Principles of Operational Technology Cyber Security

On October 1, 2024, cybersecurity agencies from Australia, the U.S., and other global partners released a guide titled "Principles of Operational Technology Cybersecurity." The document highlights six key principles for maintaining safe and secure critical infrastructure OT (Operational Technology) environments. These principles emphasize safety, the importance of understanding the business, the value of OT data, network segmentation, securing the supply chain, and the crucial role people play in OT cybersecurity.

The guide aims to help organizations assess how business decisions can affect OT cybersecurity and the associated risks. It encourages critical infrastructure sectors worldwide to adopt best practices to strengthen their cybersecurity defenses and reduce risks.

Authored by the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) and endorsed by multiple international cybersecurity agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the document stresses that safety is a primary concern for OT systems, given their potential impact on human life, plant equipment, and the environment. Unlike corporate IT, where innovation often takes priority, OT systems must always consider life-threatening risks when making decisions.

The document outlines six core guidelines to strengthen cybersecurity in OT (Operational Technology) environments, which are essential for critical infrastructure. The principles emphasize:

1. Safety as the top priority in OT environments, unlike IT systems, where innovation often overshadows security concerns.

2. Understanding business processes to improve protection and response to cyber incidents.

3. Securing OT data, which includes valuable and often static information such as engineering configuration data.

4. Segmenting OT networks from IT and other networks to limit exposure and prevent unauthorized access.

5. Ensuring a secure supply chain, with a focus on assessing vendors and managed service providers (MSPs).

6. Skilled personnel, who play a vital role in identifying and responding to cyber threats in OT environments.

The guide explains that understanding the business context is crucial. Organizations should know which systems are vital for delivering essential services, recognize the processes involved, and design architectures that safeguard these systems from external threats. Personnel responsible for OT systems should be well-versed in both the technical and business aspects of OT operations.

OT data, which includes configuration information, network diagrams, and operational metrics, is highly valuable and must be protected. This data often remains unchanged for many years, making it a prime target for attackers. In addition to protecting critical OT data, organizations must also safeguard intellectual property (IP) and personally identifiable information (PII), which can be exposed through metering and other OT functions.

The guide also stresses the importance of segmenting and segregating OT networks from corporate IT and the internet, as IT systems tend to be more vulnerable. Special attention should be paid to connections between OT networks and those of other organizations, as these can provide potential backdoor access for attackers.

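One practical way to verify that segmentation holds in operation is to compare observed network flows against a zone-to-zone allowlist, flagging any traffic that reaches the OT zone without passing through the intended intermediary. The following Python script is an added example, not code from the guide or from any of the agencies that authored it; the zone address ranges, the flow-record format, the "DMZ as the only conduit" policy, and the sample flows are all constructed for illustration, and the same approach applies to any zone model you define.

```python
"""Segmentation check: flag flows that cross zone boundaries outside the allowed conduits.

Added example, not from the OT principles guide. The zone model assumes that the
only permitted path between corporate IT (or a third party) and OT is via a DMZ,
which is one common way of applying the segmentation principle. All ranges and
flow records are constructed sample data.
"""
from ipaddress import ip_address, ip_network

# Hypothetical zone address ranges (constructed). Anything unmatched is "internet".
ZONES = {
    "corporate_it": [ip_network("10.10.0.0/16")],
    "dmz": [ip_network("10.20.0.0/24")],
    "ot": [ip_network("192.168.100.0/24")],
    "third_party": [ip_network("172.16.5.0/24")],
}

# Permitted (source zone, destination zone) conduits. Note that neither
# corporate IT, third parties nor the internet may talk to OT directly;
# every such path must terminate in the DMZ first.
ALLOWED_CONDUITS = {
    ("corporate_it", "corporate_it"),
    ("corporate_it", "dmz"),
    ("dmz", "corporate_it"),
    ("dmz", "ot"),
    ("ot", "dmz"),
    ("ot", "ot"),
    ("third_party", "dmz"),
    ("dmz", "third_party"),
}


def zone_of(addr):
    """Map an IP address to its zone name; unknown addresses count as internet."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


def parse_flow(line):
    """Parse a constructed flow record of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def check_flows(lines):
    """Return the flows whose (src_zone, dst_zone) pair is not an allowed conduit."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        pair = (zone_of(flow["src"]), zone_of(flow["dst"]))
        if pair not in ALLOWED_CONDUITS:
            violations.append({**flow, "src_zone": pair[0], "dst_zone": pair[1]})
    return violations


# Constructed sample flow records (comments describe the intended zone crossing).
SAMPLE_FLOWS = [
    "10.10.4.7 10.20.0.5 tcp 443",          # IT -> DMZ: allowed
    "10.20.0.5 192.168.100.12 tcp 502",     # DMZ -> OT: allowed
    "10.10.4.7 192.168.100.12 tcp 502",     # IT -> OT directly: violation
    "172.16.5.9 192.168.100.30 tcp 3389",   # third party -> OT directly: violation
    "8.8.8.8 192.168.100.12 tcp 502",       # internet -> OT: violation
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {v['src_zone']} -> {v['dst_zone']}: "
              f"{v['src']} -> {v['dst']} {v['proto']}/{v['dport']}")
```

Running the script over the sample records reports three violations: the direct IT-to-OT flow, the third-party flow that bypasses the DMZ, and the internet-sourced flow. In a real deployment the zone table would be generated from the organization's asset inventory, and the flow lines would come from firewall or NetFlow exports; the allowlist itself becomes the documented statement of which inter-organizational connections are sanctioned.
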
Securing the supply chain is another critical focus. Organizations should rigorously assess the security of their vendors, suppliers, and managed service providers, especially those with access to OT environments.

Finally, the document underscores the importance of well-trained personnel in preventing, detecting, and responding to OT cybersecurity incidents. A strong cybersecurity culture, particularly among field technicians and other operational staff, is essential for maintaining the security and resilience of OT systems. Organizations are encouraged to integrate cybersecurity into safety assessments, to have staff report suspicious activity, and to treat cybersecurity as part of everyday operations.