In an attempt to help critical infrastructure operators protect themselves from hackers, the U.S. and six other countries have published security guidance for organizations that run operational technology, offering advice on everything from network segmentation to activity logging.
“Exposed and insecure OT connectivity is known to be targeted by both opportunistic and highly capable actors,” the authoring agencies — representing the U.S., Australia, Canada, Germany, the Netherlands, New Zealand and the United Kingdom — wrote in the document, “Secure connectivity principles for Operational Technology.”
Improving OT cybersecurity, the agencies added, “can challenge attackers’ efforts and raise the threshold necessary to cause physical harm, environmental impact, and disruption.”
The document is divided into eight sections, each covering a different OT security principle and offering specific recommendations and warnings. A chapter on risk management recommends phasing out obsolete technology that no longer receives security updates, as well as designing networks to remain resilient even after an OT asset failure. A chapter on protecting network boundaries recommends closing unused ports, using multifactor authentication and enforcing equivalent security measures for third-party vendors.
Other chapters describe how to limit risk exposure, centralize network connections for improved visibility and mitigate the impact of a hack. In the last of those chapters, the document recommends establishing segmented networks that restrict unnecessary communications and thus limit how far hackers can roam after breaching an enterprise.
The section on activity logging emphasizes that organizations should understand their network’s normal baseline so they can quickly identify anomalous behavior.
The document also includes links to other security guidance from the U.K.’s National Cyber Security Centre, the publication’s primary author.
Part of a series
The U.S. and Western allies have published a series of cybersecurity publications over the past several years, each aimed at underscoring the importance of basic security precautions for technology that is either new or mission-critical.
Last May, the FBI, the Cybersecurity and Infrastructure Security Agency and the National Security Agency collaborated with international partners on secure AI development guidance. Three months later, the three organizations, along with others, released a report on creating OT asset inventories, a vital first step in network defense. And last month, the agencies published advice for using AI in OT environments, warning that doing so required careful planning and oversight.
