Critical infrastructure organizations depend on operational technology (OT) to monitor and control the systems and processes needed to deliver essential services to the public. Because OT deployments are now highly interconnected, cybersecurity has become a primary concern.

On October 2, 2024, the NSA (National Security Agency) issued a new cybersecurity information sheet (CSI) titled “Principles of Operational Technology Cybersecurity.” The guide was produced in partnership with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD ACSC) to promote best practices for securing OT environments.

Growing concern over OT security risks

Concern about OT security has intensified in recent years as attacks against critical infrastructure organizations have continued to escalate. The use of specialized malware, the exploitation of supply chain vulnerabilities, and reliance on third-party vendors with remote access to maintenance systems have broadened the digital attack surface of operating facilities and plants, making them more susceptible to attacks aimed at compromising OT environments.

The consequences of an OT security breach can be severe: beyond disrupting services, a breach can pose a substantial threat to public safety by compromising energy grids and water supplies or causing irreversible environmental damage.

Acknowledging the inherent risks of OT, the NSA collaborated with multiple international security agencies to develop six foundational principles that organizations should implement to strengthen the protection of OT environments and the information they hold.

1. Safety takes precedence

In OT environments, safety comes first. Unlike traditional business IT systems, where speed or innovation are the primary concerns, in OT systems human safety is at stake. A cybersecurity incident can have grave consequences that affect far more people than the organization itself.

To secure OT systems, they must be deterministic and predictable. Engineers must understand precisely how the systems function and where failures are likely to occur. Provisions should be in place to ensure that even after a total loss of power, systems can still be restarted.

When preparing the environment, some standard questions to consider include:

  • Is it safe for staff to access affected sites?
  • Is paying a ransom an option? If not, can the system be restored from backups?
  • How can a system be validated after recovery?

2. Knowledge of the business is essential

For organizations to put suitable security procedures in place, a deep understanding of their OT systems is vital. Organizations should clearly identify all of their critical systems and processes, document the interdependencies between them, and ensure that all staff responsible for OT management understand them.

Building this level of awareness requires both top-down and bottom-up thinking. For instance, in facilities that use electric generators, classifying equipment such as generators, controllers, and fuel supply is crucial, but so is attending to the specific OT systems and devices that depend on them, such as turbine control systems, protection relays, and fuel valve actuators.

In addition to understanding all of these facets, organizations need to incorporate incident response playbooks into their emergency management plans.


3. OT data is highly valuable and must be protected

OT data remains a highly sought-after target for attackers. This is especially true of engineering configuration data, which seldom changes and can be used by malicious actors to develop and test targeted malware.

Other types of data stored in critical infrastructure facilities, such as voltage and pressure levels, can provide valuable intelligence about the operations of organizations or their customers, as well as how their control systems operate.

The NSA has outlined specific measures to protect OT data, including:

  • Determining where and how OT data should be stored
  • Using protected data repositories that are segregated from corporate environments and have no direct Internet access
  • Deploying canary tokens that alert the organization when OT data is accessed or exported
  • Regularly changing passwords and logging failed login attempts
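The last two measures are the ones a detection engineer can turn into code. The following Go program is an added example, not part of the NSA document or this article: it runs over a handful of constructed audit records (the record format, the `/ot/canary/` decoy path, and the 3-failures-in-60-seconds threshold are all assumptions for the example) and raises an alert whenever a canary file is read or exported, and once per user/source pair that accumulates repeated failed logins inside the window.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample audit records (not real logs). Assumed format:
//   <unix_ts> <event> key=value ...
// FILE_READ / FILE_EXPORT carry user, src and path; LOGIN_FAIL carries user and src.
var sampleAudit = []string{
	"1700000000 FILE_READ user=eng01 src=10.30.0.15 path=/ot/config/plc_line3.cfg",
	"1700000005 FILE_READ user=svc_backup src=10.30.0.7 path=/ot/canary/relay_settings.xml",
	"1700000010 LOGIN_FAIL user=admin src=192.168.50.9",
	"1700000012 LOGIN_FAIL user=admin src=192.168.50.9",
	"1700000014 LOGIN_FAIL user=admin src=192.168.50.9",
	"1700000016 LOGIN_FAIL user=admin src=192.168.50.9",
	"1700000020 FILE_EXPORT user=eng01 src=10.30.0.15 path=/ot/config/plc_line3.cfg",
	"1700000400 LOGIN_FAIL user=eng02 src=10.30.0.15",
}

// Alert is one detection result.
type Alert struct {
	Kind   string // CANARY_FILE_READ, CANARY_FILE_EXPORT or LOGIN_FAIL_BURST
	User   string
	Source string
	Detail string
}

type auditEvent struct {
	ts     int64
	kind   string
	fields map[string]string
}

// parseAuditLine splits one record into timestamp, event type and key=value fields.
func parseAuditLine(line string) (auditEvent, bool) {
	parts := strings.Fields(line)
	if len(parts) < 3 {
		return auditEvent{}, false
	}
	ts, err := strconv.ParseInt(parts[0], 10, 64)
	if err != nil {
		return auditEvent{}, false
	}
	ev := auditEvent{ts: ts, kind: parts[1], fields: map[string]string{}}
	for _, kv := range parts[2:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev.fields[k] = v
		}
	}
	return ev, true
}

// AuditAlerts raises an alert for every read or export of a path under canaryPrefix
// (the canary files are decoys nobody has a legitimate reason to touch), and one alert
// per user/source pair that accumulates `threshold` failed logins within windowSec seconds.
func AuditAlerts(lines []string, canaryPrefix string, threshold int, windowSec int64) []Alert {
	var alerts []Alert
	recentFails := map[string][]int64{} // user|src -> failure timestamps still inside the window
	burstReported := map[string]bool{}
	for _, line := range lines {
		ev, ok := parseAuditLine(line)
		if !ok {
			continue // malformed record: skipped here, a production collector would count these too
		}
		user, src := ev.fields["user"], ev.fields["src"]
		key := user + "|" + src
		switch ev.kind {
		case "FILE_READ", "FILE_EXPORT":
			if strings.HasPrefix(ev.fields["path"], canaryPrefix) {
				alerts = append(alerts, Alert{Kind: "CANARY_" + ev.kind, User: user, Source: src, Detail: ev.fields["path"]})
			}
		case "LOGIN_FAIL":
			ts := append(recentFails[key], ev.ts)
			for len(ts) > 0 && ev.ts-ts[0] > windowSec {
				ts = ts[1:] // evict failures that fell out of the window
			}
			recentFails[key] = ts
			if len(ts) >= threshold && !burstReported[key] {
				burstReported[key] = true
				alerts = append(alerts, Alert{Kind: "LOGIN_FAIL_BURST", User: user, Source: src,
					Detail: fmt.Sprintf("%d failures within %ds", len(ts), windowSec)})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range AuditAlerts(sampleAudit, "/ot/canary/", 3, 60) {
		fmt.Printf("%-18s user=%s src=%s %s\n", a.Kind, a.User, a.Source, a.Detail)
	}
}
```

On the sample records this produces two alerts: the backup service account reading the canary file, and the burst of failed `admin` logins from `192.168.50.9`. The legitimate engineer's read and export of the real configuration file produce nothing, which is the point of a canary: it fires on the decoy rather than on every access to genuine data, so the alert is high-signal.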

4. Segment and segregate OT from all other networks

Network segmentation has become a crucial step for every organization in limiting the damage that a cyber intrusion can cause. This is particularly true of OT networks, where remote access by maintenance teams poses a heightened risk.

Organizations should take measures to segment and segregate their OT environments from all other networks. This includes restricting upstream and downstream data access by vendors, peers, and services.

System administration and management services should also remain separate from standard IT environments. For example, if a firewall sits between the corporate and OT networks, the OT security controls should not be managed from the IT side using privileged accounts.
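A segmentation policy is easier to audit when it is written down as data and checked mechanically. The Go program below is an added example, not the NSA's or this article's own material: it defines three assumed zones (corporate, an OT DMZ that hosts the intermediaries, and OT), the permitted zone-to-zone paths, and the management address and ports of the boundary firewall (all constructed values), and then evaluates a set of constructed flows against that policy. It flags direct corporate-to-OT traffic, any address outside a known zone (such as a vendor remote session that bypasses the zones), and, matching the firewall example above, any attempt to manage the boundary device from anywhere other than the OT side.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Zone boundaries are constructed for this example; a real site takes them from its
// network architecture. The ot-dmz holds the jump hosts and historian replica that
// mediate all corporate <-> OT traffic.
type Zone struct {
	Name   string
	Prefix netip.Prefix
}

var zones = []Zone{
	{"corporate", netip.MustParsePrefix("10.10.0.0/16")},
	{"ot-dmz", netip.MustParsePrefix("10.20.0.0/24")},
	{"ot", netip.MustParsePrefix("10.30.0.0/16")},
}

// Permitted direct zone-to-zone paths. Any other path that crosses a zone boundary is a finding.
var allowedPaths = map[[2]string]bool{
	{"corporate", "ot-dmz"}: true,
	{"ot-dmz", "ot"}:        true,
	{"ot", "ot-dmz"}:        true,
}

// Management address of the OT boundary firewall (assumed) and the ports used to manage it.
// Per the principle above, these must only be reachable from the OT side.
var boundaryMgmtAddrs = map[netip.Addr]bool{netip.MustParseAddr("10.20.0.1"): true}
var mgmtPorts = map[uint16]bool{22: true, 443: true}

type Flow struct {
	Src, Dst netip.Addr
	Port     uint16
	Desc     string
}

type Finding struct {
	Flow Flow
	Rule string
}

func zoneOf(a netip.Addr) string {
	for _, z := range zones {
		if z.Prefix.Contains(a) {
			return z.Name
		}
	}
	return "unknown"
}

// CheckFlows evaluates observed or proposed flows against the segmentation policy.
// The management check comes first so that a corporate host reaching the firewall's
// management port is reported even though corporate -> ot-dmz is otherwise allowed.
func CheckFlows(flows []Flow) []Finding {
	var out []Finding
	for _, f := range flows {
		srcZone, dstZone := zoneOf(f.Src), zoneOf(f.Dst)
		switch {
		case boundaryMgmtAddrs[f.Dst] && mgmtPorts[f.Port] && srcZone != "ot":
			out = append(out, Finding{f, "BOUNDARY_DEVICE_MANAGED_FROM_OUTSIDE_OT"})
		case srcZone == "unknown" || dstZone == "unknown":
			out = append(out, Finding{f, "UNCLASSIFIED_ADDRESS"})
		case srcZone != dstZone && !allowedPaths[[2]string{srcZone, dstZone}]:
			out = append(out, Finding{f, "DIRECT_CROSS_ZONE_PATH"})
		}
	}
	return out
}

// Constructed flow records, as they might come from a firewall rule review or flow logs.
var sampleFlows = []Flow{
	{netip.MustParseAddr("10.10.5.5"), netip.MustParseAddr("10.20.0.10"), 443, "analyst reads historian replica in DMZ"},
	{netip.MustParseAddr("10.10.5.5"), netip.MustParseAddr("10.30.1.20"), 502, "corporate workstation talks Modbus straight to a PLC"},
	{netip.MustParseAddr("10.20.0.10"), netip.MustParseAddr("10.30.1.20"), 502, "DMZ historian polls the PLC"},
	{netip.MustParseAddr("10.10.9.9"), netip.MustParseAddr("10.20.0.1"), 22, "IT admin SSH to the OT boundary firewall"},
	{netip.MustParseAddr("203.0.113.7"), netip.MustParseAddr("10.30.1.20"), 44818, "vendor remote session not passing through a zone"},
	{netip.MustParseAddr("10.30.1.20"), netip.MustParseAddr("10.20.0.10"), 8080, "PLC pushes telemetry to the DMZ"},
}

func main() {
	for _, f := range CheckFlows(sampleFlows) {
		fmt.Printf("%-40s %s -> %s:%d (%s)\n", f.Rule, f.Flow.Src, f.Flow.Dst, f.Flow.Port, f.Flow.Desc)
	}
}
```

Three of the six sample flows are reported: the direct Modbus path from a corporate workstation, the SSH session from an IT administrator to the boundary firewall, and the vendor session from an address that belongs to no zone. The same checker can be run over proposed firewall rules before they are deployed, which is usually cheaper than discovering the gap from flow logs afterwards.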

5. The supply chain must be trustworthy

The NSA has highlighted the importance of organizations with OT environments having a supply chain assurance program in place that covers suppliers of software and equipment as well as vendors and managed service providers (MSPs). This means applying more rigorous evaluation when assessing prospective partners.

Organizations should also invest in solutions that identify the origin of all device connections within their OT environments, including portable devices. They should also ensure that firmware is obtained only from trusted sources and is cryptographically signed and verified.
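What "cryptographically signed and verified" means in practice is that the receiving side holds a pinned copy of the vendor's public key and refuses any image whose signature does not verify under it. The Go program below is an added example, not code from the NSA document, this article, or any vendor: it uses Ed25519 from the standard library, an assumed package layout (image, version label, and a signature over a manifest that binds the version to the SHA-256 of the image), a constructed image, and a freshly generated vendor key standing in for the pinned one. It then shows the verifier rejecting a tampered image, a package signed by a key that is not in the trust store, and a genuine package whose version label has been altered.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwarePackage is the assumed on-the-wire layout: the image, its version label,
// and the vendor's Ed25519 signature over a manifest that binds the two together.
type FirmwarePackage struct {
	Version   string
	Image     []byte
	Signature []byte
}

// manifest is what actually gets signed: a domain tag, the version, and the image hash.
// Signing the version as well means a relabelled (for example, downgraded) package fails verification.
func manifest(version string, image []byte) []byte {
	h := sha256.Sum256(image)
	return append([]byte("otfw-v1|"+version+"|"), h[:]...)
}

// SignFirmware models the vendor's release step; the private key never leaves the vendor.
func SignFirmware(priv ed25519.PrivateKey, version string, image []byte) FirmwarePackage {
	return FirmwarePackage{Version: version, Image: image, Signature: ed25519.Sign(priv, manifest(version, image))}
}

var ErrUntrustedSigner = errors.New("firmware signature does not verify under any trusted vendor key")

// VerifyFirmware is the device- or staging-side check: the package is accepted only if its
// signature verifies under a public key pinned in the local trust store. It returns the name
// of the matching key so the decision can be logged.
func VerifyFirmware(trusted map[string]ed25519.PublicKey, pkg FirmwarePackage) (string, error) {
	m := manifest(pkg.Version, pkg.Image)
	for name, pub := range trusted {
		if len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, m, pkg.Signature) {
			return name, nil
		}
	}
	return "", ErrUntrustedSigner
}

// Outcome collects the verification results for the four cases exercised below.
type Outcome struct {
	GenuineSigner                                    string
	GenuineErr, TamperedErr, RogueKeyErr, RelabelErr error
}

// RunScenario generates a trusted vendor key and a rogue key, signs a constructed image,
// and runs the verifier against the genuine package and three manipulated variants.
func RunScenario() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	trusted := map[string]ed25519.PublicKey{"vendor-A-release-2024": vendorPub} // the pinned key
	image := bytes.Repeat([]byte{0xAA, 0x55}, 512)                               // constructed stand-in for a controller image

	var o Outcome
	genuine := SignFirmware(vendorPriv, "3.2.1", image)
	o.GenuineSigner, o.GenuineErr = VerifyFirmware(trusted, genuine)

	tampered := genuine // same signature, one bit of the image flipped in transit
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[100] ^= 0x01
	_, o.TamperedErr = VerifyFirmware(trusted, tampered)

	rogue := SignFirmware(roguePriv, "3.2.1", image) // well-formed signature, but not from a pinned key
	_, o.RogueKeyErr = VerifyFirmware(trusted, rogue)

	relabelled := genuine // unchanged image and signature, version label altered
	relabelled.Version = "3.2.0"
	_, o.RelabelErr = VerifyFirmware(trusted, relabelled)
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: signer=%q err=%v\n", o.GenuineSigner, o.GenuineErr)
	fmt.Printf("tampered image: %v\nrogue key: %v\nrelabelled version: %v\n", o.TamperedErr, o.RogueKeyErr, o.RelabelErr)
}
```

Only the genuine package is accepted, and the verifier reports which pinned key matched. The two details worth carrying into a real deployment are that the trust store is a short, explicit list of keys (a signature that verifies under some key is worthless unless that key was pinned in advance), and that the version label is inside the signed manifest rather than beside it, so an attacker cannot present a genuinely signed old image as the current release.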

6. People are essential to OT cybersecurity

Competent personnel are a paramount asset when securing OT systems. It is crucial that all relevant staff are properly equipped to design defenses, detect potential incidents, and respond effectively to cyberattacks.

To ensure an appropriate mix of OT professionals, organizations should engage people from diverse backgrounds with skills in infrastructure development, cybersecurity, control system engineering, field operations, and asset management.

Building more secure OT systems

The “Principles of Operational Technology Cybersecurity” document serves as a useful framework for building and maintaining more secure OT systems. By following the principles outlined above, organizations can strengthen their cybersecurity posture and continue to uphold the integrity of essential public services.