National cybersecurity agencies from seven countries, including the Five Eyes nations, have released new operational technology (OT) security guidance.
The new guidance, published on September 29, is addressed to cybersecurity practitioners working in organizations that deploy or operate OT equipment and systems.
Step-By-Step OT Security Guidance
This document is structured around five core principles to strengthen OT security:
- Define processes for establishing and maintaining the definitive record
- Establish an OT information security management programme
- Identify and categorise assets to support informed risk-based decisions
- Identify and document connectivity within your OT system
- Understand and document third-party risks to your OT system
The document provides step-by-step guidance, detailing the specific actions OT security teams should take to effectively apply each principle.
“OT systems keep the lights on, the water pumping, the manufacturing lines moving and our critical national services running. When these systems are compromised or disrupted, the real-world impacts affect safety, operations, the economy and even national resilience,” warned a spokesperson for the UK’s National Cyber Security Centre (NCSC), one of the guidance’s seven signatory agencies, in a public statement.
Establishing a Definitive Record of OT
The guidance defines a principles-based approach designed to help organizations create and maintain a “definitive record” of their OT environment.
This record encompasses all OT components, including individual devices, controllers, software and virtualized systems, which should be classified based on their criticality, exposure and availability requirements.
In addition to asset classification, the record incorporates best practices for mapping other key aspects of OT asset management.
This includes an assessment of connectivity, detailing how assets interact within the OT network and with external systems, the protocols in use and any operational constraints such as latency or bandwidth limitations.
The wider system architecture is also documented, covering the segmentation of zones and conduits, resilience measures like redundancy or high-availability configurations and the rationale behind critical design decisions.
Another key consideration is supply chain and third-party access: the record outlines the vendors, integrators and service providers connected to the environment, how these relationships are managed and the security controls in place to protect those connections.
Finally, the document explains that the business and impact context must be clearly defined, assessing the operational, financial and safety consequences of asset or connection failures or compromises.
Alongside the UK’s NCSC, the other participating agencies include the Australian Signals Directorate (ASD), the US Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security (Cyber Centre), the FBI, New Zealand’s National Cyber Security Centre (NCSC-NZ), the Netherlands' National Cyber Security Centre (NCSC-NL) and Germany’s Federal Office for Information Security (BSI).
This document comes one month after six of the seven above-mentioned countries signed the first unified OT security taxonomy.