Cybersecurity agencies from seven countries have collaborated to release new security guidance for operational technology (OT) systems. These guidelines are specifically tailored for cybersecurity professionals who work with OT equipment and systems. The document provides a structured, step-by-step approach, detailing the specific actions that OT security teams should take to effectively implement each principle. The guidance emphasizes that OT systems are vital for critical services like power, water, and manufacturing, and that their compromise can have serious real-world consequences on safety, the economy, and national resilience.
The new guidance defines a principles-based method aimed at helping organizations create and maintain a definitive record of their OT environment. This record covers all OT components (individual devices, controllers, software, and virtualized systems), each categorized by its criticality, its exposure, and its availability requirements. This structured approach helps ensure that every asset is accounted for and managed according to its importance.
In addition to asset classification, the document incorporates best practices for mapping other crucial aspects of OT asset management. This includes a detailed assessment of connectivity, which explains how assets interact within the OT network and with external systems, the protocols in use, and any operational constraints like latency or bandwidth limitations. The guidance also covers documenting the broader system architecture, including the segmentation of zones and conduits, resilience measures like redundancy, and the rationale behind critical design decisions.
Another key component is the assessment of the supply chain and third-party access. The document recommends outlining all vendors, integrators, and service providers connected to the environment, explaining how these relationships are managed, and detailing the security controls in place to protect these connections. Lastly, the guidance stresses the importance of clearly defining the business and impact context. This involves assessing the operational, financial, and safety consequences of any potential asset or connection failures or compromises.
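The four parts of the record described above (classified assets, connectivity, zones and conduits, third-party access and impact context) can be kept in a small structured inventory and checked for gaps. The following is an added example, not code from the guidance or any of the issuing agencies; the field names, the sample site and the gap rules are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Asset:
    asset_id: str
    kind: str                 # device, controller, software, virtualized
    zone: str
    criticality: str          # high / medium / low
    exposure: str             # isolated / enterprise / internet
    availability: str         # e.g. "24x7" or "maintenance-window"
    vendor: Optional[str] = None                    # third party with access
    access_controls: list = field(default_factory=list)
    impact: dict = field(default_factory=dict)      # safety / financial / operational

@dataclass
class Connection:
    src: str
    dst: str
    protocol: str
    max_latency_ms: Optional[int] = None            # operational constraint, if any

def review_record(assets, connections, conduits):
    # conduits: set of frozenset zone pairs that have a documented conduit
    findings, by_id = [], {a.asset_id: a for a in assets}
    for a in assets:
        if a.criticality == "high" and a.exposure == "internet":
            findings.append(f"{a.asset_id}: high-criticality asset with internet exposure")
        if a.vendor and not a.access_controls:
            findings.append(f"{a.asset_id}: third-party ({a.vendor}) access with no documented controls")
        if a.criticality == "high" and not a.impact:
            findings.append(f"{a.asset_id}: no business/impact context recorded")
    for c in connections:
        s, d = by_id[c.src], by_id[c.dst]
        if s.zone != d.zone and frozenset({s.zone, d.zone}) not in conduits:
            findings.append(f"{c.src}->{c.dst} ({c.protocol}): crosses zones without a documented conduit")
    return findings

# Constructed sample record with placeholder names (not a real site)
SAMPLE_ASSETS = [
    Asset("PLC-01", "controller", "cell-1", "high", "isolated", "24x7", impact={"safety": "loss of interlock"}),
    Asset("HMI-01", "device", "cell-1", "medium", "enterprise", "24x7"),
    Asset("HIST-01", "software", "dmz", "medium", "enterprise", "maintenance-window", vendor="Integrator-A", access_controls=["jump host", "MFA"]),
    Asset("ENG-WS", "device", "engineering", "high", "internet", "maintenance-window", vendor="Vendor-B"),
]
SAMPLE_CONNECTIONS = [
    Connection("HMI-01", "PLC-01", "modbus-tcp", max_latency_ms=50),
    Connection("HIST-01", "PLC-01", "opc-ua"),
    Connection("ENG-WS", "PLC-01", "vendor-engineering-tool"),
]
SAMPLE_CONDUITS = {frozenset({"dmz", "cell-1"})}   # the only conduit with documented controls
```

Running `review_record(SAMPLE_ASSETS, SAMPLE_CONNECTIONS, SAMPLE_CONDUITS)` reports four gaps, all on the engineering workstation and its undocumented path into the cell zone.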
The collaborative effort behind this guidance includes agencies from the UK (NCSC), Australia (ASD), the US (CISA and FBI), Canada (Cyber Centre), New Zealand (NCSC-NZ), the Netherlands (NCSC-NL), and Germany (BSI). This document builds on a previous unified OT security taxonomy, which was signed by six of these seven countries just one month prior. The continued collaboration shows a unified international effort to strengthen cybersecurity for critical infrastructure.