal Health Services (UHS)
2020
SolarWinds Software Supply Chain Compromise Against a U.S. Energy Provider
2020
EKANS Ransomware Attack on Honda
2020
Mumbai Power Outage – Reliability Failure Exposes Malware Intrusion
2020
DoppelPaymer Ransomware Attack on Petroleos Mexicanos (PEMEX)
2019
Kansas Water Utility Insider Cyber Attack
2019
LockerGoga Ransomware Attack on Norsk Hydro
2019
NotPetya Malware Attack on AP Moller-Maersk
2017
Shamoon Malware Campaign Against Sadara Chemical Company
2017
Triton Malware Attack Against Petro Rabigh
2017
WannaCry Ransomware Attack on Renault-Nissan
2017
WannaCry Ransomware Attack on Renault-Nissan
2017
Conficker Infection of Gundremmingen Nuclear Power Plant
2016
Ukraine Energy Sector Cyber Attack
2015
Cyber Attack on Thyssenkrupp Blast Furnace
2014
Use of Havex Against a U.S. Manufacturing Facility
2014
Night Dragon Campaign
2007-2011
Baku-Tbilisi-Ceyhan (BTC) Pipeline Explosion in Refahiye, Turkey
2008
SQL Slammer Worm Infection of Davis-Besse Nuclear Power Plant
2003
Insider Attack on the Maroochy Shire Sewerage Control System
2000

Related Programs

previous arrow
Cybersecurity for the Operational Technology Environment (CyOTE)

Cybersecurity for the Operational Technology Environment (CyOTE)

Incorporating context for better threat detection

Read More
Cyber Testing for Resilient Industrial Control Systems (CyTRICS)

Cyber Testing for Resilient Industrial Control Systems (CyTRICS)

Testing cyber resilience of energy technologies

Read More
Operational Technical Defender Fellowship (OT Defender)

Operational Technical Defender Fellowship (OT Defender)

Elite training for energy sector front-line managers

Read More
Securing Energy Infrastructure Executive Task Force (SEI ETF)

Securing Energy Infrastructure Executive Task Force (SEI ETF)

Partnering with energy sector entities to identify and defend critical control systems

Read More
Energy Sector Software Bill of Materials (SBOM)

Energy Sector Software Bill of Materials (SBOM)

Exploring a proof of concept for the energy community

Read More
next arrow
For more information:
Contact Us