Capabilities to Identify Cyber Attack Techniques within Operational Technology (OT) Environments

Securing the nation’s energy infrastructure – like the electric power grid, renewable energy technology and oil and natural gas systems – from advanced cyber threats is essential to national security. Since most U.S. energy infrastructures are privately owned, access to government intelligence about adversarial tactics and techniques is difficult to obtain and resources for assessing potential malicious activity are limited.

To address these emerging concerns, the Department of Energy’s Cybersecurity, Energy Security, and Emergency Response Office (DOE-CESER) has partnered with Idaho National Laboratory and energy companies on a research initiative called Cybersecurity for the Operational Technology Environment (CyOTE). This initiative aims to enhance the energy sector’s detection of anomalous behavior that may indicate malicious cyber activity in operational technology (OT) networks.

CyOTE has created a cyber threat detection method for energy sector companies to independently identify adversarial techniques within their OT environments that could result in physical disruptions to energy flows or damage to equipment. This methodology is unique because it ties in operations information from the initial perception of a triggering event and allows owners and operators to comprehend the information they have and make faster decisions with higher confidence.

CyOTE Methodology and Approach

CyOTE seeks to build upon existing commercial security monitoring solutions by tying physical effects of a cyberattack to anomalies in the operational technology (OT) environment.

Key aspects of the CyOTE methodology include:

  • Aligns to the National Cyber Strategy
  • Aids energy sector asset owners and operators in combining data from sensors with local context from operations and the business to sense indicators of attack within their OT environments
  • Establishes a common lexicon for OT cybersecurity in the energy sector, aligned with MITRE’s ATT&CK® Framework for ICS
  • Improves confidence to make risk-informed business decisions between initiating incident response or fixing a reliability failure
  • Based on the fundamental concepts of perception and comprehension, applied to a universe of knowns and unknowns that are increasingly disaggregated into observables, anomalies, and triggering events.


CyOTE Case Studies

These case studies support continued analysis of cyber incidents and events targeting OT environments through the application of the CyOTE Methodology.

CyOTE Technique Detection Capabilities

This MITRE ATT&CK® for ICS matrix shows the identified tactics and their associated techniques. The areas marked with checks have Technique Detection Capability Sheets developed for asset owners and operators to use.

Figure: CyOTE software attack mapping (V8)

Technique Detection Capability Sheets [PDFs]


Presentations and Media

CyOTE Methodology Application to the Oldsmar Water Facility Breach (INTERACTIVE)

Human Performance Community of Practice: CyOTE

VCU Cybersecurity Center Speaker Series

Accelerating R&D and Demonstration of Next-Gen Critical Infrastructure

Papers and Reports

CyOTE Recipes

Impact Resistance - CyOTE and CCE [PDF]

Detection Technique Prioritization Report [PDF]

How CyOTE Tools and Methodology Work Together

CyOTE Additional Resources

The CyOTE program is partnering with energy sector asset owners and operators to look for anomalies in their environments, identify anomalies that would trigger further investigation, correlate data sources (if available), associate additional anomalies, and determine whether they are in the early stages of an attack campaign.

If you are interested in working with the CyOTE program, contact:

CyOTE Methodology Application to the Oldsmar Water Facility Breach (INTERACTIVE)

Here is an interactive decision tree applying CyOTE Methodology to the Oldsmar, FL water treatment plant breach. 


Human Performance Community of Practice: CyOTE

Sam Chanowski, Idaho National Laboratory
August 26, 2021

This session covers the history of CyOTE to explain how the key insights came about, and then walks through the methodology as a way to put those insights into practice, showing how it complements other high-priority investments and activities in energy sector OT cybersecurity.

VCU Cybersecurity Center Speaker Series

Edward Rhyne, Senior Technical Advisor, U.S. Department of Energy
April 29, 2021

Accelerating R&D and Demonstration of Next-Gen Critical Infrastructure

Edward Rhyne, Senior Technical Advisor, U.S. Department of Energy
January 21, 2021

How CyOTE Tools and Methodology Work Together

Consider: What amount of visibility do you need to evaluate an anomaly with high confidence?


Figure: CyOTE case study graphic

  • B1 – Available Data – From currently deployed Cyber Defense capabilities
  • B2 – CyOTE Available Data – From a CyOTE provided tool associated to Tactics and Techniques Matrix
  • B3 – CyOTE Target Data – Currently not accessible. Targets for Analysis and Tool Development

Figure: CyOTE attack scenario


  • T842: Network Sniffing
  • T812: Default Credentials
  • T867: Remote File Copy
  • T884: Connection Proxy
  • T882: Theft of Operational Information


For More Information

DOE CyOTE Contact

CyOTE Program



INL Energy Cyber Programs

Virginia Wright



INL Media Contact

Ethan Huffman

Phone: 208-526-5015



The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today by improving energy infrastructure security and supporting the Department of Energy’s national security mission. CESER’s focus is preparedness and response activities to natural and man-made threats, while ensuring a stronger, more prosperous, and secure future for the nation.


Participating Laboratory

Idaho National Laboratory is a world leader in providing industrial control system (ICS) cybersecurity research and development. The laboratory’s distinctive history in protecting critical infrastructure systems puts the lab at the forefront of thought leadership and applied innovation in critical infrastructure cybersecurity testing. INL uses a comprehensive approach to developing ICS cybersecurity research to meet the energy sector’s needs identified by the DOE, utilities, and other organizations.