Capabilities to Identify Cyber Attack Techniques within Operational Technology (OT) Environments

Securing the nation’s energy infrastructure – like the electric power grid, renewable energy technology and oil and natural gas systems – from advanced cyber threats is essential to national security. Since most U.S. energy infrastructure is owned by the private sector, access to government intelligence about adversarial tactics and techniques is difficult to obtain. And energy companies have limited resources for assessing potential malicious activity.

The Department of Energy’s Cybersecurity, Energy Security, and Emergency Response Office partnered with Idaho National Laboratory and energy sector partners to develop the Cybersecurity for Operational Technology Environment (CyOTE) methodology to enhance energy sector threat detection of anomalous behavior potentially indicating malicious cyber activity in operational technology (OT) networks. They jointly created a cyber threat detection method for owners and operators of energy sector operational technology. CyOTE helps the energy industry independently identify adversarial techniques within their operational technology environments that could result in physical disruptions to energy flows or damage to equipment. This methodology is unique because it ties in operations information from the initial perception of a triggering event to be able to comprehend and decide faster and with higher confidence to understand the information you have, not get more data.

CyOTE Methodology and Approach

CyOTE seeks to build upon existing commercial security monitoring solutions by tying physical effects of a cyberattack to anomalies in the operational technology (OT) environment.

Key aspects of the CyOTE methodology include:

  • Aligns to the National Cyber Strategy
  • Aids energy sector asset owners and operators in combining data from sensors with local context from operations and the business to sense indicators of attack within their OT environments
  • Establishes a common lexicon for OT cybersecurity in the energy sector, aligned with MITRE’s ATT&CK® Framework for ICS
  • Improves confidence to make risk-informed business decisions between initiating incident response or fixing a reliability failure
  • Based on the fundamental concepts of perception and comprehension, applied to a universe of knowns and unknowns that are increasingly disaggregated into observables, anomalies, and triggering events.

Description of Methodology terms available when rollover with mouse.

CyOTE Detection Capabilities

This MITRE ATTACK for ICS Matrix is used to show the identified tactics and associated techniques. The areas marked with checks have Detection Capabilities Sheets developed for asset owners and operators to use. 

CyOTE Tactics and Techniques Web Page


VCU Cybersecurity Center Speaker Series

Accelerating R&D and Demonstration of Next-Gen Critical Infrastructure

Additional Resources

CyOTE Methodology Paper

How CyOTE Tools and Methodology Work Together

CyOTE Fact Sheet


CyOTE Resources and Materials

The CyOTE program is partnering with energy sector asset owners and operators to look for anomalies in your environments, identify anomalies that would trigger further investigations, correlate data sources (if available), associate additional anomalies, and determine if you are in the early stages of an attack campaign.

If you are interested in working with the CyOTE program, contact:

cyote banner

VCU Cybersecurity Center Speaker Series

Edward Rhyne, Senior Technical Advisor, U.S. Department of Energy
April 29, 2021

Accelerating R&D and Demonstration of Next-Gen Critical Infrastructure

Edward Rhyne, Senior Technical Advisor, U.S. Department of Energy

January 21, 2021

How CyOTE Tools and Methodology Work Together


Consider: What amount of visibility do you need to evaluate an anomaly with high confidence?


CyOTE Case Study Graphic

CYote CaseStudy graphic

  • B1 – Available Data – From currently deployed Cyber Defense capabilities
  • B2 – CyOTE Available Data – From a CyOTE provided tool associated to Tactics and Techniques Matrix
  • B3 – CyOTE Target Data – Currently not accessible. Targets for Analysis and Tool Development

cyote attack scenarion


  • T842: Network Sniffing
  • T812: Default Credentials
  • T867: Remote File Copy
  • T884: Connection Proxy
  • T882: Theft of Operational Information


abstract manufacturingCOMING SOON – the CyOTE program is working on these for industry use. 

nhs Methodology


DOE logoThe Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today by improving energy infrastructure security and supporting the Department of Energy’s national security mission. CESER’s focus is preparedness and response activities to natural and man-made threats, while ensuring a stronger, more prosperous, and secure future for the nation.
>> Read more on CyOTE

Participating Laboratory

INL Logo Centered Two ColorIdaho National Laboratory is a world leader in providing industrial control system (ICS) cybersecurity research and development. The laboratory’s distinctive history in protecting critical infrastructure systems puts the lab at the forefront of thought leadership and applied innovation in critical infrastructure cybersecurity testing. INL uses a comprehensive approach to developing ICS cybersecurity research to meet the energy sector’s needs identified by the DOE, utilities, and other organizations.
>> Read more on INL Cyber


DOE CyOTE Contact

CyOTE Program


Send a Message

INL Energy Sector Adviser

Virginia Wright


Send a Message

INL Media Contact

Ethan Huffman

Phone: 208-526-5015

Send a Message