November 12, 2024 By Josh Nadeau 4 min read

Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.

On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to help promote best practices in security OT environments.

Rising concerns over OT security threats

OT security has become a chief concern over recent years as attacks on critical infrastructure organizations have continued to rise. The use of targeted malware, exploitation of supply chain vulnerabilities and reliance on third-party vendors with remote access to maintenance systems have expanded the digital attack surface of operating facilities and plants, making it more accessible to attacks when looking to compromise OT environments.

The potential consequence of OT security breaches is severe, not only causing disruptions to services but also posing a serious public safety threat when compromising energy grids and water supplies or causing irreparable environmental damage.

Recognizing the dangers inherent to OT, the NSA teamed up with multiple international security agencies to create six foundational principles that should be applied to better protect OT environments and the data they store.

1. Safety is paramount

Safety in OT environments is paramount. Unlike traditional business IT systems, where speed or innovation are the highest priority, with OT systems, human safety is on the line. If a cybersecurity incident happens, it can have severe consequences that impact many more people than the organization itself.

To ensure that OT systems are properly secured, the systems themselves need to be deterministic and predictable. This means that engineers need to know exactly how systems operate and be aware of where failures are likely to happen. There also need to be provisions in place to make sure that even in the event of complete power loss, system restarts shouldn’t be restricted.

Some common questions to ask when preparing environments adequately should include:

  • Is it safe for personnel to access affected sites?
  • Are ransom payments a viable option? If not, can the system be restored from backups?
  • How can a system be validated after recovery?

2. Knowledge of the business is crucial

For organizations to put in place adequate security protocols, a strong understanding of OT systems is critical. Organizations should clearly identify all of their critical systems and processes while documenting dependencies and making sure all personnel in charge of OT administration understand them.

Facilitating this level of knowledge requires both top-down and bottom-up thinking. For example, in facilities that use electric generators, categorizing technology like generators, controllers and fuel supply is important, but so is managing the specific OT systems and devices that depend on them. This could include turbine control systems, protection relays and fuel valve actuators.

In addition to understanding all of these elements, organizations need to integrate incident response playbooks into their crisis management plans.

Explore OT security solutions

3. OT data is extremely valuable and needs to be protected

OT data continues to be a highly valuable target for attackers. This is especially the case with engineering configuration data, which rarely changes and can be used by bad actors to create and test targeted malware.

There are also other types of data held in critical infrastructure facilities, such as voltage and pressure levels, which could provide valuable reconnaissance data that provides perspectives into the activities of organizations or their customers as well as how their control systems operate.

NSA has laid out certain steps to protect OT data, including:

  • Defining where and how OT data should be stored
  • Using protected data repositories that are segmented from corporate environments and open Internet access
  • Implementing canary tokens that alert the organization when OT data is viewed or exported
  • Changing passwords regularly and documenting failed login attempts

4. Segment and segregate OT from all other networks

Network segmentation has become a critical step for all organizations when mitigating the amount of damage that cyber breaches can cause. This is especially the case in OT networks where there is a higher risk presented by remote access by system maintenance teams.

Organizations should take steps to segment and segregate their OT environments from all other networks. This includes restricting upstream and downstream data access to vendors, peers and services.

System administration and management services should also be separated from standard IT environments. For example, if a firewall is placed between corporate networks and OT networks, OT security should not be managed from the IT side through privileged accounts.

5. The supply chain must be secure

The NSA has outlined the importance of organizations with OT environments having a supply chain assurance program in place that covers suppliers of software and equipment as well as vendors and managed service providers (MSPs). This means putting in more rigorous efforts when vetting potential partnerships.

Organizations should also invest in solutions that identify the source of all device connections within their OT environments, including portable devices. They should also ensure the firmware is only received from trusted locations and cryptographically signed and that the signatures are verified.

6. People are essential for OT cybersecurity

Trained personnel are an essential asset when looking to defend OT systems. It’s important that all applicable staff members are thoroughly prepared to create defenses, identify incidents that can occur and respond effectively to cyberattacks.

To help ensure there is the right mix of OT professionals, organizations should be hiring a mix of different backgrounds with skills in infrastructure development, cybersecurity professionals, control system engineers, field operations staff and asset managers.

Creating safer OT systems

The “Principle of Operational Technology Cybersecurity” document is a helpful framework that should be used to help build and maintain safer OT systems. By following the principles outlined, organizations can strengthen their cybersecurity posture and continue to ensure the integrity of essential public services.

More from Risk Management

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Roundup: The top ransomware stories of 2024

2 min read - The year 2024 saw a marked increase in the competence, aggression and unpredictability of ransomware attackers. Nearly all the key numbers are up — more ransomware gangs, bigger targets and higher payouts. Malicious ransomware groups also focus on critical infrastructure and supply chains, raising the stakes for victims and increasing the motivation to cooperate.Here are the biggest ransomware stories of 2024.Ransomware payments reach record highRansomware payments surged to record highs in 2024. In the first half of the year, victims…

83% of organizations reported insider attacks in 2024

4 min read - According to Cybersecurity Insiders' recent 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the last year. Even more surprising than this statistic is that organizations that experienced 11-20 insider attacks saw an increase of five times the amount of attacks they did in 2023 — moving from just 4% to 21% in the last 12 months.With insider threats on the rise, it’s critical for businesses to recognize the real dangers that originate from inside…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today