Recently, MITRE and the Cybersecurity and Infrastructure Security Agency (CISA) released the open-sourced extension of MITRE’s Caldera platform, specifically for operational technology. It is meant to be used by security teams to run automated adversary emulation exercises that are specifically focused on threats to operational technology. Federal Drive with Tom Temin got the chance to speak with two of the people who helped build it: Alex Reniers, Chief of the Industrial Control Systems section within CISA’s Cybersecurity Division, and John Wunder, the Department Manager of CTI and Adversary Emulation for the MITRE Corporation.
John Wunder: MITRE has been working for a few years on something called Caldera. Caldera is our open source adversary emulation platform. Adversary emulation is basically a practice of emulating or pretending to be adversaries on a system or network in order to kind of evaluate our defenses against that. So if we can pretend to be an adversary, we can say, OK, well, I used the techniques and behaviors that these adversaries really use, and here’s how my defenses did. And then that can help us as defenders kind of better understand how we can improve those defenses, and kind of train against them and develop new capabilities for defenses and things like that. And kind of traditionally, Caldera has been more of an enterprise system. We use it on our enterprise systems and networks and things like that. But through this partnership with CISA, through our Homeland Security Systems Engineering and Development Institute, we’ve developed these new capabilities on top of Caldera called Caldera for OT, or Caldera for operational technology, that kind of extend those Caldera capabilities to also include emulation of attacks on operational technology networks and industrial control systems.
Eric White: All right. And so, Alex, obviously critical infrastructure, the protection of their IT systems, has been at the forefront of a lot of what CISA has been trying to push forth. What role did the agency play in creating this and how will you be promoting it? I guess, will you be encouraging folks to use this tool?
Alex Reniers: Yeah, absolutely. So obviously we’ve supported it in kind of two facets, one of which is we’ve funded part of it. Obviously, there are other participants, other stakeholders involved and other partners. It’s been quiet and so it funded Caldera. But as far as the OT plug-ins, the other way we’ve supported it is using our Controlled Environment Laboratory Resource, or CELR. CELR is essentially, we take control systems environments, we shrink them down to the size of a ping pong table, but we try to emulate the processes as much as possible. So we’ll have physical hardware there, physical software components that you would see in a control systems environment, to include the protocols that they use as well. And so what we’ve done is, one of our flagship servers operates within CELR. We do what’s called simulated engagements: we’ll bring in defenders. We’ll have our live red team, which is our MITRE study team as well. They’ll execute a number of actions in the environment that our blue team, from the IT side all the way through the OT side, our blue team participants, the defenders, then track and identify and report that behavior to what we refer to as the white cell of the owner-operator, which is us. And so in that process, in developing the scenarios and conducting a number of simulated engagements, MITRE has said it’s got a good taste of what works in those departments, and also to expand and improve upon those plug-ins for the Caldera OT tool.
Eric White: And John, in order to emulate an attack on OT, what changes did you have to make to the original Caldera system? You can be as specific as you like, but in layman’s terms if you can.
John Wunder: So really we were building on top of Caldera, so we were adding these new capabilities, and specifically what we’re doing is developing, I would say, protocol emulation. So on industrial control systems or operational technology, these systems are talking to each other using protocols. So they’re sending data back and forth between each other. And so basically what we’ve done is added these plug-ins to Caldera that let us speak that language, some of those specific protocols, things like BACnet or DNP3 or Modbus, and basically by giving Caldera the ability to speak these languages, we can then say, OK, well now we can interact with these systems in a way that Caldera couldn’t before.
Eric White: OK. And so who is this for? What specific kinds of critical infrastructure, water treatment plants, things of that nature that we think of? Or is this more for folks that may not even be on the actual site of what you’re trying to protect?
Alex Reniers: Yeah. So by open source, we’re obviously trying to reach as broad an audience as possible. And I think obviously our main target, especially as CISA, who we want to help the most, is our owners and operators, hopefully their security teams, to adopt and use this within a safe practice. We’re certainly not encouraging you to practice this in a live production environment. Perhaps you have a localized test range or something that you could use to do this and improve your defenses. That’s obviously one of our primary targets. Also, we’ve used it internally for our own team as well. So we have hunt teams, we have DoD CPT teams, Coast Guard teams that have come through CELR. We’ve used Caldera for that to help them practice their response efforts and their threat detection efforts in an OT environment. So it’s really a wide, broad audience of folks that we’re trying to reach, both internally and externally to CISA.
