
Urgent New OT Security Mandate: Maintain Real-Time System Inventory

Summary

– Multiple countries’ cybersecurity agencies have jointly released new guidance for operational technology (OT) organizations to create and maintain a definitive record of their architecture.
– The guidance emphasizes establishing a holistic view of OT systems to better assess risks, criticality, and potential impacts of compromises rather than focusing on individual assets.
– Five key principles are outlined, covering processes for maintaining records, securing OT information, categorizing assets, documenting connectivity, and managing third-party risks.
– Creating a definitive OT record is complex and time-consuming, so organizations should prioritize systems based on business impact, national security, third-party connections, and system exposure.
– The guidance highlights the importance of coordination between OT and IT teams to combine cybersecurity expertise with industrial process knowledge for improved security architecture.

A new international directive is placing significant pressure on operational technology organizations to establish and maintain a real-time, accurate inventory of their entire system architecture. Cybersecurity agencies from the United States, Canada, the United Kingdom, Australia, New Zealand, the Netherlands, and Germany have jointly released updated guidance that moves beyond simply creating an asset list. The focus is now on developing a definitive record, a dynamic collection of documents that provides a continuously updated and precise view of all OT systems.

This definitive record is presented as the foundational element for effective cybersecurity. The guidance states that by establishing this holistic view, organizations can properly assess risks and implement security controls that are proportionate to the threat. Instead of focusing on individual assets in isolation, this approach allows security teams to understand the broader context, leading to a more accurate assessment of an asset’s criticality and the potential impact of a compromise.

The agencies acknowledge that building such a comprehensive record for all OT systems is a complex and time-consuming task. They recommend a prioritized approach, focusing first on systems that have the greatest impact on business functions, those with potential national significance, systems with third-party connections that can alter configurations or control processes, and assets with a high degree of overall exposure.

The published framework is built upon five core principles. The first principle involves defining the processes for both establishing and maintaining the definitive record. This includes identifying all relevant data sources, setting up a validation process for the collected information, and determining how the record will be kept current.

The second principle centers on establishing a dedicated OT information security management program. Given that the definitive record will contain information highly valuable to threat actors, organizations must clearly define the program’s scope, assess the value of their OT information from an attacker’s perspective, and implement robust measures to secure this sensitive data.

Identifying and categorizing assets to support informed, risk-based decisions forms the third principle. This step requires defining the criticality, exposure level, and availability requirements for each asset. This detailed categorization enables organizations to make effective decisions when considering new or updated security controls.

The fourth principle addresses the critical task of identifying and documenting all connectivity within the OT network. Organizations are advised to determine asset communication requirements, identify the necessary communication protocols and how to secure them, document existing architectural security controls, note any network constraints, and assess whether current security controls could be bypassed by an attacker during a compromise.

Finally, the fifth principle focuses on documenting risks introduced by third parties. This involves determining the level of trust for every entity with an external connection, understanding the contractual requirements imposed by the third party, and identifying whether any third party is installing equipment that could provide out-of-band access.
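One way to model such a definitive record and apply the prioritization the agencies describe, as an added Python example that is not part of the guidance or the article; the record schema, the 1-5 scales, the scoring weights and the sample assets are all assumptions constructed for illustration:

```python
from dataclasses import dataclass, field
# Schema constructed for this example; the guidance prescribes no format.
@dataclass
class Connection:
    peer: str          # remote system or organisation
    protocol: str      # e.g. Modbus/TCP, OPC UA
    secured: bool      # protected in transit?
    third_party: bool  # peer belongs to an external entity?
    can_modify: bool   # peer can alter configurations or control the process?

@dataclass
class Asset:
    name: str
    criticality: int   # 1 (minor) .. 5 (essential business function)
    exposure: int      # 1 (isolated) .. 5 (internet-reachable)
    national_significance: bool
    availability: str  # e.g. "24x7"
    connections: list = field(default_factory=list)

def validate(asset):
    """Principle 1: check collected data before it enters the record."""
    errors = []
    if not 1 <= asset.criticality <= 5:
        errors.append("criticality out of range")
    if not 1 <= asset.exposure <= 5:
        errors.append("exposure out of range")
    if not asset.availability:
        errors.append("availability requirement missing")
    return errors

def priority_score(asset):
    """Assumed weights for the guidance's four prioritisation criteria."""
    score = asset.criticality * asset.exposure  # business impact x exposure
    if asset.national_significance:
        score += 10
    if any(c.third_party and c.can_modify for c in asset.connections):
        score += 5  # external party can change configuration or process state
    return score

def bypass_risks(asset):  # Principle 4: peers reached over an unsecured protocol
    return [c.peer for c in asset.connections if not c.secured]

def prioritize(assets):
    return [a.name for a in sorted(assets, key=priority_score, reverse=True)]
SAMPLE = [  # constructed sample records, not real plant data
    Asset("water-plc-01", 5, 2, True, "24x7",
          [Connection("vendor-vpn", "Modbus/TCP", False, True, True)]),
    Asset("hmi-ws-03", 3, 4, False, "24x7",
          [Connection("corp-it", "RDP", True, False, False)]),
    Asset("historian-02", 2, 1, False, "business hours"),
]
```

Running `prioritize(SAMPLE)` puts the nationally significant PLC with a modifying vendor connection first, and `bypass_risks` flags that same connection because its protocol is not secured in transit.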

Security experts emphasize the urgency of this mandate. “Maintaining updated OT systems is vital for effective cybersecurity protection,” explains Joshua Roback, a principal security solution architect at Swimlane. “Security teams cannot detect vulnerabilities, apply controls, or respond effectively to incidents without a clear understanding of which assets exist, how they’re connected, or what roles they play.”

Roback also highlighted a key takeaway from the guidance: the need for enhanced coordination between OT and IT teams. “This is especially important now, as the two traditionally separate domains now face multiple shared threats, including the rise of insider threats and the growing popularity of ransomware groups,” he added. “Combined efforts between the two teams can bridge IT teams’ knowledge of cybersecurity practice and OT teams’ knowledge of industrial processes and operational constraints to create a vastly improved OT architecture that benefits organizations as a whole.”

(Source: Security Week)
