4 vital characteristics of effective threat intelligence in OT/ICS environments

Omar Al Barghouthi, Regional Director, Middle East, Dragos, looks at CART principles for improving the effectiveness of threat intelligence.

GCC governments have all embarked on national programmes to diversify their economies, and heavy industry is intended to play a major role in those stories. But those responsible for the machinery of these enterprises are anxious about the global headlines reporting cyberattacks on critical infrastructure.

There are many challenges in delivering robust OT/ICS security, such as the rarity of comprehensive skillsets and the proprietary nature of the assets to be protected. Gaining access to Complete, Accurate, Relevant, Timely (CART) threat intelligence can provide valuable focus for security investments, reduce adversary dwell times, and speed up post-incident recovery. By contrast, non-CART intelligence can actually increase risk, waste staff time with false positives, and lead to poor security decisions.

Intelligence, by its very nature, must be tailored to the specific use case and security demands of a unique threat and customer environment. And while threat intelligence for IT environments is becoming more mature, ICS/OT stakeholders do not have the luxury of porting it over to their environments, as IT and OT face very different threat landscapes. OT defenders must also address the realities of different risk frameworks, and the potentially more serious consequences of cyber incidents in their domain.

To ensure OT threat intelligence meets the required standards, we need to look at the providers of the data and assess them periodically against a set of formal criteria. CART itself is useful for this purpose.

  1. Completeness

We must ask if the threat intelligence covers all critical digital forensics domains, including host forensics, malware analysis, network traffic analysis, log analysis, and vulnerability analysis. The threat intelligence should correlate across the entire threat spectrum and incorporate sufficient domain context. Data that is complete allows security analysts to quickly establish the who, what, when, and where of a scenario and plainly see patterns that span broad threat spectrums, as opposed to single exploitations that strike a single victim.

  2. Accuracy

Providers should answer questions about whether and how they verify their intelligence. What corroborating sources do they use, and is their intelligence updated when new relevant information becomes available? Do they make it clear when information is time-sensitive? Where conclusions are drawn, how certain are the results, and does the provider make alternative hypotheses available so the customer can get a more complete picture? Accuracy is a more nebulous concept than many may think and is a matter of balance. In cybersecurity, perfectly accurate knowledge tends to be well known and may not be as timely, and therefore might provide little additional value to security analysts. On the other hand, intelligence that indulges in too much speculation is of little use and can do more harm than good.

  3. Relevance

Intelligence focused on IT threats lacks relevance in an OT environment. Information on a strain of malware that targets the infrastructure of one industry may not apply to another industry. Providers of threat intelligence must be transparent on what their methodologies are and whether they are capable of identifying threats that affect a particular customer’s organisation. It’s an advantage if the threat-intelligence provider has experience with the customer’s industry and operations, and it is important for them to demonstrate a clear reporting structure in which the customer can submit requirements and provide feedback to support more relevant intelligence. Relevant intelligence should be easy to find and clear enough that it can enable effective action.

  4. Timeliness

Rapid delivery of intelligence is often vital to establishing its value. It is important to know the lag time between the discovery of a threat and customer notification, and whether disclosures might sometimes be delayed to allow the gathering of more data. Timeliness is a critical element in the operationalisation of intelligence, but this does not mean that intelligence received after an incident has occurred is worthless. In fact, timely post-event intelligence is important to ongoing incident response and risk management. In an ICS/OT environment, timeliness must be put in the context of accuracy, because the potential negative consequences of making a decision based on bad intelligence are typically greater than in an IT environment.

Organisations operating in the OT/ICS space should always be looking to improve the efficacy of their threat intelligence based on CART principles. Assessments of threat-intelligence providers should be run at least once every six months, and should include a random sampling of the intelligence delivered during the period and interviews with the analysts who used it, to discern the quality of their experiences. What value, if any, do they believe was added to the organisation? Did it have a positive or negative effect on the business’s threat posture? To what extent was the intelligence actionable, and what were the impacts of the actions taken? Was the organisation more defensible with the threat intelligence than it would have been without it? And did the intelligence make the analysts’ goals easier to achieve?

As with all such engagements, the value of the partnership with a threat-intelligence provider can only be seen through perpetual evaluation. If they helped create a safer environment, then they should remain in place. If not, it might be time to find another source of intel.