Eric White: And how important is being able to actually emulate these attacks with guarding modern critical infrastructure? Alex, if you can just describe how helpful they can be: rather than just kind of putting up walls, you’re actually showing where those walls’ weaknesses are.
Alex Reniers: Yeah, I think it’s absolutely critical, especially in the sense that you have the desire to fight back in the control systems environment that you, as the adversary, are trying to enact. There’s a lot of sophistication behind that. And I think more and more, unfortunately, for coordination states, not more protesters, but key nation states that we’re very keen on, are putting more and more resources into improving their capabilities to do this, as the barrier to entry to do so gets lower, so the number of folks that are willing or wanting to do this grows. So whether it be a nation state actor or a cybercriminal actor doing ransomware, I think the impetus is on the defenders to really step up their game. But I think that’s where CISA and our partnership with MITRE and various other [Federally Funded R&D Centers (FFRDC)], that’s really what we’re trying to do, is help out the defenders as much as possible.
Eric White: And John, how do you make sure that these attacks that you’re emulating are up to date themselves? Alex just laid out how the bad actors are always looking for new ways to infiltrate. How do you make sure that these attacks are genuine?
John Wunder: So one of the things we do is really stay oriented on the adversary. And we look at reporting called cyber threat intelligence about what adversaries are doing. That includes both on the enterprise side, how are they attacking IT systems and networks, and even really on the OT side; there are thankfully fewer attacks on OT that we see reported publicly. But there are none, and we can kind of look at what those attacks look like. And then that’s how we emulate our attacks, basically by repeating that. And we do a little bit also of kind of pivoting from that and saying, if adversaries are typically doing this, they’re probably or likely to also do that. And then therefore, we can kind of emulate that as well.
Alex Reniers: I think that’s also the added benefit of keeping it as an open source project, as you now have other people partnering on it with you and their exchange of information. MITRE has just been wonderful as far as engaging those folks, those repositories, to get approaches, etc. So having it open source gives us that advantage of people contributing to expand the project.
John Wunder: Yeah. And to Alex’s point, we partnered with CISA initially on some of these capabilities, we’re partnering with others, and we have some internal research as well, just to kind of keep this moving across the whole community.
Eric White: And I thank you, gentlemen, for providing a good segue to my next question, which is: what are you hearing from the actual users of this tool? Are they satisfied, or are they saying, hey, it could have some more teeth?
Alex Reniers: It obviously depends. I think, and I’m going to speak squarely for what we use it for in CELR, there’s probably other things I think John can speak to. I’ll speak squarely to how we’ve been using it in our CELR environment. All the participants that we’ve had come through, which I think is about 15, 15 roughly at this point, so far, 22 to now, overwhelmingly positive. I think when you have your very well advanced, well structured teams, obviously they want a little bit more. But the ability to have this environment, an OT test range, an operational technology test range, that has this ability to plug in, connect to controllers in a safe space, is incredibly rare. So being able to have this tool, Caldera OT, and also the CELR test range, provides our participants a very unique opportunity to experience essentially what you’d call live fire in a safe environment. We’ve had utility owner-operators come through, we’ve had a few utilities come through, like I said, DoD teams, our Coast Guard teams, our internal folks, and overwhelmingly positive. Obviously there’s always other areas to improve upon, but overwhelmingly pretty positive.
John Wunder: I would say one of the biggest expansions we’re looking at is just, what is the set of protocols, and therefore what is the set of target infrastructure that this can operate on. We’ve kind of kicked this off with three, but obviously, or maybe not obviously, different sectors have very different types of infrastructure and controllers and things like that. And the capability to operate on an electric grid is going to be very, very different than to operate on water treatment or chemical manufacturing or something like that. And so all of those things require different capabilities in Caldera for OT, just because those environments are so different and they use different protocols and different controllers and things like that.
Eric White: Alex, I’m an OT operator who’s listening to this interview and is trying to see if the tool can work for me. How do I get in touch with you guys?