US, Allies Release Guidance on Securing OT Environments

New guidance provides information on how to create and maintain a secure operational technology (OT) environment.

New guidance from government agencies in the US and allied countries provides organizations with details on how to design, implement, and manage safe and secure operational technology (OT) environments.

OT is deeply integrated into critical infrastructure organizations’ complex environments, and business decisions such as adding new processes, services, or systems, selecting vendors for support, or developing business continuity and security-related plans may affect the cybersecurity of OT.

The new guidance (PDF) from government agencies in Australia, Canada, Germany, Japan, Korea, New Zealand, the US, and the UK details six principles for secure OT: paramount safety, knowledge of the business, OT data value and protection, OT segmentation, secure supply chain, and the importance of people for OT cybersecurity.

“The authoring agencies recommend an OT decision maker apply the six principles presented in this document to help determine if the decision being made is likely to adversely impact the cyber security of the OT environment,” the guidance reads.

Decisions that break one or more principles likely introduce vulnerabilities and need to be either reconsidered or closely examined so that cybersecurity controls can be put in place to keep the risks manageable. Filtering decisions that affect OT security will result in the adoption of decisions promoting safety, security and business continuity, the authoring agencies say.

They also point out that organizations should ensure they have a deep understanding of their OT systems and processes, that cyber incidents are thoroughly investigated and safely responded to, that comprehensive patching processes are implemented, and that OT data is protected to the level of the OT system, given its critical importance and the fact that it rarely changes.

Furthermore, they should ensure that OT networks are segmented and segregated from IT networks and from the internet, and that they have a supply chain assurance program covering vendors and MSPs, especially if they have access to OT to provide support.

“A cyber-related incident cannot be prevented or identified in OT without people that possess the necessary tools and training creating defenses and looking for incidents. Once a cyber-related incident has been identified in OT, trained and competent people are required to respond,” the document reads.


The guidance, the authoring agencies point out, is aimed at all personnel involved in making decisions affecting OT, from leadership to the technical personnel. All critical infrastructure organizations are advised to review security best practices and implement recommended actions to improve OT security.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
