NIST Publishes Draft Cyber Security Framework for Operational Technology
On Tuesday, April 26, 2022, the National Institute of Standards and Technology (“NIST”) released for public comment the third revision of NIST Special Publication (SP) 800-82r3, Guide to Operational Technology (OT) Security. NIST’s updated guidance provides a framework for improving the security of operational technology systems while maintaining a high level of performance, reliability, and safety. To mitigate the cyber security risk to operational technology systems, operators of critical infrastructure facilities should familiarize themselves with NIST’s updated guidance and implement cyber security programs that address the unique threats and vulnerabilities facing operational technology systems.
Who Uses Operational Technology?
Operational technology is critical to the technological landscape that underpins critical infrastructure. These technologies are widely used in the oil and gas, energy, manufacturing, chemical, waste, and wastewater sectors and are critical to everyday operations. Examples of operational technologies include Industrial Control Systems (“ICS”), Supervisory Control and Data Acquisition (“SCADA”), Distributed Control Systems (“DCS”), Safety Instrumented Systems (“SIS”), and Physical Access Control Systems (“PACS”).
Operational technology systems are often interconnected and rely on monitoring and/or control of devices, processes, and events to detect or cause direct changes in a facility’s operations. Because these technologies are directly responsible for controlling physical processes at industrial facilities, cyber security threats pose a significant risk to human lives and the environment, as well as serious financial risks resulting from production losses and disruption to the economy.
NIST’s Operational Technology Cyber Security Framework
NIST recommends that companies start with a robust risk-based assessment of their operational technology systems to identify vulnerabilities. The NIST guidance then provides the following general framework for companies to use to address operational technology cyber security risks.
- Prepare: Prepare the organization to manage its security and privacy risks.
- Categorize: Determine the potential adverse impact of the loss of confidentiality, integrity, and availability of information if operational technology systems are compromised.
- Select: Determine the initial selection of controls to protect these systems.
- Implement: Implement the selected controls in the new or legacy systems.
- Assess: Determine the effectiveness of the controls in producing desired results.
- Authorize: Decide to authorize the operation of a comprehensive system to address operational technology threats, and accept the potential risks to operations, assets, and individuals based on the implementation of the agreed-upon controls.
The updated NIST guidance also provides in-depth cyber security strategies to address:
- Developing security policies, procedures, training, and educational materials that apply specifically to operational technology systems.
- Implementing heightened security policies and procedures based on the National Terrorism Advisory System.
- Addressing security throughout the life cycle of operational technology systems, including architecture design, procurement, installation, maintenance, and decommissioning.
- Ensuring that critical components are redundant and operate on redundant networks.
- Tracking, monitoring, and auditing critical areas of operational technology systems.
Considering the increase in cyber security attacks on critical infrastructure facilities, companies in the oil and gas, energy, manufacturing, chemical, waste, and wastewater sectors should review the updated NIST guidance and determine whether their cyber security programs adequately protect operational technologies.
Threat Sources, Vulnerabilities, and Incidents
Lastly, the updated NIST guidance explores threat sources, vulnerabilities, and incidents specific to operational technologies. Appendix C to the NIST guidance provides descriptions of vulnerabilities and predisposing conditions that companies should be aware of in their operational technologies. The appendix also provides summaries of past and current incidents caused by vulnerabilities in operational technologies and provides real-life examples of the risks posed to companies.
Conclusion
NIST is accepting public comment on the updated guidance through July 1, 2022.
Our team will continue to provide updates on developing NIST guidance to keep our clients aware of developments in the ever-changing cyber security landscape. If you have any questions about how the updated NIST Guide to Operational Technology Security may apply to you or your business, please reach out to a member of the Baker Botts Privacy and Security Team.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.