US, Allies Release Guidance on Securing OT Environments

New guidance from government agencies in the US and allied countries provides organizations with details on how to design, implement, and manage safe and secure operational technology (OT) environments.

OT is deeply integrated into critical infrastructure organizations’ complex environments, and business decisions such as adding new processes, services, or systems, selecting vendors for support, or developing business continuity and security-related plans may affect the cybersecurity of OT.

The new guidance (PDF) from government agencies in Australia, Canada, Germany, Japan, Korea, New Zealand, the US, and the UK details six principles for secure OT: paramount safety, knowledge of the business, OT data value and protection, OT segmentation, secure supply chain, and the importance of people for OT cybersecurity.

“The authoring agencies recommend an OT decision maker apply the six principles presented in this document to help determine if the decision being made is likely to adversely impact the cyber security of the OT environment,” the guidance reads.

Decisions that break one or more principles likely introduce vulnerabilities and need to be either closely examined, so that cybersecurity controls can be put in place to keep the risks manageable, or reconsidered. Filtering decisions that affect OT security will result in the adoption of decisions promoting safety, security and business continuity, the authoring agencies say.

They also point out that organizations should ensure they have a deep understanding of their OT systems and processes, that cyber incidents are thoroughly investigated and safely responded to, that comprehensive patching processes are implemented, and that OT data is protected to the level of the OT system, given its critical importance and the fact that it rarely changes.

Furthermore, they should ensure that OT networks are segmented and segregated from IT networks and from the internet, and that they have a supply chain assurance program covering vendors and MSPs, especially those that have access to OT to provide support.

“A cyber-related incident cannot be prevented or identified in OT without people that possess the necessary tools and training creating defenses and looking for incidents. Once a cyber-related incident has been identified in OT, trained and competent people are required to respond,” the document reads.

The guidance, the authoring agencies point out, is aimed at all personnel involved in making decisions affecting OT, from leadership to technical personnel. All critical infrastructure organizations are advised to review security best practices and implement recommended actions to improve OT security.
