Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.
On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD ACSC) to help promote best practices in securing OT environments.
OT security has become a chief concern over recent years as attacks on critical infrastructure organizations have continued to rise. The use of targeted malware, exploitation of supply chain vulnerabilities and reliance on third-party vendors with remote access to maintenance systems have expanded the digital attack surface of operating facilities and plants, making it more accessible to attackers looking to compromise OT environments.
The potential consequence of OT security breaches is severe, not only causing disruptions to services but also posing a serious public safety threat when compromising energy grids and water supplies or causing irreparable environmental damage.
Recognizing the dangers inherent to OT, the NSA teamed up with multiple international security agencies to create six foundational principles that should be applied to better protect OT environments and the data they store.
Safety in OT environments is paramount. Unlike traditional business IT systems, where speed or innovation is the highest priority, with OT systems, human safety is on the line. If a cybersecurity incident happens, it can have severe consequences that impact many more people than the organization itself.
To ensure that OT systems are properly secured, the systems themselves need to be deterministic and predictable. This means that engineers need to know exactly how systems operate and be aware of where failures are likely to happen. There also need to be provisions in place to ensure that system restarts are not obstructed, even after a complete loss of power.
Some common questions to ask when preparing environments adequately should include:
For organizations to put in place adequate security protocols, a strong understanding of OT systems is critical. Organizations should clearly identify all of their critical systems and processes while documenting dependencies and making sure all personnel in charge of OT administration understand them.
Facilitating this level of knowledge requires both top-down and bottom-up thinking. For example, in facilities that use electric generators, categorizing technology like generators, controllers and fuel supply is important, but so is managing the specific OT systems and devices that depend on them. This could include turbine control systems, protection relays and fuel valve actuators.
In addition to understanding all of these elements, organizations need to integrate incident response playbooks into their crisis management plans.
OT data continues to be a highly valuable target for attackers. This is especially the case with engineering configuration data, which rarely changes and can be used by bad actors to create and test targeted malware.
There are also other types of data held in critical infrastructure facilities, such as voltage and pressure levels, which could provide valuable reconnaissance data that provides perspectives into the activities of organizations or their customers as well as how their control systems operate.
NSA has laid out certain steps to protect OT data, including:
Network segmentation has become a critical step for all organizations when mitigating the amount of damage that cyber breaches can cause. This is especially the case in OT networks where there is a higher risk presented by remote access by system maintenance teams.
Organizations should take steps to segment and segregate their OT environments from all other networks. This includes restricting upstream and downstream data access to vendors, peers and services.
System administration and management services should also be separated from standard IT environments. For example, if a firewall is placed between corporate networks and OT networks, OT security should not be managed from the IT side through privileged accounts.
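The segmentation principle above, as an added example that is not part of the original post: a small Python linter over a constructed firewall rule set. The address plan and the set of administrative ports are assumptions for the example; it flags every allow rule that lets the corporate (IT) zone reach OT assets, and treats management-port access from the IT side as the most serious finding.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumed for this example, not taken from the NSA guide).
ZONES = {
    "corporate":  ipaddress.ip_network("10.10.0.0/16"),  # business IT
    "ot_mgmt":    ipaddress.ip_network("10.50.0.0/24"),  # OT admin plane / jump hosts
    "ot_process": ipaddress.ip_network("10.51.0.0/24"),  # PLCs, HMIs, protection relays
}
OT_ZONES = {"ot_mgmt", "ot_process"}
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 443: "https-admin"}  # assumed management ports

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR; "0.0.0.0/0" means any source
    dst: str             # CIDR
    port: Optional[int]  # None means any port

def zones_touched(cidr: str) -> set:
    """Names of every zone the CIDR overlaps (a broad CIDR may hit several)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}

def lint(rules: list) -> list:
    """One finding per allow rule that crosses from the IT zone into an OT zone.
    Each allow rule is judged on its own; shadowing by earlier deny rules is not modelled."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src_z, dst_z = zones_touched(r.src), zones_touched(r.dst)
        if "corporate" not in src_z or not (dst_z & OT_ZONES):
            continue  # stays inside one side of the boundary
        if r.port is None:
            findings.append(f"rule {i}: CRITICAL any-port allow {r.src} -> {r.dst} crosses the IT/OT boundary")
        elif r.port in ADMIN_PORTS:
            findings.append(f"rule {i}: CRITICAL {ADMIN_PORTS[r.port]} from IT {r.src} to OT {r.dst}; "
                            "OT must be administered from the OT side")
        else:
            findings.append(f"rule {i}: WARN port {r.port} allow {r.src} -> {r.dst} crosses the IT/OT boundary; justify or remove")
    return findings

# Constructed sample policy.
SAMPLE_RULES = [
    Rule("allow", "10.50.0.0/24", "10.51.0.0/24", 502),  # OT mgmt -> process, Modbus: stays in OT
    Rule("allow", "10.10.5.0/24", "10.50.0.0/24", 22),   # corporate -> OT admin plane over SSH
    Rule("allow", "0.0.0.0/0", "10.51.0.0/24", None),    # anything -> process network, any port
    Rule("allow", "10.10.0.0/16", "10.51.0.10/32", 8443),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(finding)
```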
The NSA has outlined the importance of organizations with OT environments having a supply chain assurance program in place that covers suppliers of software and equipment as well as vendors and managed service providers (MSPs). This means putting in more rigorous efforts when vetting potential partnerships.
Organizations should also invest in solutions that identify the source of all device connections within their OT environments, including portable devices. They should also ensure that firmware is received only from trusted sources, is cryptographically signed and has its signatures verified.
Trained personnel are an essential asset when looking to defend OT systems. It’s important that all applicable staff members are thoroughly prepared to create defenses, identify incidents that can occur and respond effectively to cyberattacks.
To help ensure there is the right mix of OT professionals, organizations should hire staff from a range of backgrounds: infrastructure development, cybersecurity, control system engineering, field operations and asset management.
The “Principles of Operational Technology Cybersecurity” document is a helpful framework that should be used to help build and maintain safer OT systems. By following the principles outlined, organizations can strengthen their cybersecurity posture and continue to ensure the integrity of essential public services.