The Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC) has published a new set of principles to guide critical infrastructure providers on how to better secure and protect their operational technology (OT) systems.
Critical infrastructure organisations are advised to use the principles to inform the design, implementation and management of IT ecosystems and the supply chains that support essential services, so that those services are kept safe and secure from cyber threats and any potential risks are considered as required.
The six principles are:
- “Safety is paramount – Ensure the system is safe!
  - Safety is critical in physical environments. This includes safety of human life, safety of plant, equipment and the environment, and reliability and uptime of the process. Cyber security controls must be safe, and safety must be informed by the cyber threat environment.
- Knowledge of the business is crucial – Know and defend vital systems.
  - Knowing the business, knowing how processes work, knowing where connections are and what parts are critical, will help an organisation design and implement the most effective cyber security controls and response capabilities for the resources available. Organisations should be able to identify vital systems and have in place an architecture that defends them, and include a restoration and recovery process capable of meeting required business outcomes.
- OT data is extremely valuable and needs to be protected – Protect OT data.
  - For a malicious cyber actor, knowing how a system is set up, how the network is architected, how the controllers are configured, what vendors and devices are used, with which protocols, is like a treasure map for how to cause harm. Put processes in place to minimise access to and distribution of OT data, while ensuring integrity of the OT data.
- Segment and segregate OT from all other networks – Keep the back door shut.
  - Segment and segregate OT from all other networks, including peers, IT and the internet. Consider especially administrative and management role assignments in OT environments.
- The supply chain must be secure – Secure the cyber supply chain.
  - Supply chain security goes beyond software and devices from major vendors. Consider all software, devices and managed service providers in OT, including their support, management and maintenance, from purchasing and integration through to decommissioning and disposal.
- People are essential for OT cyber security – People are the first line of defence.
  - A cyber-related incident in OT cannot be prevented, defended against, identified, responded to and recovered from in a timely manner without people with the necessary tools and training looking for it, and able to competently respond to it. An investment in staff to create a collaborative team of trained and skilled people with necessary tools, supported by a mature and organisation-wide cyber security culture, is critical to an organisation’s cyber defences.”
“ASD has consulted with industry to develop Principles of operational technology cyber security, which have been co-sealed by our international intelligence partners,” a statement from the agency said.
“The principles are designed to help leaders, developers, and other stakeholders consider key cyber security risks in OT environments and actions they can take to secure their OT.
“You can use the principles for OT to identify and mitigate the cyber security risks within your operational technology and specific requirements.”
The principles were co-sealed by the:
- United States’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC);
- United Kingdom’s National Cyber Security Centre (NCSC-UK);
- Canadian Centre for Cyber Security (Cyber Centre);
- New Zealand’s National Cyber Security Centre (NCSC-NZ);
- Germany’s Federal Office for Information Security (BSI Germany);
- Netherlands’ National Cyber Security Centre (NCSC-NL);
- Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA); and
- Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC).