CyOTE: Cybersecurity for Operational Technology Environments

Incorporating context for better threat detection
Fact Sheet

Capabilities to Identify Cyber Attack Techniques within Operational Technology (OT) Environments

Securing the nation’s energy infrastructure – like the electric power grid, renewable energy technology and oil and natural gas systems – from advanced cyber threats is essential to national security. Since most U.S. energy infrastructures are privately owned, access to government intelligence about adversarial tactics and techniques is difficult to obtain and resources for assessing potential malicious activity are limited.

To address these emerging concerns, Department of Energy’s Cybersecurity, Energy Security, and Emergency Response Office (DOE-CESER) has partnered with Idaho National Laboratory and energy companies on a research initiative called Cybersecurity for the Operational Technology Environment (CyOTE). This initiative aims to enhance energy sector threat detection of anomalous behavior potentially indicating malicious cyber activity in operational technology (OT) networks.

CyOTE has created a cyber threat detection method for energy sector companies to independently identify adversarial techniques within their OT environments that could result in physical disruptions to energy flows or damage to equipment. This methodology is unique because it ties in operations information from the initial perception of a triggering event and allows owners and operators to comprehend the information they have and make faster decisions with higher confidence.

Approach & Methodology

CyOTE seeks to build upon existing commercial security monitoring solutions by tying physical effects of a cyberattack to anomalies in the operational technology (OT) environment.

Key aspects of the CyOTE methodology include:

  • Aligns to the National Cyber Strategy
  • Aids energy sector asset owners and operators in combining data from sensors with local context from operations and the business to sense indicators of attack within their OT environments
  • Establishes a common lexicon for OT cybersecurity in the energy sector, aligned with MITRE’s ATT&CK® Framework for ICS
  • Improves confidence to make risk-informed business decisions between initiating incident response or fixing a reliability failure
  • Based on the fundamental concepts of perception and comprehension, applied to a universe of knowns and unknowns that are increasingly disaggregated into observables, anomalies, and triggering events

CyOTE Detection Capabilities

This MITRE ATTACK for ICS Matrix is used to show the identified tactics and associated techniques. The areas marked with checks have Technique Detection Capabilities Sheets developed for asset owners and operators to use.