On October 2, 2024, a set of principles titled Principles of Operational Technology Cybersecurity was released by cybersecurity agencies from Australia, the U.S., and other international partners. The guide aims to assist organizations, especially those managing infrastructure, in understanding and securing their operational technology (OT) environments against cyber threats.
Safety at the Forefront of OT Security
Unlike conventional IT systems, which focus primarily on data and business processes, OT is directly tied to physical processes that have a profound impact on safety and security. The guide underscores that safety should be the top priority in managing OT systems. Failures in OT environments can have severe implications, such as malfunctions in energy systems or water supply that threaten human life and disrupt public services. Critical infrastructure is interconnected; thus, disruptions, whether accidental or from malicious cyber activity, could have wide-reaching consequences for society’s functioning.
The focus on safety highlights that any new system, process, or cyber-related decision should undergo rigorous assessment to ensure it does not compromise the security and safety of critical services. For example, in the event of a cyber incident affecting OT safety and protection systems, the organization must have a strategy for safely sending staff to the site and validating system integrity before operations resume. A key consideration is that systems should be “black-start compliant,” meaning they can be safely restarted after a full power loss without reliance on other systems.
Knowledge of the Business is Crucial
For effective OT cybersecurity, understanding the business’s core functions and critical assets is vital. This principle emphasizes that an organization’s ability to defend against cyber incidents is closely linked to how well it understands its essential services, OT processes, and interdependencies. This includes knowing which systems are necessary to maintain critical operations, the significance of each OT process, and potential vulnerabilities that may arise from internal or external networks.
Organizations are encouraged to document their OT systems thoroughly, such as network diagrams, system engineering drawings, and recovery procedures. Regularly assessing and updating these documents help identify risks and establish defenses to minimize the impact of a cyber incident.
Additionally, organizations should integrate OT-specific incident response plans with other emergency management procedures. This includes collaboration across teams, as well as providing comprehensive information packs to third-party responders to speed up incident response. Simple measures like color-coding cables or marking authorized devices can help staff quickly identify anomalies in the OT environment.
Securing OT Data and Segmenting Networks
OT data is a highly valuable asset. Critical engineering configuration data, such as network diagrams, process sequences, and device schematics, can remain unchanged for years, making them prime targets for cyber adversaries. Protecting such data is imperative to prevent cyber-attacks that exploit system configurations or deploy targeted malware. Moreover, even transient OT data, like operational parameters or customer activity, needs safeguarding to prevent unauthorized access or data manipulation.
To mitigate risks, organizations are advised to store OT data securely, segregate it from IT systems, and ensure that access to this information is closely monitored. Another key practice is to implement network segmentation, ensuring that OT networks are separated from IT networks and the internet to reduce exposure. This approach prevents breaches in corporate networks from reaching OT systems, which are often seen as more sensitive.
Further, the guide advises securing connections between a critical infrastructure organization’s OT network and other external OT networks. These connections, if not properly protected, can be used as backdoors by malicious actors to bypass traditional security measures. The Hatman malware incident of 2017 is highlighted as a case where a lack of proper segmentation led to serious vulnerabilities.
Strengthening the Supply Chain and Personnel Competency
An organization’s OT cybersecurity posture is only as strong as its supply chain and the people managing it. With third-party vendors often gaining access to critical OT systems, ensuring that these partners comply with security standards is crucial. The guide recommends comprehensive supply chain assurance programs for equipment, software vendors, and service providers.
One key recommendation is to scrutinize all devices on the network—whether they are core systems like controllers or peripherals like printers. Understanding a device’s origins, any potential connections to untrusted networks, and the risks posed by firmware updates are essential considerations. It’s not just about what a device does now, but also what it could be reconfigured to do if compromised.
People are the final line of defense for OT cybersecurity. Building a culture of safety and awareness within the organization is critical for early detection and response to incidents. Encouraging staff to report anomalies, integrating cybersecurity into safety assessments, and training personnel on new incident response protocols for OT environments are essential steps. Given that traditional fault responses like rebooting devices might erase cyber-incident evidence, new procedures are required to identify and investigate potential cyber-attacks effectively.
Protect OT environments from cyber threats
The release of the Principles of Operational Technology Cybersecurity guide marks an essential step in global efforts to protect OT environments from cyber threats. It emphasizes safety, understanding business processes, data protection, network segmentation, supply chain security, and skilled personnel as fundamental pillars for a secure OT ecosystem. Organizations are urged to adopt these principles proactively to safeguard critical infrastructure and ensure the continuity of essential services in the face of evolving cyber risks.
Image credit: GustavsMD, AdobeStock
