NSA Releases 6 Principles of OT Cybersecurity
Organizations can use this guide to make decisions about designing, implementing, and managing OT environments to ensure they are both safe and secure, as well as to enable business continuity for critical services.
The National Security Agency (NSA) joined cybersecurity agencies from Australia, Canada, Germany, Japan, the Netherlands, New Zealand, South Korea, and the United Kingdom to publish a guide outlining six principles that can be used to guide the creation and maintenance of a safe, secure critical infrastructure operational technology (OT) environment. “Principles of Operational Technology Cyber Security” offers security practitioners ways to bolster the security of critical infrastructure, including water, energy, and transportation systems.
The document encourages organizations to determine whether making changes to their OT systems will impact or break any of the principles, which would likely introduce vulnerabilities into the OT environment, and to examine whether the right security controls are in place to mitigate risk.
The six principles are as follows:
Safety is paramount. While changes to corporate IT systems could disrupt business continuity, the stakes are higher for OT environments. Changes to critical infrastructure could lead to deadly threats to human life or significant damage to equipment or the environment. Failures of water and power infrastructure can be catastrophic for communities and individuals. To keep communities safe, OT managers should consider how systems can be restarted and backed up to minimize the potential for downtime. Thinking about safety and reliability needs to permeate all tasks, even the most common cyber-hygiene tasks.
Knowledge of the business is crucial. Teams should know what needs to be protected and what parts of the business are essential to providing services. And when leadership stakeholders are aware of cybersecurity concerns and practices, outcomes improve. In practice, activities supporting this principle could include creating cybersecurity incident response playbooks and business continuity plans that contain enough information. Color coding types of cables and identifying their functions so that practitioners can work quickly in an emergency is another idea.
OT data is extremely valuable and needs to be protected. Since OT infrastructure rarely changes, securing information about its configuration is paramount. Engineering configuration data (such as network diagrams), documentation outlining the sequence of operations, logic diagrams, and schematics provide adversaries with information to gain an in-depth knowledge of how the system works or how the network is structured. Even short-lived data, such as pressure gauge settings and voltage levels, can still provide insights into the organization’s activities, customer behavior, and the overall OT environment. OT data should be segregated from corporate environments and the Internet. Keep track of who has access to the data and when and how it is accessed.
Segment and segregate OT from all other networks. Entities should segment and segregate OT networks from the Internet and from IT networks to decrease the risk of compromise from the Internet or systems, like email or Web browsing. OT networks should also be segregated from vendors. For example, OT networks of electricity transmission networks (ETNs) could be connected to the OT networks of other ETNs or of vendors or electricity distribution networks. Networks could also be managed in corporate environments, allowing for greater risk.
The supply chain must be secure. Vendors present risk exposure that OT teams need to be aware of and minimize, and they must have awareness of all devices that touch the OT network, down to printers and terminals or building management systems, like HVAC. Know what’s where, who manages it, and what the cybersecurity maturity level of that vendor’s system may be.
People are essential for OT cybersecurity. In the event of a cybersecurity incident, trained OT professionals must be on hand to respond. A strong cybersecurity culture is imperative, as is having a diverse set of people with different skill sets, knowledge, and experience. Security culture should be emphasized across roles, including IT, control system engineers, field operations staff, and asset managers.
“Public safety and strengthening our cybersecurity posture are at the heart of this particular CSI [cybersecurity information sheet],” said Dave Luber, NSA cybersecurity director, in a statement. “The six principles of operational technology cybersecurity explored in this CSI are vitally important to anyone wanting to strengthen their cybersecurity posture and especially important for those who work in an operational technology environment supporting our nation’s critical systems.”
About the Author
Jennifer Lawinski is a writer and editor with more than 20 years of experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master’s degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.