Cybersecurity agencies from Australia, the U.S., and other international partners have published a guide describing six principles that guide the creation and maintenance of a safe, secure critical infrastructure OT (operational technology) environment. Titled ‘Principles of Operational Technology Cybersecurity,’ the document outlines that safety is paramount; knowledge of the business is crucial; OT data is extremely valuable and needs to be protected; segment and segregate OT from all other networks; the supply chain must be secure; and people are essential for OT cyber security.
These six principles intend to aid organizations in identifying how business decisions may adversely impact the cybersecurity of OT and the specific risks associated with those decisions. Filtering decisions that impact the security of OT will enhance the comprehensive decision-making that promotes security and business continuity. Global critical infrastructure organizations are encouraged to review the best practices and implement recommended actions that can help ensure that proper cybersecurity controls are in place to reduce residual risk in OT decisions.
Released on Tuesday, the Principles of Operational Technology Cybersecurity document has been authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), and co-sealed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), United Kingdom’s National Cyber Security Centre (NCSC-UK), Canadian Centre for Cyber Security (Cyber Centre), New Zealand’s National Cyber Security Centre (NCSC-NZ), Germany’s Federal Office for Information Security (BSI Germany), the Netherlands’ National Cyber Security Centre (NCSC-NL), Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA), the Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC).
The document emphasized that safety is paramount in physical environments, unlike corporate IT systems where leaders focus on innovation and rapid development without worrying about threats to life. Leaders of operational cyber-physical systems must consider threats to life in their daily decision-making.
“First-order hazards from critical infrastructure include high voltages, pressure releases or flammable explosions, kinetic impacts (e.g., speeding trains), and chemical or biological hazards such as in water treatment,” the guide said. “Further, there are implications for citizens’ way of life if essential services such as energy and drinkable water supply are degraded or disrupted. The interconnected nature of critical infrastructure means that failures, whether by human error or malicious disruption through cyber means, may have wide-ranging and unforeseen implications for the day-to-day function of society.”
Safety of human life, safety of the plant equipment, safety of the environment, and the need to maintain reliability and uptime, are necessary systemic ways of thinking that need to permeate all tasks, even essential and common cyber hygiene tasks potentially considered unrelated,
The guide recognizes that knowledge of the business is crucial, as the more knowledge a business has about itself, the better that business can protect against, prepare for, and respond to a cyber incident. The higher in the organization there is understanding, visibility, and reporting of cyber risks, especially to OT systems, the better the outcome.
All critical infrastructure organizations should ensure they can identify the vital systems the organization needs to continue to provide their crucial services; understand the OT system’s process, and the significance of each part of the process; and create an architecture that allows those vital systems and processes to be defended from other internal and external networks.
They must also ensure that personnel responsible for designing, operating, and maintaining OT systems understand the business context that the OT system operates within, including the physical plant and process connected to the OT system and how it delivers services to stakeholders. Furthermore, they must understand the dependencies vital systems have to be able to operate and where they connect to systems external to the OT system.
The transnational document also acknowledges that OT data is extremely valuable and needs to be protected. From an adversary’s point of view, knowing how a system is configured, including devices and protocols used, is valuable since an OT environment rarely changes. This level of information allows a bad actor to create and test targeted malware, facilitating a greater range of possible malicious outcomes.
Of particular importance is engineering configuration data, such as network diagrams, any documentation on the sequence of operations, logic diagrams, and schematics. Such information is unlikely to change in five years and may last for 20 or more years. As such, engineering configuration data has enduring value and is highly valuable to an adversary. An adversary gaining in-depth knowledge of how an OT system works may be likened to the concept of prepositioning in a corporate IT environment, particularly in the sense of significance and the need to respond.
The document also emphasized the significance of transient OT data, such as voltage or pressure levels, as it can offer valuable insights into the organization’s activities, customer behavior, or the functionality of the control system. “Securing OT data is also important for the protection of intellectual property (IP) and personally identifiable information (PII), such as for metering in electricity, gas or water, or patient records in health. These other types of OT data, such as ephemeral OT values, IP, and PII, also need to be protected. However, OT personnel should also protect the engineering configuration data, which is critical to operations and valuable to malicious actors, but often overlooked,” it added.
The Principles of Operational Technology Cybersecurity document highlighted that the need for segmenting and segregating more critical functions and networks has been common advice for decades. Entities should segment and segregate OT networks from the internet and from IT networks, because the corporate IT network is usually assessed as having a higher risk of compromise due to its internet connectivity, and services like email and web browsing.
It noted that the initial additional area relates to the need to secure connections between the critical infrastructure organization’s OT network and other organizations’ OT networks. These connections from other organizations’ OT networks can be a backdoor into a critical asset, potentially bypassing levels of security protecting the OT network from corporate IT, and the internet. Critical Infrastructure organizations should segment and segregate their OT from all other networks. Fairly well understood in recent times is the need to protect and restrict OT networks from vendors.
Also well understood since 2017’s Hatman malware, is the need to separate more critical OT networks such as those essential to safety, from less critical OT networks. Less well understood is the need to protect and restrict OT networks from peers and services upstream and downstream.
The Principles of Operational Technology Cybersecurity guide emphasizes the importance of enhancing the security of supply chains, a recommendation that has been a focal point for some time. “That advice is covered in many prior and current publications, including the need to have a supply chain assurance program for suppliers of equipment and software, vendors, and managed service providers (MSPs), particularly when they have access to OT to provide support. The requirement to make supply chains more secure has often resulted in a level of rigor in assessing major vendors in an organization’s OT environment. While organizations should still follow existing advice, we call out some additional areas of particular concern for OT environments,” it added.
Lastly, the document noted that a cyber-related incident cannot be prevented or identified in OT without people having the necessary tools and training to create defenses and look for incidents. “Once a cyber-related incident has been identified in OT, trained and competent people are required to respond. A strong safety-based cyber security culture is critical to the ongoing cyber resiliency of OT systems. There is a need for each organization to reframe the requirements from these principles as workplace safety requirements, as opposed to cyber security requirements. Staff, particularly field technicians and all other members of operating staff, are often the front line of defense and detection for an organization.”
Some potential strategies prescribed by the document to enhance security awareness and a cyber-safe culture among staff include integrating cybersecurity into safety assessments, FAT, SAT, and engineering change management using methods like cyber-informed engineering and cyber PHA; encouraging staff to report suspicious behavior and conditioning them to consider cyber compromise when operational faults occur; and recognizing that traditional responses to faults (e.g., rebooting, resetting) may erase evidence of cyber incidents, necessitating new processes for cyber identification and investigation in OT.