The Cybersecurity and Infrastructure Security Agency (CISA) and its U.S. and international partners have released joint guidance for Operational Technology (OT) owners and operators. The guidance is part of CISA’s Secure by Design series. The purpose is to help customers identify manufacturers dedicated to continuous improvement and achieving a cost-effective balance in their operations.
Critical infrastructure and industrial control systems are increasingly becoming targets for cyberattacks. Threat actors often target specific OT products rather than individual organizations. Many OT products are not originally designed with Secure by Design principles, leading to easily exploitable vulnerabilities.
The joint guidance aims to steer OT owners and operators toward selecting products from manufacturers who prioritize security. By choosing such products, organizations can better safeguard their infrastructure against potential threats. The guide recommends that owners choose products from manufacturers that emphasize security elements such as configuration management, logging, open standards, ownership, and the protection of data.
Joint guidance for OT owners and operators
Scott Gee, AHA deputy national advisor for cybersecurity and risk, highlighted the importance of these measures in the healthcare sector. “Many hospitals have vast quantities of network-connected OT devices such as cameras, door access controls, and HVAC systems,” said Gee.
“Keeping these devices secure and operational is critical to the delivery of high-quality patient care.”
Gee also advised hospitals to review their existing technology. “This is also a good reminder to look at the legacy technology in your networks and apply as many of these principles as possible. If legacy equipment cannot be brought up to these standards, understand the vulnerabilities in those systems and have a plan to segment and monitor the devices,” he said.
Moreover, Gee stressed the significance of maintaining business and clinical continuity plans. Hospitals and health systems should understand the clinical and business impact that may result from a loss of OT due to a loss of network connectivity during a cybersecurity event. It is strongly recommended that healthcare organizations maintain business and clinical continuity plans to compensate for a loss of OT for 30 days or longer.
For more information on questions to consider during procurement discussions and to learn more about secure by design principles and practices, visit CISA’s official site.
For further information on cybersecurity and risk management, individuals and organizations can contact Scott Gee.