Last week at DistribuTECH 2019, I had the opportunity to participate in a panel discussion on How AI and Machine-to-Machine Learning Are Enabling Cybersecurity Threat Intelligence. I was joined by fellow members of the California Energy Systems for the 21st Century (CES-21) program. Over the past 4 years, my team at New Context has been collaborating with technical experts from California’s three largest investor-owned electric utilities — Pacific Gas and Electric, Southern California Edison and San Diego Gas and Electric — and from the Idaho National Laboratory and Lawrence Livermore National Laboratory.

The CES-21 program focused on establishing and demonstrating concepts on machine-to-machine automated threat response for control systems.

For my portion of the panel, I provided an overview of New Context’s accomplishments, which focused on 2 areas:

  1. The creation of a standardized machine-readable language, using common data structures and communications, for expressing indicators and remediations. For the CES-21 project, we selected Structured Threat Information Expression (STIX).
  2. The creation of a software appliance capable of ingesting observables and indicators and taking automated remediation actions on control systems networks.
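To make the two areas concrete, here is a small added example (not New Context's or the CES-21 project's code) of what a machine-readable indicator-plus-remediation looks like in core STIX 2.1 and how an ingesting appliance could match an observation against it and look up the linked course of action. The CES-21 control-system extensions to STIX are not reproduced; only standard indicator, course-of-action and relationship objects are used. The bundle, its identifiers, the observation records and the addresses (from the RFC 5737 documentation range) are all constructed, and the pattern matcher handles only the AND-of-equalities subset of the STIX pattern language.

```python
"""Minimal STIX 2.1 indicator -> course-of-action lookup (added example).

Not CES-21 / New Context code. Only core STIX 2.1 object types are used;
all identifiers, addresses and observations below are constructed.
"""
import json
import re

# Constructed STIX 2.1 bundle: one indicator, one remediation, one relationship
# that says the course of action "mitigates" the indicator (valid per STIX 2.1).
BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2019-02-01T00:00:00.000Z",
            "modified": "2019-02-01T00:00:00.000Z",
            "name": "Modbus/TCP session from a host outside the engineering allowlist",
            "pattern": "[network-traffic:dst_port = 502 AND ipv4-addr:value = '203.0.113.45']",
            "pattern_type": "stix",
            "valid_from": "2019-02-01T00:00:00Z",
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--00000000-0000-4000-8000-000000000003",
            "created": "2019-02-01T00:00:00.000Z",
            "modified": "2019-02-01T00:00:00.000Z",
            "name": "Block source address at the substation firewall and alert the operator",
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--00000000-0000-4000-8000-000000000004",
            "created": "2019-02-01T00:00:00.000Z",
            "modified": "2019-02-01T00:00:00.000Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--00000000-0000-4000-8000-000000000003",
            "target_ref": "indicator--00000000-0000-4000-8000-000000000002",
        },
    ],
})

# Subset of STIX pattern syntax handled here: "[a:b = v AND c:d = 'v']".
# OR, NOT, FOLLOWEDBY, WITHIN and other operators are not supported.
_CLAUSE = re.compile(r"([\w-]+:[\w.]+)\s*=\s*(?:'([^']*)'|(\d+))")


def parse_pattern(pattern):
    """Return the (object path, value) pairs of an AND-only STIX pattern."""
    clauses = []
    for m in _CLAUSE.finditer(pattern):
        value = m.group(2) if m.group(2) is not None else int(m.group(3))
        clauses.append((m.group(1), value))
    return clauses


def load_bundle(text):
    """Index a STIX bundle's objects by id."""
    return {o["id"]: o for o in json.loads(text)["objects"]}


def matching_indicators(objs, observation):
    """Ids of indicators whose every clause equals a field of the observation.

    The observation is a flat dict of 'object-type:property' -> value, which is a
    simplification of how a sensor would emit STIX cyber-observable objects.
    """
    hits = []
    for o in objs.values():
        if o["type"] != "indicator" or o.get("pattern_type") != "stix":
            continue
        clauses = parse_pattern(o["pattern"])
        if clauses and all(observation.get(p) == v for p, v in clauses):
            hits.append(o["id"])
    return hits


def remediations_for(objs, indicator_id):
    """Names of course-of-action objects linked to the indicator by 'mitigates'."""
    return [
        objs[r["source_ref"]]["name"]
        for r in objs.values()
        if r["type"] == "relationship"
        and r["relationship_type"] == "mitigates"
        and r["target_ref"] == indicator_id
        and objs.get(r["source_ref"], {}).get("type") == "course-of-action"
    ]


def plan_response(bundle_text, observation):
    """Return the remediation names that apply to one observation.

    The plan is returned rather than executed: on a control network the actual
    action must go through whatever safety review the operator requires.
    """
    objs = load_bundle(bundle_text)
    actions = []
    for ind in matching_indicators(objs, observation):
        actions.extend(remediations_for(objs, ind))
    return actions


# Constructed observations, flattened the way a sensor feed might emit them.
OBS_SUSPECT = {"network-traffic:dst_port": 502, "ipv4-addr:value": "203.0.113.45"}
OBS_ALLOWED = {"network-traffic:dst_port": 502, "ipv4-addr:value": "192.0.2.10"}

if __name__ == "__main__":
    print(plan_response(BUNDLE_JSON, OBS_SUSPECT))  # one remediation name
    print(plan_response(BUNDLE_JSON, OBS_ALLOWED))  # []
```

The point of the shape is that the remediation travels with the indicator in the same bundle, linked by a standard relationship, so a consuming appliance needs no out-of-band mapping from "what was seen" to "what to do"; the matcher deliberately stops at producing a plan, since executing actions on a control network is the part that carries safety risk.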

Demonstrating machine-to-machine automated threat identification and response is difficult enough on an enterprise IT network. The complexities and risks of performing full automation on OT control systems networks are greater still. Much of what goes on in these networks is specialized and carries the safety risk of potential harm to persons.

A number of the challenges we were able to overcome included:

  1. Many threat formats are too simplistic for control systems
  2. Actionable remediation tasks are rarely provided
  3. There are many different formats for threat information
  4. Providing enough context that indicators and remediations apply across a wide array of networks and systems

In January of 2015, as part of CES-21, New Context performed a review of existing machine-readable threat feed frameworks to ascertain whether they could be used or adapted for control system networks. The results of our study identified STIX as the cyber threat intelligence framework best suited to adaptation for the CES-21 program.

Over the past 4 years, New Context has been able to identify and complete over 12 automated threat identification and response use cases for control systems. Our development process has included development and testing on a small substation network, collaboration with national laboratories to test the technology on different utility equipment, and testing at grid scale using simulation. With the use cases completed, we have been able to take our extensions to STIX to the Cyber Threat Information Technical Committee, where they are being incorporated into the STIX standard.

A few example use cases included:

  1. Buffer Overflow attacks
  2. Infrastructure expression
  3. Malicious configuration changes
  4. Man-in-the-middle (MITM) attacks

Development of an industry-wide standards framework for Cyber Threat Intelligence (CTI) is crucial if the information security industry is to define and share threats. By using a machine-readable format, cybersecurity analysts will be able to collaborate more quickly to detect and address threats in an interoperable way. New Context is a proud sponsor of OASIS and believes strongly in open and transparent standards frameworks.

Contact us for more information at