Cybersecurity for the Operational Technology Environment

Incorporating context for better detection of threats and cyberattack techniques

The Department of Energy’s Cybersecurity, Energy Security, and Emergency Response Office (CESER) has partnered with Idaho National Laboratory (INL) to lead Cybersecurity for the Operational Technology Environment (CyOTE), a research initiative that addresses energy sector cybersecurity threats against operational technology (OT) environments. Through coordinated research with the national laboratory complex and energy sector companies, researchers have developed new capabilities to improve the national OT cybersecurity posture.

Benefits of CyOTE

CyOTE provides a number of benefits to the energy sector, including:

  • Increased awareness of OT cybersecurity threats and the OT attack surface
  • Enhanced threat detection capabilities that support continuous improvement
  • Access to shared information about adversary tactics and techniques identified in historical compromises
  • Opportunities to collaborate with other energy sector organizations on cybersecurity

Tools and Technology Development

Disclaimer: By requesting or accessing these free tools, you agree that you will not use or modify the tool(s) for commercial purposes.

Announcements

The cybersecurity tools used for information technology (IT) environments cannot protect the operational technology (OT) environment from cyber threats equally well.

Reports and Papers

Precursor Analysis Reports

Operational technology (OT) systems are increasingly at risk from cyberattacks. This paper introduces a Bayesian network model that helps identify and understand cyber threats in OT environments. The model is built around a process that maps how attackers behave, using the MITRE ATT&CK® for ICS framework to link observed events to possible tactics and techniques. Due to limited public data on OT cyberattacks, the model combines expert insights with information from 27 documented incidents. Two real-world case studies—the Colonial Pipeline ransomware attack and the Thyssenkrupp blast furnace incident—demonstrate how the model works. The goal is to help OT cybersecurity teams detect and respond to threats earlier and more effectively.
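The following is an added illustration of the idea the abstract describes, linking observed OT events to candidate ATT&CK for ICS techniques through a probabilistic model; it is not the paper's model or any CyOTE code. The network structure (one hypothesis node, three conditionally independent event nodes), the priors, the conditional probabilities and the example observation are all constructed for this example, and the two technique IDs and their tactic are used for illustration only.

```python
# Added example, not the paper's model: a naive-Bayes style network that scores
# "benign" against candidate ATT&CK for ICS techniques given observed OT events.
# All probabilities and technique IDs below are constructed for illustration.
from typing import Dict

# Hypothesis -> tactic, used to roll technique scores up to the tactic level.
TECHNIQUE_TACTIC = {
    "T0855": "Impair Process Control",  # Unauthorized Command Message (assumed)
    "T0836": "Impair Process Control",  # Modify Parameter (assumed)
}

# Prior belief before any event is observed (constructed; "benign" dominates).
PRIOR = {"benign": 0.90, "T0855": 0.05, "T0836": 0.05}

# P(event observed | hypothesis) for each boolean event node (constructed).
LIKELIHOOD = {
    "benign": {"new_master_ip": 0.02, "setpoint_write": 0.05, "process_deviation": 0.10},
    "T0855":  {"new_master_ip": 0.70, "setpoint_write": 0.30, "process_deviation": 0.40},
    "T0836":  {"new_master_ip": 0.50, "setpoint_write": 0.90, "process_deviation": 0.70},
}


def posterior(evidence: Dict[str, bool]) -> Dict[str, float]:
    """Return P(hypothesis | evidence). Events missing from `evidence` are
    treated as unobserved and contribute no factor (marginalised out)."""
    unnormalised = {}
    for hypothesis, prior in PRIOR.items():
        p = prior
        for event, seen in evidence.items():
            p_true = LIKELIHOOD[hypothesis][event]  # KeyError for unknown events
            p *= p_true if seen else (1.0 - p_true)
        unnormalised[hypothesis] = p
    total = sum(unnormalised.values())
    return {h: p / total for h, p in unnormalised.items()}


def top_hypothesis(evidence: Dict[str, bool]) -> str:
    post = posterior(evidence)
    return max(post, key=post.get)


def tactic_scores(evidence: Dict[str, bool]) -> Dict[str, float]:
    """Sum technique posteriors per tactic, so analysts can triage by tactic."""
    scores: Dict[str, float] = {}
    for hypothesis, p in posterior(evidence).items():
        if hypothesis in TECHNIQUE_TACTIC:
            tactic = TECHNIQUE_TACTIC[hypothesis]
            scores[tactic] = scores.get(tactic, 0.0) + p
    return scores


if __name__ == "__main__":
    # Constructed observation: an unfamiliar master wrote a setpoint, and the
    # process value has not (yet) deviated from its expected range.
    obs = {"new_master_ip": True, "setpoint_write": True, "process_deviation": False}
    for h, p in sorted(posterior(obs).items(), key=lambda kv: -kv[1]):
        print(f"{h:8s} {p:.3f}")
```

With the constructed numbers, the single observation of a new master makes the unauthorized-command hypothesis most likely, while adding the setpoint write shifts the top hypothesis to parameter modification; the tactic roll-up stays above 0.9 for Impair Process Control in the second case.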

For more information please contact cyote@inl.gov.

Sponsor and Participating Organizations