Global Cybersecurity Agencies Release OT Security Guidelines
Principles to Ensure Critical Infrastructure's Operational Technology Security

Don't pull data from an operational technology network: OT networks should push data out. Segment critical OT networks from less critical OT networks. Don't introduce cybersecurity systems into an OT network unless administrators can guarantee they won't hinder a restart after a complete loss of electricity.
Those are takeaways from guidance published Tuesday with the backing of nine governments, including cyber agencies from the United States, Australia, Germany and Japan.
The guidance outlines six key principles organizations can follow to strengthen cybersecurity protections for critical infrastructure across sectors such as water, energy, transportation and healthcare.
The guidance's six principles focus on the critical aspects of OT security: safety, business knowledge, data protection, network segmentation, supply chain security and the human factor. OT systems, unlike traditional IT networks, control physical processes that could directly affect human life.
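The push-out and segmentation principles can be checked mechanically against session records from the OT boundary. The following is an added illustration, not code from the guidance or the article; the zone addresses, the record format and the sample records are all constructed for the example.

```python
import ipaddress
from typing import NamedTuple, Optional

# Hypothetical zone layout; all addresses here are constructed for this example.
ZONES = {"critical_ot": ipaddress.ip_network("10.10.0.0/24"),
         "noncritical_ot": ipaddress.ip_network("10.20.0.0/24"),
         "it_dmz": ipaddress.ip_network("10.100.0.0/24")}
OT_ZONES = {"critical_ot", "noncritical_ot"}

class Flow(NamedTuple):
    src: str    # initiator: the side that opened the connection
    dst: str    # responder
    dport: int

def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in ZONES.items() if ip in net), "external")

def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding if the flow breaks one of the two principles, else None."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    # Principle: OT pushes data out; nothing outside OT initiates a session into OT.
    if dst_zone in OT_ZONES and src_zone not in OT_ZONES:
        return f"PULL {flow.src}->{flow.dst}:{flow.dport} ({src_zone} into {dst_zone})"
    # Principle: critical OT stays segmented from less critical OT.
    if src_zone == "noncritical_ot" and dst_zone == "critical_ot":
        return f"SEGMENTATION {flow.src}->{flow.dst}:{flow.dport} ({src_zone} into {dst_zone})"
    return None

def parse_flows(lines):
    # Constructed record format: "<initiator> <responder> <dst_port>"; '#' lines are comments.
    return [Flow(s, d, int(p)) for s, d, p in
            (ln.split() for ln in lines if ln.strip() and not ln.startswith("#"))]

def audit(lines) -> list:
    return [f for f in map(check_flow, parse_flows(lines)) if f]

# Constructed sample: five session records as a flow collector might export them.
SAMPLE_LOG = """\
# initiator responder dst_port
10.10.0.5 10.100.0.20 443
10.100.0.20 10.10.0.5 502
10.20.0.7 10.10.0.9 102
10.20.0.7 10.100.0.20 8443
10.10.0.5 10.10.0.9 102
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print(finding)
```

Only sessions initiated from outside OT into OT, or from the less critical OT zone into the critical one, are reported; OT-initiated outbound sessions pass, which is the behaviour the push-out principle expects.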
Safety is the paramount principle, the guidance says. First-order hazards of critical infrastructure gone wrong include high voltages, flammable explosions, high-velocity crashes and chemical and biological hazards. Those hazards raise the question of whether an organization is prepared to send staff into a work environment that depends on correctly running software, "knowing that a bad actor has been, or is currently, on the network," the guidance asks.
Rising geopolitical tensions have converted critical infrastructure and OT networks into "prime targets for cybercriminals and nation-states," said James Neilson, senior vice president of international at OPSWAT.
Attackers increasingly seek to disrupt societies by targeting essential services ranging from energy to transportation - all of which depend on OT systems, he added. That makes the oft-touted need for prevention especially important in critical infrastructure settings, Neilson said. "Overreliance on threat detection rather than prevention can leave organizations unduly exposed."
One key principle stresses that OT data, including configuration files, is valuable and needs protection. OT environments, unlike typical IT systems, change slowly, making configuration data particularly attractive to attackers. Any one network configuration is unlikely to change within 5 years and may last two decades or more. An attacker who knows address 1250 is a circuit breaker, or gains other in-depth knowledge of an OT network, "may be likened to the concept of prepositioning in a corporate IT environment," the guidance says.
The guidance underscores the need to secure supply chain elements, vendors, contractors and third parties, as any weak link could compromise the entire system. "Vulnerabilities in any component can compromise entire networks," Neilson said.
"A penny of prevention is worth more than a pound of cure," Neilson added.