The active cyber defense cycle: A strategy to ensure oil and gas infrastructure cyber security

Robert M. Lee, co-founder of Dragos Security LLC, shares his insight into the challenges of cyber security in the oil and gas industry with a five-part series on implementing the active cyber defense cycle. This first part presents a general overview.


Figure 1: Example of an active cyber defense cycle. Courtesy: Robert M. Lee

Oil and gas infrastructure is a prime target for extremists and nation states to inflict economic damage as well as to project their influence. Adversaries' ability to leverage cyber capabilities to achieve this end adds complexity to an already diverse discussion on security. Regardless of the solution identified, protecting against cyber threats requires a strategy. Organizations must understand the purpose of their security strategy before it is developed and implemented. An overly broad goal of "security" or "defense" is not well suited to identifying the varying approaches needed and the unique skill sets required. The three categories that can help articulate the needs related to cyber security are architecture, passive defense, and active defense. This five-part series will focus on active defense and how to implement a specific active defense strategy in operations and technology environments.

Cyber security is more than a software patch

The latest trends and buzz terms in the security industry often over-promise quick solutions and plug-and-play security approaches. This emphasis on only the new and exciting fails to recognize that security is a process that must be customized to each organization's maturity and needs. Additionally, good security practices build on each other and fill gaps instead of attempting to entirely replace existing solutions. In this way, an active defense builds on an organization's good architecture and passive defenses.

In this context, "architecture" is defined as, "Those processes and actions that contribute to and result in a system developed and maintained with security in mind." This approach includes:

  • Using the most secure implementation of protocols and systems where feasible
  • Identifying and implementing network data flows to allow for proper monitoring of connections in and out of the network
  • Maintaining patching to the best of the organization's ability for all systems.

Proper security-minded architecture is a difficult challenge. However, investments in this area dramatically increase the effectiveness of passive and active defenses. 

Passive defense

Passive defenses are software or hardware added to the architecture that increase security without consistent and direct interaction from personnel, even if updates and tuning are required over time. Systems, such as firewalls, anti-malware software, intrusion detection and prevention systems, and application whitelisting, are passive defenses. The operations technology environment introduces many challenges toward effectively implementing passive defenses, but even simple actions, such as limiting inbound and outbound connections, requiring authentication from remote locations, and maintaining firewalls with ingress and egress filtering, will prove to be invaluable.

Active defense

When an organization has properly invested in developing and maintaining architecture and passive defenses, it is effective to leverage an active defense. An "active defense" is "the process of security personnel taking an active and involved role in identifying and countering threats to the system." The term is sometimes incorrectly associated with the idea of hacking back or counterstriking an adversary. This inappropriate use of the term has largely been due to poor translations of active defense theory in military strategies into the field of cyber security. Active defense emphasizes empowering security personnel to monitor an organization's infrastructure, identify threats, and neutralize them internal to the network before they impact operations. It is never about accessing or impacting adversary networks.

The active cyber defense cycle (ACDC) consists of four phases that work together to maintain security, contributing to the safety and reliability of operations. The four phases are:

  1. Asset identification and network security monitoring
  2. Incident response
  3. Threat and environment manipulation
  4. Threat intelligence consumption.

The ACDC concept is not complicated:

  • Understand the network topologies so they can be monitored for abnormalities and indications of compromise.
  • Upon identifying a true threat, initiate an incident response to identify the scope of the infection, contain it, and eradicate it to maintain operations.
  • In a safe environment, interact with the threat through skill sets, such as malware analysis to gather information and make recommendations for logical or physical infrastructure changes that would aid security.
  • Collect the information about the threat throughout the cycle and combine it with external information about threats or threat intelligence.

This information is fed back through the process, which helps security personnel develop over time and look at defense not as a series of single encounters with an adversary, but as a prolonged process where growth and innovation can take place. This cycle ensures that security personnel of various talents are contributing to the same strategy and are effectively working together. Ultimately, this ties into the organization's business goals.
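The first two steps of the cycle, knowing the network's topology and flows well enough to spot abnormalities and then deciding whether a finding is a true threat, can be sketched in code. The following is an added illustration, not code from the article or from Dragos; the asset inventory, the baseline of expected flows, the address range and the flow records are all constructed for this example.

```python
# Added illustration (not from the article): ACDC phase 1 in miniature; all values constructed.
import ipaddress

# Constructed asset inventory for a small control network.
ASSETS = {
    "10.10.1.10": "HMI-1",
    "10.10.1.20": "Historian",
    "10.10.2.5": "PLC-Wellhead-A",
    "10.10.2.6": "PLC-Wellhead-B",
}

# Baseline of expected (src, dst, dst_port) flows: the data flows the
# architecture step documented. Constructed values.
BASELINE = {
    ("10.10.1.10", "10.10.2.5", 502),    # HMI polls PLC over Modbus/TCP
    ("10.10.1.10", "10.10.2.6", 502),
    ("10.10.2.5", "10.10.1.20", 5432),   # PLC data to historian
}

ICS_NETWORK = ipaddress.ip_network("10.10.0.0/16")  # constructed ICS range

# Constructed flow records in the form "src dst dst_port".
SAMPLE_FLOWS = [
    "10.10.1.10 10.10.2.5 502",
    "10.10.1.10 10.10.2.6 502",
    "10.10.2.5 10.10.1.20 5432",
    "10.10.3.77 10.10.2.5 502",     # device not in the inventory talks to a PLC
    "10.10.1.20 203.0.113.9 443",   # historian reaching outside the ICS network
    "10.10.1.10 10.10.2.5 22",      # HMI to PLC on a port not in the baseline
]

def parse_flow(line):
    """Split a 'src dst dst_port' record into (src, dst, int port)."""
    src, dst, dport = line.split()
    return src, dst, int(dport)

def check_flows(lines):
    """Return (record, reason) for every flow that deviates from the baseline."""
    findings = []
    for line in lines:
        src, dst, dport = parse_flow(line)
        if (src, dst, dport) in BASELINE:
            continue  # known, expected traffic
        if src not in ASSETS and ipaddress.ip_address(src) in ICS_NETWORK:
            findings.append((line, "unknown asset inside ICS range"))
        elif ipaddress.ip_address(dst) not in ICS_NETWORK:
            findings.append((line, "flow leaving ICS network"))
        else:
            findings.append((line, "flow not in baseline"))
    return findings
```

Each finding is a candidate for the incident response step; the three reasons map to the three questions an analyst would ask first (is this device known, is data leaving the control network, is this a new path between known devices).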

Robert M. Lee is the co-founder of the critical infrastructure cyber security company Dragos Security LLC. Courtesy: Robert M. Lee

ACDC is one strategy for an active defense that has been implemented in industrial control system (ICS) environments in and out of the government with great success. There are many distinctive aspects about ICS that put security personnel in a unique position to effectively and efficiently perform this strategy.

The next four articles in this series will discuss each phase of ACDC in depth, offering high-level and technical guidance for implementing the strategy. Part 2 in June will focus on network security monitoring.

- Robert M. Lee is the co-founder of the critical infrastructure cyber security company Dragos Security LLC, which developed a passive asset discovery and visualization software tool. Lee is a PhD candidate at Kings College London researching control system cyber security. He is the course author of SANS ICS 515: Active Defense and Incident Response, the author of the book SCADA and Me, and a U.S. Air Force Cyber Warfare Operations Officer. Edited by Eric R. Eissler, editor-in-chief, Oil & Gas Engineering.
