The active cyber defense cycle: A strategy to ensure oil and gas infrastructure cyber security

Robert M. Lee, co-founder of Dragos Security LLC, shares his insight into the challenges of cyber security in the oil and gas industry with a five-part series on implementing the active cyber defense cycle. This first part presents a general overview.

By Robert M. Lee February 25, 2015

Oil and gas infrastructure is a prime target for extremists and nation states seeking to inflict economic damage or project their influence. Adversaries’ ability to use cyber capabilities to achieve these ends adds complexity to an already diverse discussion of security. Regardless of the solution chosen, protecting against cyber threats requires a strategy, and organizations must understand the purpose of their security strategy before it is developed and implemented. An overly broad goal of "security" or "defense" is not well suited to identifying the varying approaches needed and the distinct skill sets each requires. Three categories help articulate an organization’s cyber security needs: architecture, passive defense, and active defense. This five-part series focuses on active defense and on how to implement a specific active defense strategy in operations and technology environments.

Cyber security is more than a software patch

The latest trends and buzz terms in the security industry often over-promise quick solutions and plug-and-play security approaches. This emphasis on only the new and exciting fails to recognize that security is a process that must be tailored to each organization’s maturity and needs. Good security practices also build on each other and fill gaps rather than attempting to entirely replace existing solutions. In this way, an active defense builds on an organization’s sound architecture and passive defenses.

In this context, "architecture" is defined as, "Those processes and actions that contribute to and result in a system developed and maintained with security in mind." This approach includes:

  • Using the most secure implementation of protocols and systems where feasible
  • Identifying and implementing network data flows to allow for proper monitoring of connections in and out of the network
  • Maintaining patching to the best of the organization’s ability for all systems.

Proper security-minded architecture is a difficult challenge. However, investments in this area dramatically increase the effectiveness of passive and active defenses. 

Passive defense

Passive defenses are software or hardware added to the architecture that increase security without consistent and direct interaction from personnel, even if updates and tuning are required over time. Systems, such as firewalls, anti-malware software, intrusion detection and prevention systems, and application whitelisting, are passive defenses. The operations technology environment introduces many challenges toward effectively implementing passive defenses, but even simple actions, such as limiting inbound and outbound connections, requiring authentication from remote locations, and maintaining firewalls with ingress and egress filtering, will prove to be invaluable.

Active defense

Once an organization has properly invested in developing and maintaining its architecture and passive defenses, an active defense becomes effective. An "active defense" is "the process of security personnel taking an active and involved role in identifying and countering threats to the system." The term is sometimes incorrectly associated with hacking back or counterstriking an adversary. This misuse of the term stems largely from poor translations of active defense theory in military strategy into the field of cyber security. Active defense is about empowering security personnel to monitor an organization’s infrastructure, identify threats, and neutralize them inside the organization’s own network before they impact operations. It is never about accessing or impacting adversary networks.

The active cyber defense cycle (ACDC) consists of four phases that work together to maintain security, contributing to the safety and reliability of operations. The four phases are:

  1. Asset identification and network security monitoring
  2. Incident response
  3. Threat and environment manipulation
  4. Threat intelligence consumption.

The ACDC concept is not complicated:

  • Understand the network topologies so they can be monitored for abnormalities and indications of compromise.
  • Upon identifying a true threat, initiate an incident response to identify the scope of the infection, contain it, and eradicate it to maintain operations.
  • In a safe environment, interact with the threat through skill sets, such as malware analysis to gather information and make recommendations for logical or physical infrastructure changes that would aid security.
  • Collect the information about the threat throughout the cycle and combine it with external information about threats or threat intelligence.
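The first ACDC phase, asset identification and network security monitoring, depends on the data-flow knowledge called for under architecture and on the ingress/egress filtering described under passive defense. The following Python example, added here to illustrate those three points together and not code from the article or from Dragos, shows what that looks like in practice: a passive asset inventory built from connection records, a check of which observed hosts are missing from the documented inventory, and a data-flow policy check that flags connections crossing the control-network boundary. The flow records, addresses, host names, network ranges and the single permitted egress service are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of connection records (initiator, responder, responder
# port, transport) as a tap at the control-network boundary might report them.
# Addresses, names and the policy below are assumptions for this example.
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.20.1.50", 502, "tcp"),     # HMI-1 -> PLC-1, Modbus/TCP
    ("10.20.1.10", "10.20.1.51", 502, "tcp"),     # HMI-1 -> PLC-2, Modbus/TCP
    ("10.20.1.11", "10.20.1.50", 44818, "tcp"),   # EWS-1 -> PLC-1, EtherNet/IP
    ("10.20.1.10", "10.20.0.5", 4000, "tcp"),     # HMI-1 -> historian in DMZ (permitted)
    ("10.20.1.77", "10.20.1.50", 502, "tcp"),     # host not in inventory polling PLC-1
    ("10.20.1.11", "203.0.113.9", 443, "tcp"),    # EWS-1 -> Internet: egress violation
    ("198.51.100.4", "10.20.1.10", 3389, "tcp"),  # inbound RDP from outside: ingress violation
]

CONTROL_NET = ip_network("10.20.1.0/24")   # process control network (assumed)
DMZ_NET = ip_network("10.20.0.0/24")       # historian / jump-host DMZ (assumed)

# Asset inventory as the site documents it (hypothetical).
KNOWN_ASSETS = {
    "10.20.1.10": "HMI-1",
    "10.20.1.11": "EWS-1",
    "10.20.1.50": "PLC-1",
    "10.20.1.51": "PLC-2",
}

# The only service control-network hosts may initiate towards the DMZ
# (historian collector; the port number is an assumption).
PERMITTED_EGRESS = {(4000, "tcp")}


def classify_flow(src, dst, port, proto):
    """Apply the documented data-flow policy to one connection record.

    Control hosts may talk among themselves, may reach the DMZ only on
    permitted services, and nothing else may cross the control-network
    boundary in either direction.
    """
    s, d = ip_address(src), ip_address(dst)
    src_ctl, dst_ctl = s in CONTROL_NET, d in CONTROL_NET
    src_dmz, dst_dmz = s in DMZ_NET, d in DMZ_NET
    if src_ctl and dst_ctl:
        return "ok"
    if src_ctl and dst_dmz:
        if (port, proto) in PERMITTED_EGRESS:
            return "ok"
        return "egress: control->DMZ on unexpected service"
    if src_dmz and dst_ctl:
        return "ingress: DMZ initiated connection into control network"
    if src_ctl:
        return "egress: control->outside"
    if dst_ctl:
        return "ingress: outside->control"
    return "out of scope"


def discover_assets(flows):
    """Passive inventory: every control-network address seen, mapped to the
    (port, transport) services it was observed responding on. Pure clients
    get an empty set. Note that an inbound probe (the RDP record above) also
    shows up here, which is exactly why the inventory must be reviewed."""
    assets = defaultdict(set)
    for src, dst, port, proto in flows:
        if ip_address(src) in CONTROL_NET:
            assets.setdefault(src, set())
        if ip_address(dst) in CONTROL_NET:
            assets[dst].add((port, proto))
    return dict(assets)


def unknown_assets(flows, known=KNOWN_ASSETS):
    """Control-network addresses observed on the wire that the documented
    inventory does not list."""
    return sorted(ip for ip in discover_assets(flows) if ip not in known)


def policy_violations(flows):
    """Connection records that break the documented data-flow policy."""
    violations = []
    for flow in flows:
        verdict = classify_flow(*flow)
        if verdict != "ok":
            violations.append((flow, verdict))
    return violations


if __name__ == "__main__":
    for ip, services in sorted(discover_assets(SAMPLE_FLOWS).items()):
        print(KNOWN_ASSETS.get(ip, "UNKNOWN"), ip, sorted(services))
    print("unknown assets:", unknown_assets(SAMPLE_FLOWS))
    for flow, verdict in policy_violations(SAMPLE_FLOWS):
        print(verdict, flow)
```

Run against the constructed records, the inventory lists 10.20.1.77 as an address the site never documented, and the policy check flags the two boundary-crossing connections while passing the permitted historian flow. The point of keeping the policy as data (`CONTROL_NET`, `DMZ_NET`, `PERMITTED_EGRESS`) is that it is the same knowledge the firewall rules encode; when monitoring and filtering disagree, one of them is wrong and that is worth an incident response look.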

This information is fed back through the process, which helps security personnel develop over time and look at defense not as a series of single encounters with an adversary, but as a prolonged process where growth and innovation can take place. This cycle ensures that security personnel of various talents are contributing to the same strategy and are effectively working together. Ultimately, this ties into the organization’s business goals.

ACDC is one strategy for an active defense that has been implemented in industrial control system (ICS) environments in and out of the government with great success. There are many distinctive aspects about ICS that put security personnel in a unique position to effectively and efficiently perform this strategy.

The next four articles in this series will discuss each phase of ACDC in depth, offering high-level and technical guidance for implementing the strategy. Part 2, in June, will focus on network security monitoring.

– Robert M. Lee is the co-founder of the critical infrastructure cyber security company Dragos Security LLC, which developed a passive asset discovery and visualization software tool. Lee is a PhD candidate at King's College London researching control system cyber security. He is the course author of SANS ICS 515: Active Defense and Incident Response, the author of the book SCADA and Me, and a U.S. Air Force Cyber Warfare Operations Officer. Edited by Eric R. Eissler, editor-in-chief, Oil & Gas Engineering.


Original content can be found at Oil and Gas Engineering.