After releasing guidelines to help critical infrastructure providers effectively secure and protect their operational technology (OT) systems, the Australian Signals Directorate’s Australian Cyber Security Centre told organizations that provide critical infrastructure to use the principles to inform the design, implementation, and management of IT ecosystems and the supply chains that support such essential services. The initiative is expected to help prevent cyber threats and address risks that could be potentially faced.
The ACSC’s ‘Principles of Operational Technology Cyber Security’ document provides a framework for securing OT systems, crucial for national security. Strengths include comprehensive coverage, adaptability, and a focus on risk management, while drawbacks include limited attention to emerging technologies and complexity in legacy systems. Challenges in IT-OT integration include differing priorities, and incompatible systems while ensuring communication, and preparing for AI-driven threats, IoT devices, and 5G networks is essential. Organizations can effectively implement the ACSC’s principles and enhance OT cybersecurity resilience by addressing these issues.
The six OT Principles are safety is paramount, knowledge of the business is crucial, OT data is extremely valuable and needs to be protected, OT must be segmented and segregated from all other networks, the supply chain must be secure, and people are essential for OT cyber security.
These OT principles stress integrating cybersecurity into OT environments to boost resilience against cyber threats and offer a comprehensive framework for OT security, promoting a proactive stance. However, varying organizational maturity in implementation can create security blind spots. IT-OT integration presents challenges and opportunities; aligning different security protocols and cultures is difficult, but successful integration enhances security.
Identifying that the Australian Government is dedicated to protecting Australia’s critical infrastructure to secure the essential services all Australians rely on, an ASD spokesperson told Industrial Cyber that designing robust cyber security measures for industrial control systems within OT environments is vital to protect the safety, availability, integrity, and confidentiality of these essential services.
“The Principles of OT Cyber Security were designed to assist decision-makers at all levels to give appropriate weight to cyber security risks and best secure their systems,” according to the spokesperson. “The principles aim to help leaders, developers, and other stakeholders make robust, informed decisions when designing, implementing, and managing cyber security risks in OT environments.”
The spokesperson added that ASD’s ACSC consulted broadly in developing the Principles of OT Cyber Security, which were co-sealed by a range of ASD’s international partners.
Weighing in on ACSC’s OT Principles
Industrial Cyber consulted with industrial cybersecurity specialists to assess how the Australian Cyber Security Centre’s ‘Principles of OT Cyber Security’ influence the cybersecurity stance of OT environments within the industry. Additionally, they aimed to pinpoint the most crucial principles pertinent to the sector.
“At the McCrary Institute, we research and work to mitigate risks across all critical infrastructure sectors, and have recently released a report we hope will guide the next presidential administration in how to secure critical infrastructure from cyber threats,” Kyle D. Klein, deputy director for policy and partnerships at the McCrary Institute for Cyber and Critical Infrastructure Security, told Industrial Cyber. “Having said that, I think the sixth principle shared in the ACSC report, that people are essential for OT cybersecurity, is key. No matter the sector, the knowledge individuals have to identify and respond to cyber incidents within their own networks and systems is critical.”
The Principles as a whole are an important addition to the conversation around the difference between information technology (IT) and OT and how those differences impact cybersecurity considerations, Annie Fixler, director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies (FDD) told Industrial Cyber. “The principles themselves are not surprising or novel for anyone working in OT security and critical infrastructure resilience, but this is precisely why they are core principles.”
“The final principle, ‘people are essential for OT cyber security,’ places an important marker that cybersecurity is not solely a technology problem,” Fixler added. “No amount of capital expenditure to buy new technology products will mitigate cybersecurity risks if companies do not have the trained personnel to respond, mitigate, and recover from cyber incidents.”
Michael Murphy, director for OT and critical infrastructure for APAC at Fortinet identified that “Ultimately, these newly documented principles are fundamental to the protection of our national Critical Infrastructure (CI) and the underpinning OT – None should be neglected or deprioritized. The threat is realized, Australia is and has been exposed to a number of diverse cyber security threat actors that are highly sophisticated and deeply motivated.”
