HP in Cybersecurity: CyOTE
- Idaho National Laboratory
The U.S. Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER), through the Cybersecurity for the Operational Technology Environment (CyOTE) Program, worked with energy sector asset owners and operators (AOOs), partners, and Idaho National Laboratory (INL) to develop capabilities that let AOOs independently detect adversarial tactics, techniques, and procedures (TTPs) within their operational technology (OT) environments. Unlike the approach taken by commercial security solutions, CyOTE seeks to tie anomalies observed in operations to an underlying cyber-attack. By stringing together multiple techniques observed in the OT environment, AOOs can identify attack campaigns sooner, with ever-decreasing impact. The CyOTE methodology applies the fundamental concepts of perception and comprehension to a universe of knowns and unknowns that is progressively disaggregated into observables, anomalies, and triggering events. MITRE’s ATT&CK® for Industrial Control Systems (ICS) is used as a common lexicon to identify a set of triggering events related to three Use Cases: Alarm Logs, Human-Machine Interface (HMI), and Remote Logins. Together these account for 87 percent of the techniques commonly used by adversaries. The CyOTE methodology also applies to OT-related anomalies perceived outside the three Use Cases, such as through the behavior of the energy system itself.
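To make the observable → anomaly → triggering-event chain concrete, here is a small correlation routine written for this record as an added illustration; it is not INL or CyOTE code and does not reproduce the program's actual rules. It reads constructed log lines from the three Use Cases (remote logins, HMI actions, alarm handling), compares each against a constructed per-account baseline to flag anomalies, labels each anomaly with an ATT&CK for ICS technique (the mapping is the editor's assumption, not the paper's), and raises a triggering event when one actor produces anomalies in two or more Use Cases within a short window, which is the "stringing together" the abstract describes.

```python
"""Toy CyOTE-style correlation: observables -> anomalies -> triggering events.

Added illustration only. The log lines, the baseline and the technique
mapping below are constructed assumptions, not data from the CyOTE program.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line: time|use_case|account|key=value ...
# 203.0.113.0/24 is a documentation range, not a real source address.
SAMPLE_LOG = """\
2024-03-01T01:58:10|remote_login|svc_vendor|src=203.0.113.7 result=success
2024-03-01T02:00:03|hmi|svc_vendor|action=setpoint_write tag=PUMP_01_SP value=0
2024-03-01T02:00:05|alarm|svc_vendor|action=suppress tag=PUMP_01_HIHI
2024-03-01T09:15:00|remote_login|j.operator|src=10.10.5.20 result=success
2024-03-01T09:20:00|hmi|j.operator|action=setpoint_write tag=TANK_02_LVL value=55
"""

# Constructed baseline: what "normal" looks like for each account.
BASELINE = {
    "j.operator": {"hours": range(6, 18), "sources": ["10.10.5."], "can_write": True},
    "svc_vendor": {"hours": range(8, 17), "sources": ["10.10.7."], "can_write": False},
}

# Assumed ATT&CK for ICS labels per anomaly kind (editor's mapping, not the paper's).
TECHNIQUES = {
    "login_offhours": "T0886 Remote Services",
    "login_unexpected_source": "T0822 External Remote Services",
    "hmi_unauthorized_write": "T0831 Manipulation of Control",
    "alarm_suppressed": "T0878 Alarm Suppression",
}


def parse_events(text):
    """Turn the pipe-delimited sample lines into dicts (the 'observables')."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, use_case, actor, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({"time": datetime.fromisoformat(ts), "use_case": use_case,
                       "actor": actor, **fields})
    return events


def detect_anomalies(events, baseline=BASELINE):
    """Compare each observable with the actor's baseline; unknown actors are anomalous."""
    anomalies = []
    for ev in events:
        profile = baseline.get(ev["actor"])
        kinds = []
        if ev["use_case"] == "remote_login" and ev.get("result") == "success":
            if profile is None or ev["time"].hour not in profile["hours"]:
                kinds.append("login_offhours")
            if profile is None or not any(ev["src"].startswith(p) for p in profile["sources"]):
                kinds.append("login_unexpected_source")
        elif ev["use_case"] == "hmi" and ev.get("action") == "setpoint_write":
            if profile is None or not profile["can_write"]:
                kinds.append("hmi_unauthorized_write")
        elif ev["use_case"] == "alarm" and ev.get("action") == "suppress":
            kinds.append("alarm_suppressed")
        for kind in kinds:
            anomalies.append({"time": ev["time"], "actor": ev["actor"],
                              "use_case": ev["use_case"], "kind": kind,
                              "technique": TECHNIQUES[kind]})
    return anomalies


def correlate(anomalies, window=timedelta(minutes=15), min_use_cases=2):
    """A triggering event: one actor with anomalies in >= min_use_cases
    distinct Use Cases inside `window`. Returns at most one per actor."""
    by_actor = defaultdict(list)
    for a in sorted(anomalies, key=lambda a: a["time"]):
        by_actor[a["actor"]].append(a)
    triggers = []
    for actor, items in by_actor.items():
        for i, first in enumerate(items):
            chain = [a for a in items[i:] if a["time"] - first["time"] <= window]
            use_cases = {a["use_case"] for a in chain}
            if len(use_cases) >= min_use_cases:
                triggers.append({"actor": actor, "start": first["time"],
                                 "use_cases": sorted(use_cases),
                                 "techniques": sorted({a["technique"] for a in chain})})
                break
    return triggers


if __name__ == "__main__":
    for trigger in correlate(detect_anomalies(parse_events(SAMPLE_LOG))):
        print(trigger)
```

On the constructed input, `j.operator` produces no anomalies, while `svc_vendor` produces four across all three Use Cases within two minutes, which the correlation step reports as a single triggering event carrying the chained technique labels for an analyst to review. The point of the design is that each individual anomaly (an off-hours login, a setpoint write, a suppressed alarm) is plausible on its own; only the chain across Use Cases justifies escalation.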
- Research Organization:
- Idaho National Laboratory (INL), Idaho Falls, ID (United States)
- Sponsoring Organization:
- ReliabilityFirst
- DOE Contract Number:
- AC07-05ID14517
- OSTI ID:
- 1894927
- Report Number(s):
- INL/CON-21-63826-Rev000
- Country of Publication:
- United States
- Language:
- English