Cybersecurity for the Operational Technology Environment (CyOTE)
Incorporating context for better threat detection
Securing the nation’s energy infrastructure – like the electric power grid, renewable energy technology and oil and natural gas systems – from advanced cyber threats is essential to national security. Since most U.S. energy infrastructures are privately owned, access to government intelligence about adversarial tactics and techniques is difficult to obtain and resources for assessing potential malicious activity are limited.
To address these emerging concerns, Department of Energy’s Cybersecurity, Energy Security, and Emergency Response Office (DOE-CESER) has partnered with Idaho National Laboratory and energy companies on a research initiative called Cybersecurity for the Operational Technology Environment (CyOTE). This initiative aims to enhance energy sector threat detection of anomalous behavior potentially indicating malicious cyber activity in operational technology (OT) networks.
CyOTE has created a cyber threat detection method for energy sector companies to independently identify adversarial techniques within their OT environments that could result in physical disruptions to energy flows or damage to equipment. This methodology is unique because it ties in operations information from the initial perception of a triggering event and allows owners and operators to comprehend the information they have and make faster decisions with higher confidence.
CyOTE seeks to build upon existing commercial security monitoring solutions by tying physical effects of a cyberattack to anomalies in the operational technology (OT) environment.
Key aspects of the CyOTE methodology include:
This MITRE ATTACK for ICS Matrix is used to show the identified tactics and associated techniques. The areas marked with checks have Technique Detection Capabilities Sheets developed for asset owners and operators to use.