Murphy noted that the newly released ACSCs principles benefit CI and OT owners/operators who seek to discover commonly shared values and objectives with industry-recognized methodologies to enhance operational resilience without disrupting critical services that the public frequently takes for granted.
Identifying strengths, weaknesses, and blind spots
The executives examine the key strengths and potential weaknesses of these OT cybersecurity principles in protecting critical infrastructure, identifying any missing or underemphasized aspects.
“I think the most compelling strength I see is the usability and practicality of these principles and the examples laid out in the report. The structure of this document is such that any organization should be able to take action based on these principles, which is incredibly helpful,” Klein mentioned. “For instance, the example of not allowing a more critical environment to be governed by a less critical environment is a very important food for thought for anyone reading this document. Nothing jumps out at me as missing, and I think the breadth of co-sealed international partner agencies speaks to this document’s strength.”
Klein added, “What I will say, and this is something we mention in our own report, is that the growing focus on OT cybersecurity highlights the need for specialized knowledge and tailored coordination mechanisms.”
Fixler said that she would have liked to see a greater focus on supply chains. “While the principles highlight that ‘the supply chain must be secure,’ they do not leverage other existing work the Biden administration and its partners and allies are doing to push manufacturers of critical infrastructure operational technology to build devices with security features baked in. These initiatives include the Secure by Design and Secure by Default efforts led by the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy-led effort to strengthen the cybersecurity of energy supply chains in conjunction with G7 partners.”
“Critical infrastructure owners and operators can only do so much if the products they buy contain cybersecurity vulnerabilities and if the manufacturers do not support patches and updates during the full lifecycle of the device,” according to Fixler. “Instead, the Principles focus on purchasing from trusted vendors. This is important but not sufficient. Too often, well-established, multinational original equipment manufacturers are creating products that are insecure. The onus must also be on vendors to critical infrastructure organizations to build products that are engineered with cybersecurity in mind.”
Murphy observed that, within many customer environments, IT supports the business and OT is the business. “When this distinction is made organizations discover that delegation of ownership and accountability is simplified. The principles outlined are complementary to the ongoing commitment of meeting baseline and enhanced operational resilience.”
“We have observed customers who take the initiative to ‘hug the cactus’ and simply start to invest time, energy and effort to protect OT benefit from both anticipated (Cyber Threat Resilience) and unanticipated (Competitive Advantage) benefits,” Murphy added. “Organizations that are adopting these principles will benefit further when considering the ability to differentiate between a simple network anomaly and/or cyber incident associated with malicious manipulation vs non-malicious (degraded physical hardware or failure).”
Challenges and opportunities of OT cybersecurity integration
The executives evaluate how ready organizations in the industry are to integrate these principles into their existing cybersecurity frameworks, and the impact of organizational culture and cybersecurity maturity on the effective adoption of OT cybersecurity measures.
Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security, told Industrial Cyber that “there is growing awareness and focus on OT security, which is a good thing, and I would underscore that the level of preparedness can vary widely across sectors, depending on a number of factors like resources, awareness, and technical understanding.”
He added that the culture of an organization, and affiliated cybersecurity maturity, play a massive role in the adoption of OT cybersecurity. “The organization has to have made this a priority in order to be proactive in protecting their networks and understanding how an OT compromise will impact their business or service.”
Fixler assesses that the cybersecurity maturity of critical infrastructure organizations varies widely within sectors let alone across sectors. “The Principles, however, are structured so that regardless of an organization’s maturity, it can begin adopting these best practices. The document not only explains the overarching idea but then provides examples of how the principle can be applied.”
“My interactions with OT security leaders in the energy sector confirm that these types of experts are already sold on the ideas outlined in the new Principles,” she added.
