NSA Releases Guidance on Operational Technology Cybersecurity
The National Security Agency has released a cybersecurity advisory on ensuring the security of operational technology and enterprise networks.
The document, titled “Stop Malicious Cyber Activity Against Connected Operational Technology,” is targeted at the Department of Defense, the defense industrial base and national security systems, NSA said Thursday.
Operational technologies are programmable systems that interact with the physical environment, according to the National Institute of Standards and Technology’s Computer Security Research Center.
Some examples of operational technology are industrial control systems, building management systems, fire control systems and physical access control mechanisms.
According to the NSA, operational technologies are increasingly becoming exposed to cyber exploits as their components continue to be connected to information technology.
Recent exploits of IT management software and its supply chain have resulted in publicly documented impacts on the government and the defense industrial base, NSA said in the document’s executive summary.
The agency advised the owners of defense networks to conduct detailed risk analyses of their operational technology before establishing cross-domain connections.
Operators should consider the value or risks of using a standalone system, connecting operational technology to IT, spending more on risk mitigation and presenting evaluation results to leadership, according to the guidance.
The NSA noted that the cybersecurity measures available for IT-connected operational technology are also applicable to standalone systems.
A standalone or “islanded” operational technology system is considered more secure from outside threats than one connected to an enterprise IT system with external connectivity.
Network owners could also strike a compromise by adopting intermittently connected systems, which the NSA said are only at risk when connected to external networks.