CyOTE Insights

Two decades of publicly reported OT cyber attacks, decomposed into observable adversary behavior and mapped to MITRE ATT&CK for ICS.

CyOTE Insights is the open-source release of the analytical dashboard developed under the CyOTE program at Idaho National Laboratory. It makes the program’s 27 Precursor Analysis Reports (PARs), every observable behind them, and the CyOTE team’s cross-attack analysis directly explorable. The same datasets serve as the foundational data layer for the other CyOTE tools: ACEBAMOPTIC, and CATCH.

What's a PAR?

A Precursor Analysis Report decomposes a documented OT cyber attack into the dated sequence of TTPs, observables, and impact estimates that preceded operational consequences.

About the Dataset

A Precursor Analysis Report (PAR) reconstructs a publicly documented OT cyber incident into the sequence of observable adversary behaviors, techniques, and operational impacts that occurred before consequences were realized. CyOTE Insights makes these reports explorable through a common analytical framework aligned to MITRE ATT&CK for ICS.

The dataset currently includes:

  • 27 PARs spanning 2006–2023
  • 14,000+ observables cataloged
  • 10 ransomware PARs
  • 22 years of attack history
CyOTE Insights v1.1 dashboard

Dataset Highlights

Notable Attacks Documented

The PAR collection spans more than two decades of publicly reported OT, ICS, and supply-chain cyber incidents, including the attacks highlighted below and 13 additional documented events.

  • Maroochy Shire, 2000
  • Havex, 2014
  • Ukraine (BlackEnergy), 2015
  • Industroyer 1.0, 2016
  • Triton, 2017
  • NotPetya, 2017
  • WannaCry, 2017
  • Norsk Hydro (LockerGoga), 2019
  • SolarWinds, 2020
  • Colonial Pipeline, 2021
  • Oldsmar, 2021
  • JBS Foods, 2021
  • Incontroller, 2022
  • Industroyer 2.0, 2022

Timeline of notable cyber attacks

Analysis Views

Whether you’re an OT defender, executive, or researcher, CyOTE Insights provides multiple perspectives for exploring documented cyber incidents.

Threat Analysis

Financial Impact

Single Attack Drill-Down

Quick-Start

1. Clone

   Pull the repository from GitHub.

   git clone https://github.com/idaholab/Insights.git

2. Run with Docker

   Follow the repository README to build and launch the stack.

3. Open the dashboard

   Visit the local URL printed by Docker and start exploring the PARs.

Dataset: 27 Precursor Analysis Reports (PARs) and the observables behind them

Framework: Aligned with MITRE ATT&CK for ICS

License: MIT

Source

Deployment: Docker (self-hosted)

Stack: React, Vite, Node.js, Express, TypeScript

Maintainer: Idaho National Laboratory

Resources & Documentation

GitHub Repository

Source code, issue tracker, and release downloads.

Installation & Setup Guide

Step-by-step instructions for running CyOTE Insights with Docker.

Requests or Questions

File bug reports and feature requests directly on GitHub.

Get started with CyOTE Insights

Download the latest release from GitHub and start working with 20+ years of documented OT cyber incident data. Installation instructions, user documentation, and supporting resources are included to help you get up and running quickly.

Windows Installer (.exe)

Easy installation for Windows 10/11.

macOS Installer (.dmg)

Native installer for macOS.


CyOTE Insights is distributed under the MIT license and is provided as-is. It is intended for research, education, and defensive cybersecurity use. Idaho National Laboratory is operated by Battelle Energy Alliance for the U.S. Department of Energy. Headline statistics are drawn from the public Insights repository dataset.