Threat-Hunting in OT Infrastructure: A Case Study

The Littleton Electric Light and Water Departments (LELWD) needed a cybersecurity platform. As a small public utility established in 1912, LELWD grappled with limited resources and expertise, making it vulnerable to cyber threats targeting its operational technology (OT). The situation escalated when the sophisticated threat group VOLTZITE compromised their networks, underscoring the urgent need for enhanced security measures.

David Ketchen, assistant general manager of LELWD, received a phone call from the FBI on a Friday afternoon alerting the utility to a suspected compromise. The gravity of the situation became evident when FBI agents, accompanied by representatives from the Cybersecurity and Infrastructure Security Agency (CISA), arrived at LELWD’s offices the following Monday.

To LELWD’s credit, the utility had already taken steps to bolster its cybersecurity posture. It was implementing the Dragos cybersecurity platform to gain visibility of its OT assets, secure IT-OT network traffic and monitor communications between OT devices and systems. It had also begun onboarding to OT Watch, Dragos’s threat-hunting-as-a-service offering.

Prompted to deploy ahead of the planned onboarding timeline, the OT Watch team gained access to the utility’s platform and identified VOLTZITE activity close to the utility’s OT. Specifically, the platform’s network monitoring confirmed Server Message Block (SMB) traversal and Remote Desktop Protocol (RDP) lateral movement involving LELWD’s Geographic Information System (GIS) server.

OT Watch provided these findings to LELWD, empowering responders to eradicate the adversary and secure the network against additional threats. Further investigation determined that the compromised information did not include any customer-sensitive data, and the utility was able to change its network architecture to remove any advantages for the adversary.

With OT Watch proving its value, LELWD started using the platform for several other cybersecurity activities:

  • Asset visibility and inventory. The platform uses passive network monitoring and deep packet inspection to automatically discover and classify OT assets, providing a comprehensive inventory without disrupting operations.
  • Threat detection and response. Littleton leverages the platform’s advanced analytics and threat intelligence to identify malicious activities, alerting security teams and providing actionable insights for rapid response.
  • Vulnerability management. The platform combines asset information with threat intelligence to prioritize vulnerabilities based on actual risk to the OT environment, enabling focused remediation efforts for LELWD’s small staff.
  • Network segmentation analysis. The platform analyzes network traffic patterns to identify potential segmentation issues and recommend improvements.
  • Incident response guidance. LELWD can see detailed forensic data, threat intelligence and expert playbooks within the platform to support efficient and effective incident investigation and remediation.
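The two capabilities the case study leans on, spotting SMB and RDP lateral movement toward the GIS server and checking that only expected hosts talk across segment boundaries, reduce to one hunt over network flow records: a zone map, a baseline of known-good communication pairs, and a short list of lateral-movement ports. The script below is an added illustration of that hunt, not Dragos platform or OT Watch code; the zone addressing, the baseline and the flow records are constructed, standing in for what a passive network monitor would extract from mirrored traffic.

```python
"""Hunting for SMB/RDP lateral movement toward OT-adjacent assets in flow records.

Added illustration for this case study; not Dragos platform or OT Watch code.
The zone map, communication baseline and flow records are constructed
(hypothetical addresses) to stand in for passively collected network metadata.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map. The GIS server is assumed to sit in an OT DMZ.
ZONES = {
    "IT": ip_network("10.1.0.0/16"),
    "OT_DMZ": ip_network("10.20.0.0/24"),
    "OT": ip_network("10.30.0.0/24"),
}

# Destination ports an intruder uses to traverse a Windows estate.
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 135: "RPC", 5985: "WinRM"}

# Constructed baseline of (src, dst, dport) pairs that are expected to talk.
BASELINE = {
    ("10.1.5.10", "10.20.0.5", 3389),  # admin RDP from the IT jump host to GIS
    ("10.1.5.10", "10.20.0.5", 445),   # scheduled file copy to the GIS server
    ("10.20.0.5", "10.30.0.20", 502),  # GIS server polling a Modbus/TCP gateway
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def hunt(flows):
    """Return unbaselined SMB/RDP-style connections into OT zones.

    Cross-zone hits (IT -> OT DMZ, OT DMZ -> OT) are rated high because they
    are the hops an intruder needs to reach the process network; same-zone
    hits are medium because they may be peer-to-peer admin noise.
    """
    findings = []
    for f in flows:
        service = LATERAL_PORTS.get(f.dport)
        if service is None:
            continue
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if dst_zone not in ("OT_DMZ", "OT"):
            continue  # IT-to-IT traffic is out of scope for this hunt
        if (f.src, f.dst, f.dport) in BASELINE:
            continue  # known-good communication pair
        findings.append({
            "ts": f.ts,
            "service": service,
            "path": f"{f.src}({src_zone}) -> {f.dst}({dst_zone})",
            "severity": "high" if src_zone != dst_zone else "medium",
        })
    return findings


def fan_out(flows, threshold=3):
    """Sources reaching >= threshold distinct hosts over lateral-movement ports.

    One host opening SMB/RDP to many others is the traversal pattern itself,
    so it is reported even when individual pairs happen to be baselined.
    """
    targets = defaultdict(set)
    for f in flows:
        if f.dport in LATERAL_PORTS:
            targets[f.src].add(f.dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed flow records (not captured traffic); times are illustrative.
SAMPLE_FLOWS = [
    Flow("14:02:11", "10.1.5.10", "10.20.0.5", 3389),    # baselined admin RDP
    Flow("14:05:40", "10.1.77.42", "10.20.0.5", 3389),   # RDP from an unexpected IT workstation
    Flow("14:06:03", "10.1.77.42", "10.20.0.5", 445),    # SMB from the same workstation
    Flow("14:09:27", "10.20.0.5", "10.30.0.20", 502),    # baselined Modbus polling
    Flow("14:11:52", "10.20.0.5", "10.30.0.20", 445),    # GIS server starts SMB into OT
    Flow("14:12:08", "10.20.0.5", "10.30.0.21", 445),
    Flow("14:12:19", "10.20.0.5", "10.30.0.22", 445),
    Flow("14:20:44", "10.30.0.20", "10.30.0.21", 3389),  # HMI-to-HMI RDP, same zone
    Flow("14:25:00", "10.1.5.10", "10.1.5.11", 445),     # IT-to-IT, out of scope
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_FLOWS):
        print(f"[{hit['severity']:6}] {hit['ts']} {hit['service']:4} {hit['path']}")
    for src, dsts in fan_out(SAMPLE_FLOWS).items():
        print(f"fan-out: {src} reached {len(dsts)} hosts: {sorted(dsts)}")
```

On the constructed records the hunt surfaces five high-severity cross-zone hits (two from the unexpected IT workstation into the GIS server, three from the GIS server into OT) and one medium same-zone hit, while the fan-out check names the GIS server as the host spreading over SMB. The baseline is what a small utility staff actually maintains: the list of pairs that should be talking, against which everything else is a question to answer.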


Help from the American Public Power Association

LELWD’s decision to partner with a cybersecurity company was driven by the need for specialized OT security expertise and a desire to work with a vendor with a strong industry reputation. The utility also sought a partner who could align its goals with those of the American Public Power Association (APPA).

APPA leverages funding to support OT cybersecurity deployments at public power utilities. Through cooperative agreements, APPA members have access to a host of programs and resources, including deployments of monitoring technology like the Dragos Platform. Through its cybersecurity programs to date, APPA has awarded more than $14 million to 32 utilities, funding 78 cybersecurity projects.

The partnership aimed not only to address immediate threats but also to establish a proactive security framework capable of adapting to evolving cyber risks.

According to Josh DeTerra, LELWD supervising engineer, “The improved visibility we gained through [the platform] has been a game-changer for our day-to-day operations. Just being able to see all the IP addresses that we know should or shouldn’t be talking to each other—it’s huge. This level of insight allows us to quickly identify and investigate any unusual network communications, potentially catching security breaches or operational issues before they escalate.”

“It’s not just about cybersecurity, but also operational efficiency,” said DeTerra. “We can now optimize our network configurations, troubleshoot issues faster and ensure that our critical systems are communicating as intended. This visibility has empowered our team to make data-driven decisions, improve our incident response times and maintain a reliable and secure infrastructure for our community,” he said.

LELWD has transformed its approach to cybersecurity, “shifting our mindset to see it as an ongoing process requiring constant adaptation,” said DeTerra. Working with Dragos “has empowered us to take ownership of OT security, equipping us to protect critical infrastructure and foster a culture of security awareness throughout our operations.”

This case study originally appeared in the April 2025 issue of Automation.com Monthly.

About The Author


John Burns is director of OT Threat Hunting at Dragos Inc. The company has a global mission to safeguard civilization from those trying to disrupt the industrial infrastructure. It is a privately held company based in the Washington, D.C. area with a regional presence around the world. The Dragos Platform is designed to monitor, manage and respond to cyber threats to industrial control systems. The company also provides urgent incident response services, threat intelligence and a variety of tools to protect critical OT assets.
