U.S. security agencies and allies in other countries are laying out guideposts for organizations as they design and manage their operational technology (OT) environments, which are increasingly coming under attack by nation-states, financially motivated threat actors, and others.
A 14-page document issued this week by the group lays out six principles enterprises can adhere to for enhancing cybersecurity protections of critical infrastructure in a range of sectors that include water, energy, transportation, and health care.
The principles “are vitally important to anyone wanting to strengthen their cybersecurity posture and especially important for those who work in an operational technology environment supporting our nation’s critical systems,” Dave Luber, cybersecurity director for the U.S. National Security Agency (NSA), said in a statement.
The NSA, FBI, CISA, and Multi-State Information Sharing and Analysis Center (MS-ISAC) were the U.S. representatives contributing to “Principles of Operational Technology Cyber Security,” a Cybersecurity Information Sheet that also included security agencies from Australia, Canada, the UK, New Zealand, Germany, the Netherlands, Japan, and South Korea.
“Due to the extensive integration of OT in the technical environments of critical infrastructure organisations, and the complex structure of these environments, it can be difficult to identify how business decisions may affect the cyber security of OT, including the specific risks attributed to a decision,” they wrote in the document.
Those decisions can include adding new systems, processes, and services to the OT environment, choosing vendors and products, or developing business continuity and security-related plans. The decisions not only can determine how secure the environments are but how well critical services can hold up during and after an incident.
Critical infrastructure has been a key focus of the Biden Administration since President Biden in 2021 issued his executive order to strengthen the cybersecurity of both government agencies and private organizations. The White House lists 16 critical infrastructure sectors, including emergency services, the defense industrial base, food and agriculture, and IT.
Some sectors have come under attack from nation-state adversaries like China and Iran, including municipal water systems. China-based threat groups have been particularly active, most recently through an actor called Salt Typhoon, which has targeted internet service providers (ISPs) in the United States.
A report by Fortinet found that cyberattacks on OT environments are on the rise this year, even while their security postures are maturing and OT security is getting a spot at the executive table, with more organizations putting it under their CISOs.
In a survey of 550 OT professionals, 31% reported six or more intrusions, a significant jump from 11% in 2023. Phishing and business email compromise (BEC) were the most common incidents, and all intrusion types grew except for malware.
“Sensitive OT systems were not designed for today’s digital world,” the report’s authors wrote. “They were built for a time and place where they could safely do their thing in relative isolation. As the world changed around them, adopting transformative digital tools brought new conveniences and capabilities, along with all the cybersecurity risks that come with increased network connectivity.”
First among the principles outlined in the document released by the security agencies is that “safety is paramount,” with the authors noting that “in contrast to corporate IT systems, where leaders prioritise innovation and rapid development without concern of threat to life, operational cyber-physical systems’ leaders must account for threat to life in daily decision making. … The interconnected nature of critical infrastructure means that failures, whether by human error or malicious disruption through cyber means, may have wide ranging and unforeseen implications for the day-to-day function of society.”
That can include everything from explosions of flammable materials and “kinetic impacts” like speeding trains to biological hazards that threaten water supplies.
Other principles include having a deep understanding of the business so the organization can better prepare for and protect against cyber risks; recognizing that OT data is “extremely valuable” – to both the organization and to bad actors who can steal it – and needs to be protected; and keeping OT networks separate from all other networks. That means not only the internet and the organization’s own IT networks, but also less critical OT networks and the OT networks of other enterprises.
Critical infrastructure entities also need to ensure the security of their supply chains, which includes having a supply chain assurance program for equipment and software suppliers, vendors, and managed service providers (MSPs), particularly those with access to OT to deliver support.
The final principle is that people are important for OT cybersecurity. Organizations need a strong security culture.
“A cyber-related incident cannot be prevented or identified in OT without people that possess the necessary tools and training creating defences and looking for incidents,” the authors wrote. “Once a cyber-related incident has been identified in OT, trained and competent people are required to respond.”