NSA Releases 6 Principles of OT Cybersecurity

Safety is paramount. While changes to corporate IT systems could disrupt business continuity, the stakes are higher for OT environments. Changes to critical infrastructure could lead to deadly threats to human life, or significant damage to equipment or the environment. Failures to water and power infrastructure can be catastrophic for communities and individuals. In order to keep communities safe, OT managers should consider how systems are able to be restarted and backed up to minimize potential for downtime. Thinking about safety and reliability needs to permeate all tasks, even the most common cyber hygiene tasks.

Knowledge of the business is crucial. Teams should know what needs to be protected and what parts of the business are essential to providing services. And when leadership stakeholders are aware of cybersecurity concerns and practices, outcomes improve. In practice, activities supporting this principle could be something like creating cybersecurity incident response playbooks and business continuity plans that contain enough information, or color coding types of cables and identifying their functions so that practitioners can work quickly in an emergency.

OT data is extremely valuable and needs to be protected. Since OT infrastructure rarely changes, securing information about its configuration is paramount. Engineering configuration data such as network diagrams, documentation outlining the sequence of operations, logic diagrams, and schematics provide adversaries with information to gain an in-depth knowledge of how the system works, or how the network is structured. Even short-lived data such as pressure gauge settings, and voltage levels can still provide insights into the organization's activities, customer behavior, and the overall OT environment. OT data should be segregated from corporate environments and the internet. Keep track of who has access to the data, how and when, and when and how it is accessed.

Segment and segregate OT from all other networks. Entities should segment and segregate OT networks from the internet and from IT networks to decrease the risk of compromise from the internet or systems like email or web browsing. OT networks should also be segregated from vendors. For example, OT networks of electricity transmission networks could be connected to the OT networks of other ETNs, or of vendors or electricity distribution networks. Networks could also be managed in corporate environments, allowing for greater risk.

The supply chain must be secure. Vendors present risk exposure that OT teams need to be aware of and minimize, and they must have awareness of all devices that touch the OT network, down to printers and terminals, or building management systems like HVAC. Know what’s where, who manages it, and what the cybersecurity maturity level of that vendor’s system may be.

People are essential for OT cybersecurity. In the event of a cybersecurity incident, there must be trained OT professionals on hand to respond. A strong cybersecurity culture is imperative, as is having a diverse set of people with different skill sets, knowledge and experience. Security culture should be emphasized across roles, including IT, control system engineers, field operations staff, and asset managers.