ICS/OT Cyber Resilience – Federal and International Partners Release Guidance on Principles of OT Cybersecurity for Critical Infrastructure Organizations

Created: Thursday, October 3, 2024 - 15:17
Categories:
Cybersecurity, OT-ICS Security, Federal & State Resources

On Tuesday, CISA, the FBI, and the NSA joined eight international partners to publish a guide for critical infrastructure organizations called “Principles of Operational Technology Cyber Security”. The guidance is aimed primarily at the water, energy, and transportation sectors and outlines six principles for creating a safe and security-minded OT environment. The principles are intended to help organizations identify how business decisions may adversely affect the cybersecurity of OT, and the specific risks associated with those decisions. CISA encourages OT decision makers to apply these six principles when making decisions that may affect the cybersecurity of the OT environment. It further recommends that critical infrastructure organizations review the best practices and implement the recommended actions, which can help ensure that the proper cybersecurity controls are in place to reduce the residual risk of OT decisions.

Below are the six principles for OT decision makers. The descriptions provided for each principle are excerpts from the complete guide. For a more detailed and comprehensive explanation of each, refer to the full guide.

Principle 1: Safety is paramount.

Safety is critical in physical environments. In contrast to corporate IT systems, where leaders prioritize innovation and rapid development without concern of threat to life, operational cyber-physical systems’ leaders must account for threat to life in daily decision making (e.g. chemical or biological hazards in water treatment, drinkable water).

Principle 2: Knowledge of the business is crucial.

The more knowledge a business has about itself, the better that business can protect against, prepare for and respond to a cyber incident. The higher in the organization there is understanding, visibility and reporting of cyber risks, especially to OT systems, the better the outcome.

Principle 3: OT data is extremely valuable and needs to be protected.

From an adversary’s point of view, knowing how a system is configured, including devices and protocols used, is valuable since an OT environment rarely changes. This level of information allows a bad actor to create and test targeted malware, facilitating a greater range of possible malicious outcomes.

Principle 4: Segment and segregate OT from all other networks.

Segmenting and segregating more critical functions and networks has been common advice for decades. That advice is covered in many prior publications. Entities should segment and segregate OT networks from the internet and from IT networks, because the corporate IT network is usually assessed as having a higher risk of compromise due to its internet connectivity, and services like email and web browsing. We add to, rather than change, prior advice in two main areas.

Principle 5: The supply chain must be secure.

Making supply chains more secure has been a focus of advice for some time. That advice is covered in many prior and current publications, including the need to have a supply chain assurance program for suppliers of equipment and software, vendors and managed service providers (MSPs), particularly when they have access to OT to provide support. The requirement to make supply chains more secure has often resulted in a level of rigor assessing major vendors in an organization’s OT environment. While organizations should still follow existing advice, we call out some additional areas of particular concern for OT environments.

Principle 6: People are essential for OT cybersecurity.

Staff, particularly field technicians and all other members of operating staff, are often the front line of defense and detection for an organization. A cyber-related incident cannot be prevented or identified in OT without people that possess the necessary tools and training creating defenses and looking for incidents. Once a cyber-related incident has been identified in OT, trained and competent people are required to respond.