The biggest challenge for them is often the buy-in and investment from the c-suite and boards of their companies, Fixler highlighted. “To the extent that the concepts in this document are presented in a way that is easily accessible to c-suites and easily understood by decision-makers within companies, it can have a significant impact on the security and resilience of critical infrastructure.”
“Consistent, thorough, and systematic reviews and assessments of architectural pathways being adopted to secure and optimize OT and critical infrastructure networks is a key focus area,” Murphy assessed. “These newly released principles highlight the importance of protecting not only the legacy and brittle systems which have been sweated in the field, but also the newly adopted technology that conforms to the principles of secure by design, secure by deployment, and secure by demand.”
He also noted that IT and OT integration and convergence is not a new phenomenon, and as a result, end-users, and owners and operators must assess not only the current technologies that they have adopted but also the future roadmap for services and support.
Bridging the gap: IT-OT integration challenges in cybersecurity
The executives examine how the integration of IT and OT systems complicates adopting these principles, identify specific challenges faced or anticipated, and assess whether organizations have the necessary resources and skills to address these issues.
“As the ACSC report mentions, it is critical to segment certain OT systems in order to protect them from compromise,” Cilluffo said. “I think any organization can better protect themselves by adopting the principles laid out here, but it will take dedicated focus to truly assess and evaluate what OT systems are crucial to the core functioning of the enterprise and who within the organization knows how to operate them. We have got to get to the point where we can provide unified visibility across both IT and OT systems.”
The Principles acknowledge the convergence of IT and OT systems, and thus include ‘segment and segregate OT from all other networks’ as one of the core six principles, Fixler said. “This is actually the longest section of the document because it is the most nuanced. The idea that OT systems are ‘air-gapped’ or ‘not connected to the internet’ is unrealistic. Devices that are managed remotely are connected to some sort of communications system. If a company is not laying its own fiber network, it is using the internet or some other wireless network.”
She added that instead of focusing on completely disconnecting, the Principles rightly focus on how OT systems are connected and where privileges and settings are managed so that hackers cannot jump from compromised business environments to OT networks.
“No matter where CI and OT owners and operators are on the journey to cyber reliance and network optimization, these principles can be applied at any stage,” Murphy said. “Fortunately, in many end-user and operator cases, the Security of Critical Infrastructure Act (2018) provided a platform and blueprint for the adoption of these principles complimentary to holistic all hazards resilience. These building blocks of comprehensive IT and OT asset visibility, the ability to identify and report a malicious cyber-attack, and enhanced end-user awareness and training activities benefit from common business and operational values.”
OT cybersecurity evolution: Preparing for AI, IoT, and 5G challenges
The executives look into the anticipated long-term benefits of implementing these OT cybersecurity principles for national security and infrastructure resilience. They also consider potential new threats or vulnerabilities that could arise as more organizations adopt these principles, particularly in light of emerging technologies such as AI, IoT, and 5G in OT environments.
Cilluffo thinks that these principles are a great step for critical infrastructure owners and operators to begin thinking about how they protect their OT systems and processes. “This report will undoubtedly be built upon in the coming years as new threats and vulnerabilities inevitably emerge. Systems are only further converging and becoming more interdependent, and, with that, the attack surface and associated risk continue to change and grow.”
“The principles of OT cybersecurity are rather agnostic to technological innovation,” according to Fixler. “Safety is paramount whether systems use 4G or 6G. Segmentation of OT and IT networks is critical whether hackers use artificial intelligence to help develop their malware or not. If anything, the principles will only become more important as emerging technologies like quantum computing provide adversaries with enhanced capabilities.”
Murphy identified that many OT owners/operators are siloed in their approach to addressing cyber risk, predominantly due to a thorough understanding of the goods and services that they produce, generate, and/or deliver. “Mandates, initiatives, and trusted recommendations strengthen our collective position to proactively mitigate threats against our national security and sovereign defensive capabilities. The global partners that collaborated on this document highlight the value of open communication, information, and intelligence sharing across regions,” he concluded.