Principles of Operational Technology (OT) Security Guide

This publication defines principles for operational technology (OT) cyber security and best practices to mitigate cyber threats. It was developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in cooperation with the following international partners:

  • United States (US) Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
  • United Kingdom’s National Cyber Security Centre (NCSC-UK).
  • Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment (CSE).
  • New Zealand National Cyber Security Centre (NCSC-NZ).
  • Germany’s Federal Office for Information Security (BSI Germany).
  • Netherlands’ National Cyber Security Centre (NCSC-NL).
  • Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA).
  • Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC).

Critical infrastructure organisations provide vital services, including supplying clean water, energy, and transportation, to the public. These organisations rely on operational technology (OT) to control and manage the physical equipment and processes that provide these critical services. As such, the continuity of vital services relies on critical infrastructure organisations ensuring the cyber security and safety of their OT.

Due to the extensive integration of OT in the technical environments of critical infrastructure organisations, and the complex structure of these environments, it can be difficult to identify how business decisions may affect the cyber security of OT, including the specific risks attributed to a decision. Decisions may include introducing new systems, processes, or services to the environment; choosing vendors or products to support the technical environment; and developing business continuity and security-related plans and playbooks. This document is designed to assist organisations in making decisions for designing, implementing, and managing OT environments to ensure they are both safe and secure, as well as enable business continuity for critical services. The guidance is of moderate technical complexity and assumes a basic understanding of OT cyber security.


The 6 Key Principles For OT Cybersecurity

The document describes the 6 principles that guide the creation and maintenance of a safe, secure critical infrastructure OT environment. They are:

  1. Safety is paramount
  2. Knowledge of the business is crucial
  3. OT data is extremely valuable and needs to be protected
  4. Segment and segregate OT from all other networks
  5. The supply chain must be secure
  6. People are essential for OT cyber security


How To Use This Document

The authoring agencies recommend an OT decision maker apply the six principles presented in this document to help determine if the decision being made is likely to adversely impact the cyber security of the OT environment. If a decision impacts or breaks one or more of the principles of OT cyber security outlined in this document, then it will likely introduce a vulnerability to the OT environment. Such a decision therefore needs to be examined more closely to make sure the right cyber security controls are put in place and that the residual risk after the controls are put in place is acceptable, or, alternatively, the proposal is reconsidered. Quickly filtering decisions to identify those that impact the security of OT will enhance the making of robust, informed, and comprehensive decisions that promote safety, security and business continuity when designing, implementing, and managing OT environments.

The authoring agencies recommend OT decision makers read and understand each principle. This document is intended to be useful for all personnel who need to filter decisions affecting OT, from the leadership of an organisation (including the executives and board members making strategic decisions) down to the technical personnel making tactical and operational decisions.


Download the complete guide here

Download the quick reference guide here

Trishanth Sakthi

Technical founder who is working on a couple mvp’s with A level classmates

4 months

Critical infrastructure protection is no longer just a best practice—it’s an absolute necessity. As OT systems bridge the gap between digital operations and essential services like energy, water, and transportation, ensuring their security becomes paramount. The principles shared by the Australian Signals Directorate provide a solid framework to mitigate rising cyber threats. The emphasis on segmentation, supply chain security, and human factors reflects a holistic approach to OT security. It’s great to see collaborative efforts like these driving forward global cybersecurity standards!

OK Boštjan Dolinšek

Fernando A Casso Rodriguez

Systems engineer and civil aviation enthusiast.

5 months

Great resource, and great joint effort of all entities involved! As an engineer in the aviation sector, we have traditionally air gapped our networks, but as new technology requires ever increasing connectivity, it's very useful to see guides like this help us keep OT networks separate from IT. Thank you for the post.

Luis N. Cervantes

Full Stack Developer | Software Developer | Scrum Master | Business Intelligence (BI)

5 months

What a great resource!

Pablo Olivares Null

Generic Analyst - Specialised in Software

5 months

I agree
