MITRE, CISA publish open-source MITRE Caldera for OT plugins, supporting common industrial protocols

MITRE, a not-for-profit organization, has released Caldera for OT, a collection of plugins developed by the MITRE Caldera team, which are designed to provide support for widely used industrial protocols. These initial Caldera for OT (operational technology) extensions were developed in partnership with the Homeland Security Systems Engineering and Development Institute (HSSEDI), a federally funded research and development center that is managed and operated by MITRE for the U.S. Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) to increase the resiliency of critical infrastructure.

The announcement stems from work that emerged from CISA and HSSEDI’s collaboration to automate adversary emulation simulations in CISA’s Control Environment Laboratory Resource (CELR), a simulated environment for research on operational technology. CISA and HSSEDI identified adversary techniques to emulate and built them into Caldera. These techniques and abilities form the foundation of the Caldera for OT extensions. To date, CISA has used Caldera to help its government and industry partners learn how best to address threats to their OT systems.

Adversary emulation has long helped defenders of information systems exercise and improve their cyber defenses by using real adversary techniques. As an open-source, scalable adversary emulation platform with MITRE ATT&CK as its backbone, Caldera helps cyber defenders save time, money, and energy by automating adversary emulation operations, security assessments, and red-, blue-, and purple-teaming. 

With the release, defenders of industrial control systems (ICS) now have the same benefit. Caldera for OT also enables Factory and Security Acceptance Testing (FAT/SAT), where a reliable and consistent testing process is critical to ensure an accurate and repeatable assessment. 

“Protecting our nation’s critical infrastructure is essential. With Caldera for OT, we are pleased to partner with CISA to help defenders of operational technology exercise and improve the defenses of these critical systems,” Yosry Barsoum, vice president and director, Center for Securing the Homeland at MITRE, said in a media statement.

“Continued cyber threats to OT systems require a concerted focus on supporting the critical infrastructure community with actionable tools and resources,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said. “Through our ongoing collaboration with HSSEDI, we are leveraging our collective expertise and resources to develop innovative measures that safeguard critical systems. Caldera for OT, as well as CELR, can help critical infrastructure owners and operators protect their systems against emerging threats.”

Providing more detail on the announcement, Blaine Jeffries and Misha Belisle wrote in a MITRE Caldera Medium post on Tuesday that the new Caldera plugins now enable practitioners to emulate adversary behavior across both enterprise (IT) and industrial (OT) networks. “In fact, Caldera for OT introduces 29 distinct OT abilities to the hundreds of existing enterprise-focused abilities already included with Caldera. We extend our thanks and recognize the developers of the libraries Caldera for OT is dependent on,” they added.

They added that the initial release includes support for the BACnet, Modbus, and DNP3 protocols, which would not have been possible without the BACnet-stack, pymodbus, and openDNP3 projects.
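A defender running Caldera for OT's Modbus abilities against a test network wants to confirm that the monitoring stack actually sees the emulated activity. The following is an added example, not code from Caldera or from the pymodbus project: a small stdlib-only Modbus/TCP request parser that classifies each request by function code and raises an alert when a write request comes from a host outside an allowlist of engineering workstations, or when a frame is malformed. The MBAP header layout and the standard function codes (1 to 4 reads, 5/6/15/16 writes) are the real Modbus definitions; the sample frames, the source addresses, and the allowlist are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Standard Modbus public function codes (defined by the Modbus application protocol spec).
READ_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int  # -1 when the PDU carries no address field
    payload: bytes      # PDU bytes after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request frame: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts the unit id plus the whole PDU.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame) - 6}")
    function_code = frame[7]
    pdu = frame[8:]
    # Every read/write request above starts its data with a 16-bit address.
    start = struct.unpack(">H", pdu[:2])[0] if len(pdu) >= 2 else -1
    return ModbusRequest(tid, uid, function_code, start, pdu)


def classify(req: ModbusRequest) -> str:
    if req.function_code in WRITE_FUNCTIONS:
        return "write"
    if req.function_code in READ_FUNCTIONS:
        return "read"
    return "other"


def analyze(frames, allowed_writers):
    """Turn (src_ip, frame) pairs into events; alert on unexpected writes and bad frames."""
    events = []
    for src, frame in frames:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            events.append({"src": src, "kind": "malformed", "alert": True, "detail": str(exc)})
            continue
        kind = classify(req)
        name = WRITE_FUNCTIONS.get(req.function_code) or READ_FUNCTIONS.get(req.function_code) \
            or f"function {req.function_code}"
        alert = kind == "write" and src not in allowed_writers
        detail = f"{name} unit={req.unit_id} addr={req.start_address}"
        if alert:
            detail = "write from non-allowlisted host: " + detail
        events.append({"src": src, "kind": kind, "alert": alert, "detail": detail})
    return events


# Constructed sample traffic (hypothetical hosts); 10.0.0.5 plays the engineering workstation.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_FRAMES = [
    # Read Holding Registers, start 0, quantity 10
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),
    # Write Single Coil, coil 19 = ON, from the allowlisted workstation
    ("10.0.0.5", bytes.fromhex("00020000000601050013ff00")),
    # Write Multiple Registers, start 1, 2 registers, from an unexpected host
    ("10.0.0.77", bytes.fromhex("00030000000b01100001000204000a0102")),
    # Malformed: MBAP length claims 16 bytes but only 6 follow
    ("10.0.0.77", bytes.fromhex("000400000010010300000001")),
]

if __name__ == "__main__":
    for event in analyze(SAMPLE_FRAMES, ALLOWED_WRITERS):
        flag = "ALERT" if event["alert"] else "ok   "
        print(f"{flag} {event['src']:<10} {event['kind']:<9} {event['detail']}")
```

Running the block prints one line per frame; only the write from 10.0.0.77 and the malformed frame are flagged, which is the behaviour a blue team would expect to see once the emulated Modbus abilities are replayed through a tap or span port into this kind of check.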

“Our team has prioritized accessibility and documentation with the release of Caldera for OT. General information regarding plugin installation can be found within the plugin repository readme,” the Medium post added. “A thorough description of each plugin is accessible in-app with the Caldera fieldmanual plugin. Alternatively, the same documentation can be accessed directly via <plugin>/docs/<plugin>.md.”

The post also added that “if you are brand new to Caldera or just need a quick refresher, check out the core documentation. There you will find everything you need to get Caldera up and running on your own infrastructure. The Caldera server is intentionally lightweight and portable so that it can be deployed on a standard laptop.”

Publicly available as an extension to the open-source Caldera platform, the MITRE Caldera plugins allow security teams to run automated adversary emulation exercises that are specifically focused on threats to OT. In keeping with MITRE’s commitment to the public good, these OT plugins, like Caldera itself, are completely free to use and open source.

The Caldera for OT plugins are available to download now on GitHub. As an open-source platform, they will continue expanding to new environments, protocols, and attacks. “MITRE appreciates CISA’s partnership in contributing the first set of modules and is already working internally, with CISA, and other organizations to develop and release the next set of Caldera for OT open-source modules,” the post added.

In April, MITRE released its MITRE Caldera for OT tool, which allows security teams to run automated adversary emulation exercises targeted against OT environments. Built on the MITRE ATT&CK for ICS framework, the tool emulates the attack path and attacker capabilities defined either through ATT&CK for ICS or through custom-built plugins, supporting organizations’ cyber risk analysis and adversary emulation efforts to secure critical infrastructure environments.
