New CyOTE Tools Support Better Risk-Informed Cybersecurity Decision-Making

The cybersecurity tools used for information technology (IT) environments cannot equally protect the operational technology (OT) environment from cyber threats.

Office of Cybersecurity, Energy Security, and Emergency Response

December 12, 2023

The CyOTE program

  • Directly supports the Biden-Harris Administration’s goals for securing the critical energy infrastructure and enhancing resilience of the energy sector. 
  • Promotes collaboration between the government and private sector to accelerate the development and deployment of new cybersecurity technologies.  

The cybersecurity tools used for information technology (IT) environments cannot equally protect the operational technology (OT) environment from cyber threats. IT and OT networks, once maintained as two separate silos, are converging with the modernization of the energy sector, affording industry partners access to important operational data. However, without the proper OT cybersecurity tools, OT environments are at increased risk of cyber attacks from malicious individuals who could leverage cybersecurity tactics to cause an operational disruption or unplanned outage.

The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses that gap with its Cybersecurity for the Operational Technology Environment (CyOTE™) research program. Formed through a public-private partnership between CESER, Idaho National Laboratory (INL), and a handful of forward-thinking energy companies, CyOTE developed tools to detect potential cyber threats in OT networks and empower energy partners to act with little to no impact on their operations. These tools help users from across the sector understand how an attack could happen, including if a technological gap exists, and then prepare them for handling such an event.

The CyOTE team debuted a suite of new tools at a live demonstration and feedback session with industry partners at INL in November 2023. Training energy asset owners and operators on using CyOTE tools plays a pivotal role in improving resilience by:

  • Building trust among stakeholders through comprehensive understanding and demonstration of the tools 
  • Speeding up the development of cybersecurity solutions through public-private collaboration 
  • Reducing the risk of cyber attacks through a comprehensive threat-informed OT cybersecurity approach 

Read more about CyOTE’s newest tools in the technology readiness assessment phase:  

  1. CyOTE Executive’s Dashboard: This web platform translates information from a comprehensive database of indicators from 27 publicly reported cyber attacks to offer valuable, actionable insights honed specifically for high-ranking decision-makers. Focused on quick access to critical data, this dashboard equips Vice Presidents of Engineering or Chief Information Security Officers (CISOs) with the foundational awareness and understanding they need to fortify their OT security posture. 
  2. Operational Process for Trigger Identification and Comprehension (OPTIC) Tool: The CyOTE™ OPTIC application helps users determine the appropriate response to a cyber attack or threat by guiding professionals through more than 65,000 possible decision paths about the event. When leveraged across an entire organization, OPTIC improves cyber awareness and communication of events, identifying potential threats earlier and sharing information across business units.
  3. Collection and Analysis of Telemetry for CyOTE™ Heuristics (CATCH): CATCH provides a structured approach to collecting, storing, analyzing, and reporting data about cyber threats and activities. It gathers information from two key toolsets, Collection Engines and Analysis Modules, to analyze telemetry data and identify potential threats.  
  4. Bayesian Attack Model (BAM): This model outlines the progression of a cyber attack across the Early, Middle, Late, and Impact phases. It centers around the cyber attack process and explains the tactics, techniques, and procedures relevant to each stage. A defining component of BAM is its ability to correlate historical events and adversary techniques leveraged over years of cyber attacks. 
  5. CyOTE Ontology: Since its inception, the CyOTE program generated over 4,000 pages of information and 14,000 indicators that can be used to inform a strong OT cybersecurity posture. The CyOTE Ontology makes it easier for organizations to use this data by leveraging technologies such as Deep Lynx, a data warehouse, to maintain accurate, relevant, and simplified data. Keep an eye out for a future blog about the Cybersecurity Operations Research, Experimentation, Integration, and Innovation (COREII) platform, which synthesizes this information into a user-friendly dashboard. 
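To make the phased Bayesian idea behind item 4 concrete, the following is an added illustration, not CyOTE's BAM or any DOE/INL code: a small forward-filtering model that keeps a probability distribution over the page's four phases (Early, Middle, Late, Impact), moves it forward with a phase-transition matrix, and re-weights it each time a set of OT indicators is observed. Every number, the indicator names, and the observation sequence are constructed for the example; the actual BAM's structure and priors are not on the page.

```python
"""Illustrative Bayesian attack-progression model (hypothetical; not CyOTE's BAM).

Phases follow the page's Early -> Middle -> Late -> Impact ordering. A forward
(filtering) pass keeps a probability distribution over the current phase and
updates it each time a set of indicators is observed. All numbers are
constructed for illustration only.
"""
from typing import Dict, Iterable, List, Tuple

PHASES: List[str] = ["Early", "Middle", "Late", "Impact"]

# Prior belief before any indicator has been seen (constructed).
PRIOR: List[float] = [0.70, 0.20, 0.07, 0.03]

# P(next phase | current phase): an attack only advances or stays where it is,
# and Impact is absorbing (constructed values).
TRANSITION: List[List[float]] = [
    [0.60, 0.30, 0.08, 0.02],  # from Early
    [0.00, 0.60, 0.30, 0.10],  # from Middle
    [0.00, 0.00, 0.60, 0.40],  # from Late
    [0.00, 0.00, 0.00, 1.00],  # from Impact
]

# P(indicator observed | phase), one entry per phase. Indicator names are
# hypothetical categories of OT telemetry; likelihoods are constructed.
LIKELIHOOD: Dict[str, List[float]] = {
    "external_scan_of_dmz":                  [0.80, 0.30, 0.10, 0.05],
    "new_remote_login_to_hmi":               [0.20, 0.70, 0.30, 0.10],
    "engineering_workstation_config_change": [0.05, 0.30, 0.70, 0.30],
    "unexpected_plc_logic_write":            [0.01, 0.05, 0.50, 0.80],
    "process_setpoint_out_of_band":          [0.01, 0.02, 0.20, 0.90],
}


def _normalize(weights: List[float]) -> List[float]:
    """Rescale non-negative weights so they sum to 1."""
    total = sum(weights)
    if total <= 0.0:
        raise ValueError("all hypotheses have zero weight; check likelihoods")
    return [w / total for w in weights]


def predict(belief: List[float]) -> List[float]:
    """Time step: push the phase distribution through the transition matrix."""
    return [
        sum(belief[i] * TRANSITION[i][j] for i in range(len(PHASES)))
        for j in range(len(PHASES))
    ]


def update(belief: List[float], indicators: Iterable[str]) -> List[float]:
    """Measurement step: multiply in P(indicator | phase) for each observed
    indicator (treated as conditionally independent given the phase), then
    normalize. Unknown indicator names are rejected rather than silently ignored."""
    weights = list(belief)
    for name in indicators:
        if name not in LIKELIHOOD:
            raise ValueError(f"unknown indicator: {name!r}")
        weights = [w * p for w, p in zip(weights, LIKELIHOOD[name])]
    return _normalize(weights)


def forward(observations: List[List[str]]) -> List[List[float]]:
    """Run predict/update over a sequence of observation sets and return the
    posterior phase distribution after each step."""
    posteriors: List[List[float]] = []
    belief = _normalize(PRIOR)
    for step, indicators in enumerate(observations):
        if step > 0:  # the prior already describes the first step
            belief = predict(belief)
        belief = update(belief, indicators)
        posteriors.append(belief)
    return posteriors


def most_likely_phase(belief: List[float]) -> str:
    """Name of the phase with the highest posterior probability."""
    return PHASES[max(range(len(PHASES)), key=lambda i: belief[i])]


# Constructed observation sequence: one set of indicators per reporting period.
SCENARIO: List[List[str]] = [
    ["external_scan_of_dmz"],
    ["new_remote_login_to_hmi"],
    ["engineering_workstation_config_change", "unexpected_plc_logic_write"],
    ["process_setpoint_out_of_band"],
]


def run_constructed_scenario() -> List[Tuple[str, float]]:
    """Return (most likely phase, its probability) after each step of SCENARIO."""
    return [(most_likely_phase(b), max(b)) for b in forward(SCENARIO)]


if __name__ == "__main__":
    for step, (phase, prob) in enumerate(run_constructed_scenario(), start=1):
        print(f"step {step}: {phase} (p={prob:.3f})")
```

The point of the structure, rather than the constructed numbers, is that the phase estimate is a distribution that can only be moved by evidence and by the forward-only transition model, so a single ambiguous indicator shifts belief a little while a chain of phase-consistent indicators drives it toward Late and Impact. A deployment would replace the constructed likelihoods with values derived from historical incident data, which is what the page says BAM correlates.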

The CyOTE program is always looking to expand its industry partnerships in testing and enhancing its tools, methods, and approaches. If you would like to join the CyOTE network, please use the contact information on the CyOTE website and actively participate in this innovative research program. Please contact the CyOTE team through CyOTE.Program@hq.doe.gov.
