ELITEWOLF: NSA’s repository of signatures and analytics to secure OT

Cyber entities continue to show a persistent interest in targeting critical infrastructure by taking advantage of vulnerable OT assets. To counter this threat, NSA has released a repository for OT Intrusion Detection Signatures and Analytics to the NSA Cyber GitHub.
The capability, known as ELITEWOLF, can enable defenders of critical infrastructure, defense industrial base, and national security systems to identify and detect potentially malicious cyber activity in their OT environments.

A match on one of these signatures or analytics is not by itself evidence of malicious activity; each hit requires follow-up analysis to determine whether the activity is malicious or benign. The rules have been tested, but every system can be configured differently, so confirm that each signature triggers correctly in your own environment and adjust it as needed for your sensors and network.

“The threats are real as we have seen enough of different types of attacks as many organizations lack the resources, let alone the lack of qualified personnel with the appropriate experience to manage these attacks and build business resilience into an organization to manage cyber-attacks. It is very challenging to identify, especially if there isn’t a security program in place on the OT side. The IT and OT sides rarely speak to each other, and there is a major lack of TTPs and technology appropriate for all of the 16 critical infrastructure sectors under CISA/DHS,” Christopher Warner, Sr. Security Consultant, OT/GRC at GuidePoint Security, told Help Net Security.

“Many consultants I work with have pushed private industries to become more resilient to cyber and physical attacks. When over 70% of private organizations protect our serious Critical Infrastructure, then there will need to be more collaboration, not more compliance or other ‘help me’ documents, as many are a regurgitation of what the basic blocking and tackling is in the Cybersecurity Performance Goals (CPGs), NIST CSF, NIST 800-563, C2M2, CIS Controls, IEC 62443 which now maps to NIST,” he concluded.