Credit: Intelligent Connected Systems Division, NIST
The impact of cyber security breaches on the owners/operators of infrastructure control systems is more significant and visible than ever. Whether you work for an infrastructure owner/operator or a consumer of an infrastructure service, the events of the past few months/years have made it clear that cyber security is a critical factor in ensuring the safe and reliable delivery of goods and services. Owners/operators of infrastructure control systems can find it difficult to address the array of cyber security threats, vulnerabilities and risks that can adversely affect their operations, especially with limited resources.
Operational technology (OT) includes a wide range of programmable systems and devices that interact with the physical environment (or control devices that interact with the physical environment). These systems and devices detect or directly cause change by monitoring and/or controlling devices, processes and events. Examples include industrial control systems (ICS), building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems. OT can be found in all critical infrastructure.
Support Owners/operators of OT systems, NIST has published Special Publication (SP) 800-82r3 (Revision 3), Operational Technology (OT) Security Guidance, which provides guidance on how to improve the security of OT systems by addressing their unique performance and reliability. : and security requirements. SP 800-82r3 provides an overview of OT and typical system topologies, identifies typical threats to an organization’s mission and business functions supported by OT, describes typical OT vulnerabilities, and provides recommended security safeguards and countermeasures to manage associated risks. SP 800-82 has been downloaded more than 3 million times since its original release in 2006.This is the third edition of NIST SP 800-82 with a new title to reflect the expanded scope. SP 800-82r3 was produced by a joint effort of the NIST Smart Connected Systems Division’s Networked Control Systems Group and the NIST Computer Security Division.
Updates in this revision include:
- New title
- Expanding scope from ICS to OT
- OT Threat and Vulnerability Updates
- Updates on OT risk management, best practices and architecture
- Updates on current OT security activities
- Updates to OT security features and tools
- Additional alignment with other OT security standards and guidelines, including the Cyber Security Framework (CSF)
- SP 800-53r5 new safety management guidance, including OT coverage, which provides customized safety management baselines for low-impact, moderate-impact, and high-impact OT systems.
In addition to SP 800-82r3, the NIST Resource Collection for OT Cybersecurity can be found here: Operational Technology Security Site.