Imagine trying to secure your home with a state-of-the-art alarm system while leaving a window open. This is the reality for many organisations today when it comes to their Operational Technology (OT) networks. Hackers have identified this gap and are increasingly exploiting OT systems, which are essential to industries such as energy, manufacturing, and transportation.
To address this growing threat, the UK’s National Cyber Security Centre (NCSC), in collaboration with other global agencies, has issued critical guidance to help organisations secure their OT networks. The focus? Embedding cybersecurity principles like Secure by Design and Secure by Demand to ensure resilience and mitigate risks from the ground up.
Understanding Operational Technology (OT)
OT refers to the hardware and software systems that control physical processes in industries and modern businesses. In simple terms, OT systems run machines, equipment, and processes essential for critical operations, such as production lines in factories, railway signals for transportation, power plants for energy generation, and even automated systems in office buildings and retail environments.
Hackers exploit vulnerabilities in OT systems because once they breach one device, they can replicate their methods across similar environments. This scalability makes OT attacks particularly devastating. A successful attack can result in:
- Operational disruptions: Downtime in production lines or essential services.
- Public safety risks: Compromised transportation or utility systems.
- Financial losses: Costly ransom payments, regulatory fines, and reputational damage.
Why the NCSC Issued Guidance
With attacks on OT systems increasing globally, the NCSC has stepped in to provide a roadmap for organisations to enhance their cybersecurity posture. The guidance emphasises two key principles:
- Secure by Design: Security should be an integral part of OT systems from the start, not an afterthought.
- Secure by Demand: Organisations must prioritise security requirements when procuring OT products and services.
The guidance highlights the urgency of securing OT to protect both individual organisations and the broader infrastructure that supports society. The NCSC is not alone in this effort; agencies worldwide are joining forces to enhance OT security. For example, the Cybersecurity and Infrastructure Security Agency (CISA) in the US, the Canadian Centre for Cyber Security (CCCS), and New Zealand’s National Cyber Security Centre (NCSC-NZ) are among the key contributors. Their shared goal is simple: ensure OT systems are secure, as failing to act could lead to serious consequences for industries and society.
The NCSC states that organisations that own and operate OT systems are strongly encouraged to integrate the 12 key security considerations it outlines into their procurement processes, both to help defend against threats and to send a clear signal to manufacturers about the level of security they expect from products. The priority considerations are:
- Configuration Management: Makes it easy to track, save, and restore system settings securely.
- Logging in the Baseline Product: Keeps detailed records of changes and events to help respond to security issues.
- Open Standards: Uses common standards so products work well together and are easier to replace.
- Ownership: Lets you fully control and manage the product without needing constant vendor help.
- Protection of Data: Keeps your data safe from tampering or theft, both when stored and in transit.
- Secure by Default: Comes ready with secure settings, removing risky defaults and unnecessary access points.
- Secure Communications: Uses secure methods for systems to communicate and alerts you if something’s wrong.
- Secure Controls: Prevents harmful commands and keeps critical functions working during attacks.
- Strong Authentication: Protects access with strong passwords and multi-step verification.
- Threat Modelling: Identifies ways hackers might attack and includes steps to block them.
- Vulnerability Management: Tests for security flaws, fixes them fast, and offers free updates during the support period.
- Upgrade and Patch Tooling: Provides easy instructions for updates and ensures the system stays supported.
Implementing the NCSC Guidance
The NCSC guide provides detailed information, but here are the key considerations summarised briefly:
- Select Secure by Design products: Choose OT systems that have security built into their architecture to minimise vulnerabilities.
- Work with trusted vendors: Purchase from companies that have proven cybersecurity practices and are whitelisted by recognised authorities.
- Demand incident response capabilities: Ensure that OT devices come with mechanisms to detect, report, and respond to cyber incidents.
- Assess lifecycle support: Vendors should provide long-term updates and patches to address emerging threats.
- Scrutinise the supply chain: Ensure every component in the OT system adheres to robust security standards.
Making the Guidance Actionable
To make the key points above actionable, organisations need to take the following steps, which ensure that security is not just an add-on but a fundamental part of your OT strategy:
- Engage with cybersecurity experts early: During the design phase, bring in professionals who understand OT’s specific challenges to avoid costly mistakes later.
- Prioritise security over cost: Budget constraints should not compromise the safety and resilience of critical infrastructure.
- Choose trusted suppliers: Work only with vendors recognised for adhering to Secure by Design principles.
- Conduct regular audits: Periodic assessments of your OT network can identify vulnerabilities and ensure compliance with the latest standards.
Operational Technology is the backbone of many industries, yet its growing exposure to cyber threats demands urgent attention. The NCSC’s focus on Secure by Design and Secure by Demand principles offers organisations a clear path to build resilience and protect critical operations.