Critical Infrastructure: Six Principles for OT Cyber Security
Cybersplice
Resilient Infrastructure for Operational Technology and Sensor Networks. Turning Targets into Tigers.
Essential services like water, energy, and transportation depend heavily on operational technology (OT). The security of these OT systems is paramount, as disruptions could have significant impacts on human life, the environment, and the functioning of society. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), in collaboration with international cybersecurity agencies, recently outlined six principles to guide the creation and maintenance of secure OT environments for critical infrastructure:
● Safety is Paramount: Recognizing that OT systems directly impact human life and environmental safety, this principle emphasizes a safety-first approach. Cyber security measures should not compromise the safe operation of critical infrastructure. For instance, organizations must consider the safety implications of a cyber incident, such as whether it's safe to send staff to a site after a breach or if restoring from a potentially compromised backup is a viable option. This safety-first mindset should extend to all tasks, including backups, asset discovery, patching, and change management.
● Knowledge of the Business is Crucial: A thorough understanding of the OT systems, processes, and their criticality to the organization's operations is vital. This includes identifying vital systems, understanding their dependencies, and recognizing potential vulnerabilities. Knowing what needs to be protected, including system architectures, asset lists, network diagrams, and recovery procedures, is paramount for implementing effective cybersecurity measures. Understanding the minimal set of equipment necessary for critical functions, like electricity generation, helps prioritize protection efforts. Regularly reviewing and updating incident response plans, playbooks, and third-party information packs is also crucial.
● OT Data is Extremely Valuable and Needs to be Protected: Recognizing that OT data, including engineering configurations, network diagrams, and operational data, is highly valuable to adversaries, this principle emphasizes data protection. Organizations must carefully control and secure data storage and access, considering both internal and external threats. Minimizing data distribution and storage locations, implementing strict information destruction protocols, and being vigilant about potential data leaks through vendors, consultants, or staff practices are essential.
● Segment and Segregate OT From All Other Networks: This principle emphasizes isolating OT networks from the internet, corporate IT networks, and even other organizations' OT networks to prevent unauthorized access and limit the potential impact of breaches. Connections from vendors, peers, and upstream/downstream service providers can act as backdoors for attackers, bypassing existing security measures. This principle underscores that the security of interconnected OT networks is only as strong as its weakest link. Additionally, organizations should carefully consider the placement and security of administrative and management systems, ensuring they are not vulnerable to compromise from less secure environments.
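The segregation principle above is easiest to enforce when it is written down as a policy that can be checked mechanically against the actual rule set. The following is an added example, not code from the ACSC guidance or from the original article: a small auditor for a zone-based firewall policy in which vendor and corporate access must terminate in an engineering DMZ (jump host) before anything reaches the OT control zone, no broad any-port allows cross into a more-trusted zone, and the control zone never initiates connections to the internet. The zone names, rule format and both sample rule sets are constructed for illustration; a production rule set would carry address ranges, stateful direction and logging, which this check ignores.

```python
"""Audit a zone-based firewall rule set for OT segregation violations.

Added example, not from the ACSC guidance or the original article.
Zone names, rule format and the sample rules below are constructed.
"""
from dataclasses import dataclass

# Zones from least to most trusted. OT_CONTROL must only be reachable from
# ENGINEERING_DMZ, where vendor/corporate access is terminated on a jump host.
TRUST_ORDER = ["INTERNET", "CORPORATE_IT", "VENDOR_VPN",
               "ENGINEERING_DMZ", "OT_CONTROL"]


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: str   # "any" or a port number such as "502" (Modbus/TCP)
    action: str     # "allow" or "deny"


def rule_violations(rules):
    """Return a list of (rule_name, reason) for every allow rule that
    breaches the segregation policy. Deny rules are never violations."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src = TRUST_ORDER.index(r.src_zone)
        dst = TRUST_ORDER.index(r.dst_zone)
        if r.dst_zone == "OT_CONTROL" and r.src_zone != "ENGINEERING_DMZ":
            # A direct path into the control zone is the "backdoor" the
            # principle warns about: it bypasses the DMZ controls entirely.
            findings.append((r.name, f"direct inbound path {r.src_zone} -> "
                                     "OT_CONTROL bypasses the engineering DMZ"))
        elif dst > src and r.dst_port == "any":
            # Crossing into a more-trusted zone should be per-protocol only.
            findings.append((r.name, f"any-port allow from {r.src_zone} into "
                                     f"more-trusted {r.dst_zone}"))
        elif r.src_zone == "OT_CONTROL" and r.dst_zone == "INTERNET":
            findings.append((r.name, "OT_CONTROL may initiate connections "
                                     "to the internet"))
    return findings


# Constructed "before" rule set: each of these is a pattern seen in flat
# IT/OT networks and each is flagged by the policy above.
WEAK_RULES = [
    Rule("corp-to-plc", "CORPORATE_IT", "OT_CONTROL", "502", "allow"),
    Rule("vendor-rdp", "VENDOR_VPN", "OT_CONTROL", "3389", "allow"),
    Rule("dmz-any", "ENGINEERING_DMZ", "OT_CONTROL", "any", "allow"),
    Rule("ot-updates", "OT_CONTROL", "INTERNET", "443", "allow"),
]

# Constructed "after" rule set: all access is staged through the DMZ, each
# allow names a single protocol, and the control zone never reaches out.
HARDENED_RULES = [
    Rule("corp-to-jump", "CORPORATE_IT", "ENGINEERING_DMZ", "443", "allow"),
    Rule("vendor-to-jump", "VENDOR_VPN", "ENGINEERING_DMZ", "22", "allow"),
    Rule("jump-to-plc", "ENGINEERING_DMZ", "OT_CONTROL", "502", "allow"),
    Rule("ot-to-historian", "OT_CONTROL", "ENGINEERING_DMZ", "5432", "allow"),
    Rule("default-deny", "INTERNET", "OT_CONTROL", "any", "deny"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {rule_violations(rules) or 'no violations'}")
```

Running the script against the two constructed sets reports four violations for the flat layout and none for the DMZ-staged layout. The same check can be run on a rule export from a real firewall once it is translated into the `Rule` shape, which is a useful addition to the change-management process the "People" principle describes.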
● The Supply Chain Must be Secure: Acknowledging that the entire OT supply chain, including vendors, service providers, and equipment manufacturers, can pose risks, this principle emphasizes the importance of supply chain security. Organizations should scrutinize all devices and software introduced into the OT environment, regardless of vendor size or perceived engineering significance. Knowing the source and provenance of all devices, verifying firmware integrity, and remaining vigilant about vendor practices that might introduce vulnerabilities are crucial.
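"Verifying firmware integrity" in the supply-chain principle means refusing to stage any image whose digest does not match what the vendor published, and equally refusing any image the vendor never listed at all. The following is an added example, not code from the ACSC guidance or the original article, showing that check over a constructed batch of images: the manifest format, file names and image bytes are made up for illustration, and a real vendor manifest would itself be signed and that signature verified before the digests are trusted (which the standard library alone cannot demonstrate here).

```python
"""Check firmware images against a vendor hash manifest before staging.

Added example, not from the ACSC guidance or the original article.
The manifest, file names and image contents below are constructed.
"""
import hashlib
import hmac

# Constructed vendor manifest: image name -> expected SHA-256 (hex).
# In practice this is obtained out of band from the vendor and its own
# signature is checked first; the digests are then the source of truth.
MANIFEST = {
    "plc-fw-2.4.1.bin": hashlib.sha256(b"plc firmware 2.4.1 (constructed)").hexdigest(),
    "hmi-fw-7.0.3.bin": hashlib.sha256(b"hmi firmware 7.0.3 (constructed)").hexdigest(),
}


def verify_image(name, data, manifest=MANIFEST):
    """Return (ok, reason) for one image. Unknown names are rejected for
    lack of provenance; digests are compared in constant time."""
    expected = manifest.get(name)
    if expected is None:
        return False, "no provenance: image not listed in vendor manifest"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch: image altered or wrong build"
    return True, "digest matches manifest"


def stage_batch(images, manifest=MANIFEST):
    """Check every image in a batch. Returns (approved_names, rejections)
    where rejections maps image name -> reason. A bad image is reported
    but does not block the good ones, so the decision stays with the
    change-management reviewer."""
    approved, rejections = [], {}
    for name, data in images.items():
        ok, reason = verify_image(name, data, manifest)
        if ok:
            approved.append(name)
        else:
            rejections[name] = reason
    return approved, rejections


# Constructed incoming batch: one genuine image, one image whose last byte
# was changed in transit, and one image from a device not in the manifest.
INCOMING = {
    "plc-fw-2.4.1.bin": b"plc firmware 2.4.1 (constructed)",
    "hmi-fw-7.0.3.bin": b"hmi firmware 7.0.3 (constructed!",
    "switch-fw-1.0.bin": b"unknown vendor image (constructed)",
}

if __name__ == "__main__":
    ok, bad = stage_batch(INCOMING)
    print("approved:", ok)
    for name, why in bad.items():
        print(f"rejected {name}: {why}")
```

On the constructed batch only the PLC image is approved; the tampered HMI image and the unlisted switch image are both rejected with distinct reasons, which is the distinction the principle draws between an altered artefact and one whose source is simply unknown.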
● People are Essential for OT Cyber Security: Highlighting the human element of cybersecurity, this principle emphasizes the need for a skilled and security-aware workforce. Developing a robust cybersecurity culture within the organization, especially among field technicians and operating staff, is crucial. This includes training, clear communication channels for reporting suspicious activity, and fostering an environment where staff feel empowered to raise security concerns without fear of blame. Organizations should integrate cybersecurity awareness into safety assessments, factory/site acceptance testing, and the engineering change management process.