November 12, 2024 By Josh Nadeau 4 min read

Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.

On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to help promote best practices in security OT environments.

Rising concerns over OT security threats

OT security has become a chief concern over recent years as attacks on critical infrastructure organizations have continued to rise. The use of targeted malware, exploitation of supply chain vulnerabilities and reliance on third-party vendors with remote access to maintenance systems have expanded the digital attack surface of operating facilities and plants, making it more accessible to attacks when looking to compromise OT environments.

The potential consequence of OT security breaches is severe, not only causing disruptions to services but also posing a serious public safety threat when compromising energy grids and water supplies or causing irreparable environmental damage.

Recognizing the dangers inherent to OT, the NSA teamed up with multiple international security agencies to create six foundational principles that should be applied to better protect OT environments and the data they store.

1. Safety is paramount

Safety in OT environments is paramount. Unlike traditional business IT systems, where speed or innovation are the highest priority, with OT systems, human safety is on the line. If a cybersecurity incident happens, it can have severe consequences that impact many more people than the organization itself.

To ensure that OT systems are properly secured, the systems themselves need to be deterministic and predictable. This means that engineers need to know exactly how systems operate and be aware of where failures are likely to happen. There also need to be provisions in place to make sure that even in the event of complete power loss, system restarts shouldn’t be restricted.

Some common questions to ask when preparing environments adequately should include:

  • Is it safe for personnel to access affected sites?
  • Are ransom payments a viable option? If not, can the system be restored from backups?
  • How can a system be validated after recovery?

2. Knowledge of the business is crucial

For organizations to put in place adequate security protocols, a strong understanding of OT systems is critical. Organizations should clearly identify all of their critical systems and processes while documenting dependencies and making sure all personnel in charge of OT administration understand them.

Facilitating this level of knowledge requires both top-down and bottom-up thinking. For example, in facilities that use electric generators, categorizing technology like generators, controllers and fuel supply is important, but so is managing the specific OT systems and devices that depend on them. This could include turbine control systems, protection relays and fuel valve actuators.

In addition to understanding all of these elements, organizations need to integrate incident response playbooks into their crisis management plans.

Explore OT security solutions

3. OT data is extremely valuable and needs to be protected

OT data continues to be a highly valuable target for attackers. This is especially the case with engineering configuration data, which rarely changes and can be used by bad actors to create and test targeted malware.

There are also other types of data held in critical infrastructure facilities, such as voltage and pressure levels, which could provide valuable reconnaissance data that provides perspectives into the activities of organizations or their customers as well as how their control systems operate.

NSA has laid out certain steps to protect OT data, including:

  • Defining where and how OT data should be stored
  • Using protected data repositories that are segmented from corporate environments and open Internet access
  • Implementing canary tokens that alert the organization when OT data is viewed or exported
  • Changing passwords regularly and documenting failed login attempts

4. Segment and segregate OT from all other networks

Network segmentation has become a critical step for all organizations when mitigating the amount of damage that cyber breaches can cause. This is especially the case in OT networks where there is a higher risk presented by remote access by system maintenance teams.

Organizations should take steps to segment and segregate their OT environments from all other networks. This includes restricting upstream and downstream data access to vendors, peers and services.

System administration and management services should also be separated from standard IT environments. For example, if a firewall is placed between corporate networks and OT networks, OT security should not be managed from the IT side through privileged accounts.

5. The supply chain must be secure

The NSA has outlined the importance of organizations with OT environments having a supply chain assurance program in place that covers suppliers of software and equipment as well as vendors and managed service providers (MSPs). This means putting in more rigorous efforts when vetting potential partnerships.

Organizations should also invest in solutions that identify the source of all device connections within their OT environments, including portable devices. They should also ensure the firmware is only received from trusted locations and cryptographically signed and that the signatures are verified.

6. People are essential for OT cybersecurity

Trained personnel are an essential asset when looking to defend OT systems. It’s important that all applicable staff members are thoroughly prepared to create defenses, identify incidents that can occur and respond effectively to cyberattacks.

To help ensure there is the right mix of OT professionals, organizations should be hiring a mix of different backgrounds with skills in infrastructure development, cybersecurity professionals, control system engineers, field operations staff and asset managers.

Creating safer OT systems

The “Principle of Operational Technology Cybersecurity” document is a helpful framework that should be used to help build and maintain safer OT systems. By following the principles outlined, organizations can strengthen their cybersecurity posture and continue to ensure the integrity of essential public services.

More from Risk Management

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today