MITRE and CISA Release OT Attack Emulation Tool

Cyber Security Threat Summary:
A new open source tool designed to emulate cyber-attacks against operational technology (OT) has been released by MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA). The MITRE Calder for OT is now publicly available as an extension to the open-source Caldera platform on GitHub. This will enable cyber professionals working with industrial control systems (ICS) to run automated adversary emulation exercises, with the purpose of consistently testing and boosting their cyber defenses. This also encompasses security assessments and red, blue and purple-teaming exercises” (Info Security Magazine, 2023).

The Caldera extension for OT was developed by MITRE in partnership with the Homeland Security Systems Engineering and Development Institute (HSSEDI). The goal of the project is to harden the security of critical infrastructure that is reliant on operational technology.

Commenting on the announcement, Eric Goldstein, executive assistant director for cybersecurity at CISA, said: “Continued cyber threats to OT systems require a concerted focus on supporting the critical infrastructure community with actionable tools and resources.

Security Officer Comments:
MITRE Caldera is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response. It is built on the MITRE ATT&CK framework and is an active research project at MITRE.

These plugins are supported and maintained by the Caldera team:

  • Access (red team initial access tools and techniques)
  • Atomic (Atomic Red Team project TTPs)
  • Builder (dynamically compile payloads)
  • Caldera for OT (ICS/OT capabilities for Caldera)
  • Compass (ATT&CK visualizations)
  • Debrief (operations insights)
  • Emu (CTID emulation plans)
  • Fieldmanual (documentation)
  • GameBoard (visualize joint red and blue operations)
  • Human (create simulated noise on an endpoint)
  • Manx (shell functionality and reverse shell payloads)
  • Response (incident response)
  • Sandcat (default agent)
  • SSL (enable https for caldera)
  • Stockpile (technique and profile storehouse)
  • Training (certification and training course)
The OT extension was built upon work from CISA and HSSEDI to automate adversary emulation simulations in CISA’s Control Environment Laboratory Resource (CELR). This enabled the identification of adversary techniques that could be built in Caldera.

The Caldera for OT plugins enable adversary emulation in the OT environment. The Caldera for OT plugins unify and expose open-source OT protocol libraries in the form of protocol specific plugins:
  • bacnet - for the Building Automation and Control Networks (BACnet) protocol
  • dnp3 - for the Distributed Network Protocol 3 (DNP3)
  • modbus - for the Modbus protocol
Suggested Correction(s):
These requirements are for the computer running the core framework: Any Linux or MacOS Python 3.8+ (with Pip3) Recommended hardware to run on is 8GB+ RAM and 2+ CPUs Recommended: GoLang 1.17+ to dynamically compile GoLang-based agents.