New Guidance Calls on OT Operators to Create Continually Updated System Inventory


Cybersecurity agencies in several countries have teamed up to create new guidance for operational technology (OT) organizations, specifically for building and maintaining a definitive view of their architecture.

In mid-August, agencies from the United States, Canada, Australia, New Zealand, the Netherlands, and Germany released asset inventory guidance for OT owners and operators. 

Joined by the United Kingdom, these countries have now published a follow-up document that explains how organizations can use asset inventories, SBOMs and other data sources to create and maintain definitive records: a collection of continually updated documents that together represent an accurate and current view of their OT systems.

“Establishing a definitive record of your organisation’s OT will allow you to effectively assess risks and implement the proportionate security controls. Rather than focusing solely on individual assets, a holistic approach enables you to consider the broader context which leads to a better assessment of the criticality and potential impacts of compromises,” the guidance explains. 

The authoring agencies acknowledge that creating a definitive record of all OT systems can be complex and time consuming, and recommend prioritizing systems based on their impact on business functions and potential national impact, on third-party connections that can change configurations or directly control processes, and on the overall exposure of the system.

The guidance focuses on five principles. The first concerns defining processes for establishing and maintaining a definitive record. This includes establishing data sources, setting up a process for validating the collected information, and determining how the definitive record will be maintained.

The second principle concerns establishing an OT information security management program. Because the definitive record will contain information that is highly valuable to threat actors, organizations need to establish the scope of the program, determine the value of the OT information to an attacker, and ensure that the information is secured accordingly.

The third principle focuses on identifying and categorizing assets to support informed, risk-based decisions. This includes defining the criticality, exposure, and availability of each asset, enabling the organization to make effective decisions when considering new or updated security controls.


Identifying and documenting connectivity within the OT network is covered by the fourth principle. Organizations need to determine asset communication requirements, determine which communication protocols are required and how to secure them, identify which architectural security controls are currently implemented, document network constraints, and determine whether existing security controls could be bypassed by an attacker in the event of a compromise.

The fifth and final principle focuses on documenting third-party risks to OT systems. This involves determining the level of trust for each entity associated with an external connection, contractual requirements imposed by the third party, and whether the third party is installing equipment for out-of-band access.

“Maintaining updated OT systems is vital for effective cybersecurity protection since security teams cannot detect vulnerabilities, apply controls, or respond effectively to incidents without a clear understanding of which assets exist, how they’re connected, or what roles they play,” Joshua Roback, principal security solution architect at Swimlane, told SecurityWeek.

“One key takeaway from the guidance includes fostering coordination between OT and IT teams. This is especially important now, as the two traditionally separate domains now face multiple shared threats, including the rise of insider threats and the growing popularity of ransomware groups like ShinyHunters and Scattered Spider,” Roback added. “Combined efforts between the two teams can bridge IT teams’ knowledge of cybersecurity practice and OT teams’ knowledge of industrial processes and operational constraints to create a vastly improved OT architecture that benefits organizations as a whole.”
