Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.
On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to help promote best practices in security OT environments.
Rising concerns over OT security threats
OT security has become a chief concern over recent years as attacks on critical infrastructure organizations have continued to rise. The use of targeted malware, exploitation of supply chain vulnerabilities and reliance on third-party vendors with remote access to maintenance systems have expanded the digital attack surface of operating facilities and plants, making it more accessible to attacks when looking to compromise OT environments.
The potential consequence of OT security breaches is severe, not only causing disruptions to services but also posing a serious public safety threat when compromising energy grids and water supplies or causing irreparable environmental damage.
Recognizing the dangers inherent to OT, the NSA teamed up with multiple international security agencies to create six foundational principles that should be applied to better protect OT environments and the data they store.
1. Safety is paramount
Safety in OT environments is paramount. Unlike traditional business IT systems, where speed or innovation are the highest priority, with OT systems, human safety is on the line. If a cybersecurity incident happens, it can have severe consequences that impact many more people than the organization itself.
To ensure that OT systems are properly secured, the systems themselves need to be deterministic and predictable. This means that engineers need to know exactly how systems operate and be aware of where failures are likely to happen. There also need to be provisions in place to make sure that even in the event of complete power loss, system restarts shouldn’t be restricted.
Some common questions to ask when preparing environments adequately should include:
- Is it safe for personnel to access affected sites?
- Are ransom payments a viable option? If not, can the system be restored from backups?
- How can a system be validated after recovery?
2. Knowledge of the business is crucial
For organizations to put in place adequate security protocols, a strong understanding of OT systems is critical. Organizations should clearly identify all of their critical systems and processes while documenting dependencies and making sure all personnel in charge of OT administration understand them.
Facilitating this level of knowledge requires both top-down and bottom-up thinking. For example, in facilities that use electric generators, categorizing technology like generators, controllers and fuel supply is important, but so is managing the specific OT systems and devices that depend on them. This could include turbine control systems, protection relays and fuel valve actuators.
In addition to understanding all of these elements, organizations need to integrate incident response playbooks into their crisis management plans.
3. OT data is extremely valuable and needs to be protected
OT data continues to be a highly valuable target for attackers. This is especially the case with engineering configuration data, which rarely changes and can be used by bad actors to create and test targeted malware.
There are also other types of data held in critical infrastructure facilities, such as voltage and pressure levels, which could provide valuable reconnaissance data that provides perspectives into the activities of organizations or their customers as well as how their control systems operate.
NSA has laid out certain steps to protect OT data, including:
- Defining where and how OT data should be stored
- Using protected data repositories that are segmented from corporate environments and open Internet access
- Implementing canary tokens that alert the organization when OT data is viewed or exported
- Changing passwords regularly and documenting failed login attempts
4. Segment and segregate OT from all other networks
Network segmentation has become a critical step for all organizations when mitigating the amount of damage that cyber breaches can cause. This is especially the case in OT networks where there is a higher risk presented by remote access by system maintenance teams.
Organizations should take steps to segment and segregate their OT environments from all other networks. This includes restricting upstream and downstream data access to vendors, peers and services.
System administration and management services should also be separated from standard IT environments. For example, if a firewall is placed between corporate networks and OT networks, OT security should not be managed from the IT side through privileged accounts.
5. The supply chain must be secure
The NSA has outlined the importance of organizations with OT environments having a supply chain assurance program in place that covers suppliers of software and equipment as well as vendors and managed service providers (MSPs). This means putting in more rigorous efforts when vetting potential partnerships.
Organizations should also invest in solutions that identify the source of all device connections within their OT environments, including portable devices. They should also ensure the firmware is only received from trusted locations and cryptographically signed and that the signatures are verified.
6. People are essential for OT cybersecurity
Trained personnel are an essential asset when looking to defend OT systems. It’s important that all applicable staff members are thoroughly prepared to create defenses, identify incidents that can occur and respond effectively to cyberattacks.
To help ensure there is the right mix of OT professionals, organizations should be hiring a mix of different backgrounds with skills in infrastructure development, cybersecurity professionals, control system engineers, field operations staff and asset managers.
Creating safer OT systems
The “Principle of Operational Technology Cybersecurity” document is a helpful framework that should be used to help build and maintain safer OT systems. By following the principles outlined, organizations can strengthen their cybersecurity posture and continue to ensure the integrity of essential public services.