The National Security Agency has recommended security policies and technical requirements for smart controller devices installed for operational technology in national security systems, or NSS. The recommendations address new risks from the rising combination of IT and OT systems, as well as growing adversarial cyberthreats, NSA said Wednesday.
Vulnerable Cyberattack Targets
Smart controllers typically integrated within IT network systems are high-value cyberattack targets vulnerable to adversaries, the agency noted in its cybersecurity technical report titled “Operational Technology Assurance Partnership: Smart Controller Security within National Security Systems.”
Threats on OT systems and devices can simulate IT network vulnerabilities, the agency explained. It pointed out that vulnerability is higher on legacy OT systems, as they lack security by default, and there are vulnerabilities as well in the IT infrastructure integrated into them.
Testing and Updates as Shields
The recommendations in the 57-page report include regular administrator testing and updating of all NSS OT firmware and software, including host, embedded and network devices. The NSA report also urges controls on system components or devices with wireless capabilities to ensure that a switch or a default mode can disable the wireless interface.
As a further guidance, the report provides analytical comparison of National Institute of Standards and Technology security controls and current International Society of Automation technical requirements for OT devices.
Parallel Cyber Guardrails
According to NSA, the study was also conducted to help develop the Operational Technology Assurance Partnership, a pilot for the cybersecurity testing process of NSS OT components. Additionally, the study’s findings will be submitted to the U.S. Army’s Intelligence Support Activity standards committee for consideration on future cybersecurity technical requirement updates for the components in industrial automations and control systems.
In February, NSA also released three cybersecurity information sheets outlining critical mitigation strategies to safeguard organizations’ edge device systems, including firewalls, routers and virtual private network gateways.
