Critical infrastructure organisations, those responsible for essential services such as water, energy and transportation, rely on Operational Technology (OT) to monitor and control physical processes. As these systems become more interconnected with corporate IT and the internet, they also become more exposed to cyber threats, which makes OT cyber security a priority for any organisation whose operations must remain uninterrupted and safe.
To help guide organisations, a group of government cyber security agencies, led by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other international partners, has published a set of principles for OT cyber security. The principles aim to protect OT environments and support business continuity. Below, we break down the six key principles from their joint publication.
1. Safety is Paramount
In OT environments, the risk extends beyond data breaches: a compromise can endanger lives, the environment and physical assets. Unlike corporate IT, where innovation and speed are prioritised, OT systems control physical processes that, if disrupted or manipulated, could have life-threatening consequences. Ensuring safety means designing systems that remain safe and reliable even while under attack, and that can be brought to a safe state when a compromise is suspected.
Organisations should ask themselves critical questions such as: Are they prepared to send staff to a site whose OT has been compromised? Can they trust that their systems are safe to operate after recovery, or must the integrity of controllers and configurations be re-verified first? These considerations are central to maintaining both safety and operational continuity.
2. Business Knowledge is Crucial
A deep understanding of an organisation’s OT environment is vital to defending it. It is important to know which systems are critical for delivering essential services, how these systems interact, and what the process would do if any one of them failed or behaved incorrectly. With this knowledge, organisations can design cyber security measures that are tailored to protect the key operational processes rather than applying generic IT controls.
Both top-down and bottom-up approaches are necessary: leadership must understand which services are critical and why, and technical personnel must understand how those services are actually delivered by the equipment on site. Sharing that business context across both levels keeps security strategy aligned with operational goals.
3. OT Data is Extremely Valuable and Needs to be Protected
OT data, such as system schematics, network diagrams and engineering configurations, is often static and rarely changes over time. This makes it a valuable target for adversaries: once stolen, it remains useful for years. An attacker who obtains this information can craft attacks or malware tailored to the specific controllers, protocols and processes in use.
Organisations must protect both long-lived OT data and more ephemeral data (for example, operational readings such as voltage or pressure levels, which can reveal process behaviour and production patterns when collected over time). Storing this data in secure, segmented systems, away from less trusted networks, and limiting who can read or export it reduces the risk of unauthorised access.
4. Segment and Segregate OT Networks
Segmentation is a well-established cyber security practice, and it is especially crucial in OT environments. OT networks should be isolated from IT networks and the internet to reduce the likelihood of compromise spreading into the control environment. Further, the most critical OT systems, such as safety systems, should be segregated from less critical OT systems so that a compromised historian or HMI cannot reach them directly.
For example, an electricity transmission company must ensure that its OT systems are isolated not only from the corporate IT network but also from the OT networks of upstream or downstream partners. Every connection into the OT environment needs to be justified and secured, however small the connected system may be.
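The segmentation principle is easiest to reason about when the intended zone plan is written down as a default-deny policy and observed flows are checked against it. The following is an added illustration, not code from the ACSC/CISA guide: the zone names, address ranges, rules and flow records are all constructed for the example, and a real deployment would map them onto its own network and firewall logs.

```python
"""Segmentation policy as code: check observed flows against a zone plan.

Added example for the segmentation principle; the zones, address ranges,
rules and sample flows below are constructed, not taken from the guide.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed zone plan. The "internet" zone is a catch-all that only
# matches when no more specific zone contains the address.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "it_corporate": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_control": ipaddress.ip_network("192.168.100.0/24"),
    "ot_safety": ipaddress.ip_network("192.168.200.0/24"),
    "partner_ot": ipaddress.ip_network("172.16.50.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    note: str
    src_hosts: frozenset[str] = frozenset()  # empty means any host in src_zone


# Everything not listed here is denied. IT never reaches the control zone
# directly, nothing in OT reaches the internet, partner OT is not trusted,
# and only one engineering workstation may talk to the safety zone.
RULES = [
    Rule("ot_dmz", "ot_control", "tcp", 502, "historian polls controllers"),
    Rule("it_corporate", "ot_dmz", "tcp", 443, "corporate users read historian web view"),
    Rule("ot_control", "ot_safety", "tcp", 502, "engineering workstation programs safety PLCs",
         src_hosts=frozenset({"192.168.100.50"})),
]


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address onto the zone plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: kv[1].prefixlen, reverse=True):
        if addr in net:
            return name
    raise ValueError(f"{ip} is in no zone")


def evaluate(flow: dict) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow record."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dst_port) != (
                src_zone, dst_zone, flow["proto"], flow["dport"]):
            continue
        if rule.src_hosts and flow["src"] not in rule.src_hosts:
            continue
        return "allow", rule.note
    return "deny", f"no rule permits {src_zone} -> {dst_zone} {flow['proto']}/{flow['dport']}"


def audit(flows: list[dict]) -> list[tuple[dict, str]]:
    """Return the flows that violate the policy, with the reason."""
    return [(f, reason) for f in flows for verdict, reason in [evaluate(f)] if verdict == "deny"]


# Constructed flow records, as they might be exported from a firewall or flow collector.
SAMPLE_FLOWS = [
    {"src": "10.20.0.5", "dst": "192.168.100.10", "proto": "tcp", "dport": 502},     # historian -> PLC
    {"src": "10.10.4.22", "dst": "10.20.0.5", "proto": "tcp", "dport": 443},         # corporate -> historian
    {"src": "10.10.4.22", "dst": "192.168.100.10", "proto": "tcp", "dport": 502},    # corporate -> PLC
    {"src": "192.168.100.10", "dst": "8.8.8.8", "proto": "udp", "dport": 53},        # PLC -> internet
    {"src": "192.168.100.50", "dst": "192.168.200.3", "proto": "tcp", "dport": 502}, # eng WS -> safety PLC
    {"src": "192.168.100.10", "dst": "192.168.200.3", "proto": "tcp", "dport": 502}, # PLC -> safety PLC
    {"src": "172.16.50.7", "dst": "192.168.100.10", "proto": "tcp", "dport": 502},   # partner OT -> PLC
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow['src']} -> {flow['dst']} {flow['proto']}/{flow['dport']}: {reason}")
```

Running the audit over the constructed records denies four of the seven flows: corporate IT reaching a controller directly, a controller resolving DNS on the internet, a non-engineering host reaching the safety zone, and a partner's OT network reaching a controller. The same structure works as a pre-change review: feed it the flows a proposed firewall change would permit and see which zone boundaries it would open.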
5. Secure the Supply Chain
Supply chains are often a point of weakness in OT environments. Devices and software from third-party vendors, whether large or small, can introduce risk. Critical control messages in OT systems are often sent with little or no authentication or integrity protection, so any device that can reach the control network, including a small peripheral or a vendor-supplied appliance, could potentially read or alter those messages.
Organisations need to vet all devices, including peripherals, before allowing them into their OT networks. It is also essential to assess vendors’ security practices and remote-access arrangements, and to ensure that firmware updates and device configurations are obtained from trusted sources and verified before they are applied.
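To make the "minimal security" point concrete, here is an added example that decodes Modbus/TCP request frames and flags control writes coming from a source that is not the designated engineering workstation. Modbus is used as a representative unauthenticated OT protocol; the guide itself does not name a protocol, and the frames, addresses and the authorised-writer set are constructed for this illustration. The frame layout shows the problem directly: the MBAP header carries a transaction id, protocol id, length and unit id, and the PDU carries a function code and data. There is no field for who sent the request, so a monitor can only tell what was asked for, and must rely on network position (segmentation and an allowlist) to judge whether the sender was entitled to ask.

```python
"""Decode Modbus/TCP requests and flag writes from unexpected sources.

Added example for the supply-chain principle. Modbus/TCP is used as a
representative protocol without authentication; the captured frames,
source addresses and authorised-writer set are constructed.
"""
import struct

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
# Function codes that change controller state; anything else is a read or diagnostic.
WRITE_CODES = {5, 6, 15, 16, 22, 23}


def decode_request(frame: bytes) -> dict:
    """Parse one Modbus/TCP request ADU (MBAP header + PDU) into a dict."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    # MBAP header: transaction id, protocol id (0 for Modbus), length, unit id.
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"unexpected protocol id {proto_id}")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    # A mismatch indicates a truncated, padded or otherwise malformed frame.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes present")
    fc = frame[7]
    pdu = frame[8:]
    info = {
        "tid": tid,
        "unit": unit,
        "fc": fc,
        "name": FUNCTION_NAMES.get(fc, f"Function {fc}"),
        "is_write": fc in WRITE_CODES,
    }
    if fc in (5, 6) and len(pdu) >= 4:
        info["address"], info["value"] = struct.unpack(">HH", pdu[:4])
    elif fc in (15, 16) and len(pdu) >= 5:
        info["address"], info["quantity"] = struct.unpack(">HH", pdu[:4])
    return info


# Constructed: the only host that should ever write to controllers.
AUTHORISED_WRITERS = {"192.168.100.50"}


def triage(captures) -> list:
    """captures: iterable of (src_ip, frame). Returns alert strings for writes
    from unauthorised sources and for frames that do not parse."""
    alerts = []
    for src, frame in captures:
        try:
            req = decode_request(frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed frame ({exc})")
            continue
        if req["is_write"] and src not in AUTHORISED_WRITERS:
            alerts.append(
                f"{src}: {req['name']} to unit {req['unit']} address {req.get('address')} "
                f"from unauthorised source"
            )
    return alerts


# Constructed captures: (source IP, raw TCP payload) as a network tap would see them.
SAMPLE_CAPTURES = [
    # Historian reads 10 holding registers from address 0: normal polling.
    ("10.20.0.5", bytes.fromhex("00010000000601030000000a")),
    # Engineering workstation forces coil 19 ON (0xFF00): authorised write.
    ("192.168.100.50", bytes.fromhex("00020000000601050013ff00")),
    # Historian writes two registers starting at address 1: it should only read.
    ("10.20.0.5", bytes.fromhex("00030000000b0110000100020400000000")),
    # Partner network sends a frame whose length field does not match its size.
    ("172.16.50.7", bytes.fromhex("000400000006010600")),
]

if __name__ == "__main__":
    for src, frame in SAMPLE_CAPTURES:
        try:
            print(src, decode_request(frame))
        except ValueError as exc:
            print(src, "malformed:", exc)
    for alert in triage(SAMPLE_CAPTURES):
        print("ALERT", alert)
```

On the constructed captures the triage raises two alerts: the historian issuing Write Multiple Registers, and the partner-network frame that fails the length check. Note what it cannot do: it cannot prove that the frame from 192.168.100.50 really came from the engineering workstation, because nothing in the protocol binds the request to a sender. That is exactly why the previous principle's segmentation, and vetting of every device admitted to the control network, carry the weight here.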
6. People Are Essential for OT Cyber Security
No cyber security framework can succeed without trained, knowledgeable people. In OT environments, where the systems are deeply intertwined with physical operations, having staff who understand both the engineering and the cyber security of the plant is essential. From field operators to control engineers, everyone plays a role in defending against cyber threats, and often an operator is the first to notice that a process is misbehaving.
Building a strong safety culture that integrates cyber security is vital. Field staff should be empowered to report suspicious activity without fear of blame, and regular training should ensure that they can recognise when an unexplained process fault might be a cyber incident and know who to call.
Conclusion
Protecting Operational Technology from cyber threats requires more than technology: it involves a deep understanding of the business, protecting valuable engineering data, segmenting networks, securing the supply chain and fostering a cyber security-aware workforce, all in service of keeping the process safe. By following the six principles laid out by national cyber security authorities such as ASD’s ACSC and CISA, organisations can better protect their OT environments and ensure the continuity of essential services.
For a detailed exploration of these principles, read the full guide, Principles of Operational Technology Cyber Security, published by the Australian Cyber Security Centre (ACSC) and its international partners.