In an age of growing convergence of information technology (IT) and operational technology (OT) systems, it is more important than ever to ensure that both are sufficiently protected against cyberthreats. Recent attacks on critical infrastructure like water utilities and telecommunications highlight pressing OT vulnerabilities.
These growing risks with global stakes have prompted seven international agencies to collaborate in an effort to protect essential systems. The National Cyber Security Centre (NCSC) organizations of the UK, New Zealand, and the Netherlands, the Australian Signals Directorate (ASD), the US Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security (Cyber Centre), the US Federal Bureau of Investigation (FBI), and Germany’s Federal Office for Information Security have jointly produced new guidance on securing OT environments.
The Five Core Principles
The new guidance lays out five core principles in detail for maintaining the visibility and understanding necessary to protect OT environments against rising threats. The principles are:
- Definitive Record: Establishing and maintaining a master source of truth for all components of an OT environment, including hardware, software, and virtual systems.
- Security Management Program: Building a structured OT information security framework to protect the definitive record and OT information.
- Asset Identification and Categorization: Supporting risk-based decision making by identifying and classifying assets based on criticality, exposure, and availability.
- Connectivity Mapping: Documenting system interdependencies, protocols, and operational constraints to maintain visibility into connections within the system.
- Third-Party Risks: Managing risks by understanding and documenting external dependencies and supply chain exposures.
From Principles to Practice
While fundamental security principles are important for organizations to understand, they are not always easy to translate into practice. The new multi-national guidance turns abstract security principles into concrete, step-by-step tasks for organizations to follow, including the questions they should be asking and how to answer them along the way. This breaks the potentially overwhelming task of securing OT systems down into digestible actions.
Each section outlines not just the relevant OT security ideas for security experts to interpret and carry out, but also the specific routes for turning those ideas into plans. The guidance emphasizes continuous updates and audits to ensure ongoing OT resilience, rather than establishing compliance once and stopping there.
Global Context
The Five Eyes—Australia, Canada, New Zealand, the United Kingdom, and the United States—and partner nations Germany and the Netherlands joined forces on this guidance to address increasing risks. Widespread IT/OT convergence and globally interconnected systems mean that threats to critical infrastructure have global stakes, demanding coordinated defense as a deterrent to state and non-state threat actors. The collaboration of multiple nations is indicative of a growing need to protect the globally connected digital landscape.
This guidance builds on previous multi-national advisories by detailing the ways in which organizations can leverage information they may already have in order to maintain visibility and gain insight into their OT systems. “There is a shift and consensus towards prescriptive requirements across Five Eyes and international partners that points to enhancing visibility across OT environments as non-negotiable,” according to Kevin E. Greene, Chief Cybersecurity Technologist, Public Sector at BeyondTrust. “These prescriptive requirements will become foundational to inform the implementation of security controls like patching, segmentation, identity protection, and security monitoring.”
Impact for OT Practitioners
OT practitioners and defenders stand to benefit from this guidance in a number of ways if they take it to heart and look to it for advice on securing OT environments. It offers valuable information on establishing and maintaining practical capabilities such as system visibility, resilience, and incident response readiness.
Many organizations face barriers to adopting these principles, such as the difficulty and cost of updating legacy systems, limited resources for investing in new measures, and organizational silos that prevent full visibility. Vendors and third parties play an important role in supporting the implementation of the guidance.
Raising the Bar for Critical Infrastructure Security
The joint guidance demonstrates a crucial shift from reactive defenses to proactive resilience, emphasizing the necessity of establishing and maintaining effective measures to protect OT environments. Collective international action is more important than ever in an interconnected OT landscape. The guidance is intended as a living document that will evolve with emerging threats so that it continues to provide useful direction over time.