“Due to the extensive integration of OT in the technical environments of critical infrastructure organisations, and the complex structure of these environments, it can be difficult to identify how business decisions may affect the cyber security of OT, including the specific risks attributed to a decision,” they wrote in the document. The principles “are vitally important to anyone wanting to strengthen their cybersecurity posture and especially important for those who work in an operational technology environment supporting our nation’s critical systems,” Dave Luber, cybersecurity director for the U.S. National Security Agency (NSA), said in a statement. First among the principles outlined in the document released by the security agencies is that “safety is paramount,” with the authors noting that “in contrast to corporate IT systems, where leaders prioritise innovation and rapid development without concern of threat to life, operational cyber-physical systems’ leaders must account for threat to life in daily decision making. U.S. security agencies and allies in other countries are laying out guideposts for organizations as they design and manage their operational technology (OT) environments, which are increasingly coming under attack by nation-states, financially motivated threat actors, and others. A 14-page document issued this week by the group lays out six principles enterprises can adhere to for enhancing cybersecurity protections of critical infrastructure in a range of sectors that include water, energy, transportation, and health care. The NSA, FBI, CISA, and Multi-State Information Sharing and Analysis Center (MS-ISAC) were the U.S. representatives contributing to “Principles of Operational Technology Cyber Security,” a Cybersecurity Information Sheet that also included security agencies from Australia, Canada, the UK, New Zealand, Germany, the Netherlands, Japan, and South Korea. Other principles include organizations having a deep understanding of their business to allow them to better prepare for and protect against cyber risks, knowing that OT data is “extremely valuable” – to both the organization and bad actors if they can steal it – and needs to be protected, and keeping OT networks separate from all other networks. Critical infrastructure entities also need to ensure the security of their supply chains, which includes having a supply chain assurance program for equipment and software suppliers, vendors, and managed service providers (MSPs), particularly those with access to OT to deliver support. Critical infrastructure has been a key focus of the Biden Administration since President Biden in 2021 issued his executive order to strengthen the cybersecurity of both government agencies and private organizations. A report by Fortinet found that cyberattacks on OT environments are on the rise this year, even while their security postures are maturing and OT security is getting a spot at the executive table, with more organizations putting it under their CISOs. The White House lists 16 critical infrastructure sectors, including emergency services, the defense industrial base, food and agriculture, and IT. Those decisions can include adding new systems, processes, and services to the OT environment, choosing vendors and products, or developing business continuity and security-related plans.
This Cyber News was published on securityboulevard.com. Publication date: Thu, 03 Oct 2024 00:43:05 +0000