NSA to Defense Sector: Think Twice Before Connecting Operational Technology to the Internet


The agency recognized benefits such as enabling remote work but notes the inherent risks and costs of putting industrial control system components online.

Given recent intrusions, the National Security Agency warns that organizations should reassess the pros and cons of connecting the operational technology in their industrial control systems to information technology and the public internet.

“Acknowledge that a standalone, unconnected (‘islanded’) OT system is safer from outside threats than one connected to an enterprise IT system(s) with external connectivity (no matter how secure the outside connections are thought to be),” reads the first step in a guide the agency released Thursday for evaluating such systems.  

The guide applies to network owners within the National Security System, the Defense Department and the defense industrial base, where NSA said malicious cyber activity continues to target the operational technology such as valves and pressure sensors that control physical processes in industrial operations and can have consequences such as loss of life if compromised.

This operational technology predates the internet, but operators have connected it to information technology over the years in order to process data, leverage the IT workforce, monitor the systems and manage updates. But the NSA said entities have not paid enough attention to the cybersecurity risks involved, and it's time for a change in their approach.

“A significant shift in how operational technologies are viewed, evaluated, and secured within the U.S. is needed to prevent malicious cyber actors from executing successful, and potentially damaging cyber effects. As OT components continue being connected to information technology, IT exploitation increasingly can serve as a pivot to OT destructive effects,” according to the guide. “While OT systems rarely require outside connectivity to properly function, they are frequently connected for convenience without proper consideration of the true risk and potential adverse business and mission consequences.” 

On Thursday the Cybersecurity and Infrastructure Security Agency also released an advisory on industrial control systems. CISA listed a host of products with vulnerabilities that affect real-time operating systems, or RTOS, and the software libraries that support them. “Successful exploitation of these vulnerabilities could result in unexpected behavior such as a crash or a remote code injection/execution,” CISA said, encouraging entities to implement mitigation measures and updates where available.

The NSA advises organizations to consider not just the security risks of connecting OT to IT, but the costs involved in alleviating them. This can include segmentation equipment, renewing product and system licenses, updating outdated devices and the time lost in the process, and the personnel necessary to maintain and secure assets. 

The final step in the evaluation methodology in NSA's advisory, which also includes steps for improving cybersecurity in OT systems that are already connected, is to present a detailed cost-benefit analysis to leadership for a final assessment of the risks.