TDi was awarded a Research and Development contract by DOE to establish a solution that will prevent grid misoperation in both the Utility and Oil & Gas sectors. The objective of this project is to prevent mis-operation by protecting and securing human access to operational assets therefore preventing malicious and inadvertent operational commands leveraging the MITRE ICS ATT&CK framework.
How does this work?
By utilizing the MITRE ICS ATT&CK framework, TDi selected multiple Tactics, Techniques, and Protocols (TTP’s) to build use cases around. The main solution being addressed in this project are:
Extend and enhance ICS ATT&CK framework to include operational TTP’s which can be validated, approved, and automated preventing mis-operation
Improve Commercial industry technology (ConsoleWorks) that provides secure human access which can be captured, interrogated, and validated against operational and adversarial TTP’s defined by MITRE and users of the technology
-
Control and log human access to OT assets
-
Collect and identify current and approved settings of OT Assets
-
Identify, Alarm & Compare human changes to operational technology to prevent human mis-operation
-
Understand & Advise OT Settings as well as configuration changes which define safe operational characteristics and unsafe changes
How can you benefit?
An actor gains access to Critical Assets and issues commands as they interact with those assets, the solution will intercept and evaluate the risk of the command (or increased risk of the sequence of commands) based on the playbooks that represent the various TTP’s. This will prevent the actor from executing an operational command that could change a configuration in a way that could cause disruptive or destructive events(s) to occur which may result in grid failure, production stoppage, or physical damage to humans and/or machines.
How ConsoleWorks is breaking through barriers and is the new state of the art in Cybersecurity
Currently, the ability to Identify, Protect, Detect, Respond, and Recover, from human actions beyond the HMI or Vendor Application is not available. This approach not only considers the NIST cybersecurity impact of an adversary but enhances coverage to include operational considerations for insiders (vendors, privileged actors, and contractors). It minimizes the need for operations to become cybersecurity experts. By combining known adversarial TTPs with business operational TTPs and automation, our solution shortens the process of Observing, Evaluating, Deciding, and Acting which can prevent mis-operation with minimal human interaction.
