The active cyber defense cycle: A strategy to ensure oil and gas infrastructure cyber security

Robert M. Lee, co-founder of Dragos Security LLC, shares his insight into the challenges of cyber security in the oil and gas industry with a five-part series on implementing the active cyber defense cycle. This first part presents a general overview.


Figure 1: Example of an active cyber defense cycle. Courtesy: Robert M. LeeOil and gas infrastructure is a prime target for extremists and nation states to inflict economic damage as well as to project their influence. Adversaries' ability to leverage cyber capabilities to achieve this end adds complexity to an already diverse discussion on security. Regardless of the solution identified, protecting against cyber threats requires a strategy. Organizations must understand the purpose of their security strategy before it is developed and implemented. An overly broad goal of "security" or "defense" is not well suited to identify the varying approaches needed and the unique skill sets required. The three categories that can help articulate the needs related to cyber security are architecture, passive defense, and active defense. This five-part series will focus on active defense and how to implement a specific active defense strategy in operations and technology environments.

Cyber security is more than a software patch

The latest trends and buzz terms in the security industry often over-promise quick solutions and plug-n-play type security approaches. This emphasizes only the new and exciting and fails to recognize that security is a process that must be customized to each organization's maturity and needs. Additionally, good security practices build on each other and fill gaps instead of attempting to entirely replace solutions. In this way, an active defense builds on an organization's good architecture and passive defenses.

In this context, "architecture" is defined as, "Those processes and actions that contribute to and result in a system developed and maintained with security in mind." This approach includes:

  • Using the most secure implementation of protocols and systems where feasible
  • Identifying and implementing network data flows to allow for proper monitoring of connections in and out of the network
  • Maintaining patching to the best of the organization's ability for all systems.

Proper security-minded architecture is a difficult challenge. However, investments in this area dramatically increase the effectiveness of passive and active defenses. 

Passive defense

Passive defenses are software or hardware added to the architecture that increase security without consistent and direct interaction from personnel, even if updates and tuning are required over time. Systems, such as firewalls, anti-malware software, intrusion detection and prevention systems, and application whitelisting, are passive defenses. The operations technology environment introduces many challenges toward effectively implementing passive defenses, but even simple actions, such as limiting inbound and outbound connections, requiring authentication from remote locations, and maintaining firewalls with ingress and egress filtering, will prove to be invaluable.

Active defense

When an organization has properly invested in developing and maintaining architecture and passive defenses, it is effective to leverage an active defense. An "active defense" is "the process of security personnel taking an active and involved role in identifying and countering threats to the system." The term is sometimes incorrectly associated with the idea of hacking back or counterstriking an adversary. This inappropriate use of the term has largely been due to poor translations of active defense theory in military strategies into the field of cyber security. Active defense emphasizes empowering security personnel to monitor an organization's infrastructure, identify threats, and neutralize them internal to the network before they impact operations. It is never about accessing or impacting adversary networks.

The active cyber defense cycle (ACDC) consists of four phases that work together to maintain security, contributing to the safety and reliability of operations. The four phases are:

  1. Asset identification and network security monitoring
  2. Incident response
  3. Threat and environment manipulation
  4. Threat intelligence consumption.

The ACDC concept is not complicated:

  • Understand the network topologies so they can be monitored for abnormalities and indications of compromise.
  • Upon identifying a true threat, initiate an incident response to identify the scope of the infection, contain it, and eradicate it to maintain operations.
  • In a safe environment, interact with the threat through skill sets, such as malware analysis to gather information and make recommendations for logical or physical infrastructure changes that would aid security.
  • Collect the information about the threat throughout the cycle and combine it with external information about threats or threat intelligence.

This information is fed back through the process, which helps security personnel develop over time and look at defense not as a series of single encounters with an adversary, but as a prolonged process where growth and innovation can take place. This cycle ensures that security personnel of various talents are contributing to the same strategy and are effectively working together. Ultimately, this ties into the organization's business goals.

Robert M. Lee is the co-founder of the critical infrastructure cyber security company Dragos Security LLC. Courtesy: Robert M. LeeACDC is one strategy for an active defense that has been implemented in industrial control system (ICS) environments in and out of the government with great success. There are many distinctive aspects about ICS that put security personnel in a unique position to effectively and efficiently perform this strategy.

The next four articles in this series will discuss each phase of ACDC in depth, offering high-level and technical guidance for implementing the strategy. Part 2 in June will focus on network security monitoring 

- Robert M. Lee is the co-founder of the critical infrastructure cyber security company Dragos Security LLC, which developed a passive asset discovery and visualization software tool. Lee is a PhD candidate at Kings College London researching control system cyber security. He is the course author of SANS ICS 515: Active Defense and Incident Response, the author of the book SCADA and Me, and a U.S. Air Force Cyber Warfare Operations Officer. Edited by Eric R. Eissler, editor-in-chief, Oil & Gas Engineering, 

For more information on this subject, go online:

One strategy for achieving an active defense is the active cyber defense cycle:

EUGENIO , Non-US/Not Applicable, Mexico, 03/04/15 11:41 PM:

I am very interested with the subject and i will be ready to learn more. my company it's not prepare with this kind of real problems.
Anonymous , 03/14/15 12:46 PM:

It`s very interesting,
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2015 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
Safer human-robot collaboration; 2017 Maintenance Survey; Digital Training; Converting your lighting system
IIoT grows up; Six ways to lower IIoT costs; Six mobile safety strategies; 2017 Salary Survey
2016 Top Plant; 2016 Best Practices on manufacturing progress, efficiency, safety
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Big Data and bigger solutions; Tablet technologies; SCADA developments
Automation modernization; Predictive analytics enable open connectivity; System integration success; Automation turns home brewer into brew house
Commissioning electrical systems; Designing emergency and standby generator systems; Paralleling switchgear generator systems
Natural gas for tomorrow's fleets; Colleges and universities moving to CHP; Power and steam and frozen foods

Annual Salary Survey

Before the calendar turned, 2016 already had the makings of a pivotal year for manufacturing, and for the world.

There were the big events for the year, including the United States as Partner Country at Hannover Messe in April and the 2016 International Manufacturing Technology Show in Chicago in September. There's also the matter of the U.S. presidential elections in November, which promise to shape policy in manufacturing for years to come.

But the year started with global economic turmoil, as a slowdown in Chinese manufacturing triggered a worldwide stock hiccup that sent values plummeting. The continued plunge in world oil prices has resulted in a slowdown in exploration and, by extension, the manufacture of exploration equipment.

Read more: 2015 Salary Survey

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.
Motion control advances and solutions can help with machine control, automated control on assembly lines, integration of robotics and automation, and machine safety.
Compressed air plays a vital role in most manufacturing plants, and availability of compressed air is crucial to a wide variety of operations.
Maintenance Manager; California Oils Corp.
Associate, Electrical Engineering; Wood Harbinger
Control Systems Engineer; Robert Bosch Corp.
click me