Introduction
Organizations, both public and private, come in all sizes, with different ways of operating, and at different levels of maturity; yet all organizations are vulnerable to cyberattacks. When those organizations are affiliated with critical infrastructure, cyberattacks have the potential to impact more than finances, including citizens’ health and well-being.
The Cybersecurity and Infrastructure Security Agency (CISA) has stated that “Infrastructure systems are the backbone of communities.” Critical Infrastructure consists of those systems and assets “so vital that their incapacitation or destruction would have a debilitating effect on security, the economy, public health, public safety, or any combination thereof.”
Many organizations in these sectors rely not only on information technology (systems, devices, software for storing, retrieving, and sending information) to get their work done, but also on operational technology (programmable systems or devices that interact with the physical environment) and industrial control systems (systems used to control industrial processes).
The purpose of this Critical Infrastructure Toolkit is to raise awareness and share guidance, frameworks, tools, and best practices for critical infrastructure cybersecurity—especially for smaller organizations with limited resources.
The U.S. Department of Homeland Security has defined 16 Critical Infrastructure sectors, including:
Operational Technology (OT)/Industrial Control Systems (ICS) are highly specialized systems and networks that control physical processes across enterprise and Critical Infrastructure environments including drinking and wastewater processing, electricity generation and distribution, and oil and gas refining and pipelines. OT/ICS systems are also responsible for the operation of HVAC systems in large buildings, campuses, and data centers; factory production lines; and modern transportation systems.
While IT and OT/ICS often share similar technologies, OT/ICS have unique cybersecurity requirements due to their ability to control physical processes, which could result in cyber-physical consequences that include not only the damage or destruction of property but also serious bodily injury and death.
Due to the unique and specialized OT/ICS cybersecurity requirements, this toolkit is designed to provide OT/ICS asset owners and operators with a roadmap for improving their OT/ICS cybersecurity posture and a list of resources that are available at no cost.
- Identify one role/position/title responsible for cybersecurity within your ICS/OT environment. Whoever fills this role/position/title is then in charge of all ICS/OT cybersecurity activities.
- Conduct a Self-Assessment.
- Use a cybersecurity framework to guide your OT Cybersecurity.
- Create an OT/ICS Cyber Incident Response Plan.
Your organization should have a named role/position/title identified as responsible and accountable for planning, resourcing, and execution of OT-specific cybersecurity activities. This role may undertake activities, such as managing cybersecurity operations at the senior level, requesting and securing budget resources, or leading strategy development to inform future positioning.
Your organization should conduct a comprehensive evaluation of your OT-related cybersecurity posture using several recognized government and industry standards, best practices, and recommendations.
DHS CISA Cybersecurity Evaluation Tool (CSET)
The Cyber Security Evaluation Tool (CSET) provides a systematic, disciplined, and repeatable approach for evaluating an organization’s security posture. CSET is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate industrial control system/operational technology (ICS/OT) and information technology (IT) network security practices. Users can evaluate their own cybersecurity stance using many recognized government and industry standards and recommendations.
DHS National Cybersecurity and Communications Integration Center (NCCIC) Evaluation Tool Fact Sheet (PDF)
Your organization should identify any cybersecurity frameworks already in use, determine how they align with any compliance or regulatory goals specific to your environment/sector, and update your security program to leverage the frameworks to improve the state of your OT-related cybersecurity activities.
DHS CISA Cross-Sector Cybersecurity Performance Goals
The CPGs are a prioritized subset of information technology (IT) and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations, but also to the American people. The CPGs are represented in a manner that is easily traceable to the NIST Cybersecurity Framework.
The NIST Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
NIST Guide to Industrial Control Systems (ICS) Security (SP 800-82 Rev.2) (PDF)
This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.
CIS Controls Implementation Guide for Industrial Control Systems
The CIS Critical Security Controls® (CIS Controls®) are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The CIS Controls are developed by a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the CIS Controls come from a wide range of sectors, including retail, manufacturing, healthcare, education, government, defense, and others. So, while the CIS Controls address the general practices that most organizations should take to secure their systems, some operational environments may present unique requirements not addressed by the CIS Controls.
Sector Specific Frameworks & Guidance
Energy Sector
Water/Wastewater Systems
ICS and OT environments have unique incident response needs due to their added complexity, architectures, and requirements to keep key systems running. An ICS/OT Incident Response Plan must be specifically designed for the ICS/OT environment, and organizations cannot rely on their existing IT-specific Incident Response Plan to address these specialized needs.
DHS CISA Developing an Industrial Control Systems Cybersecurity Incident Response Capability Guide (PDF)
This document provides recommendations for those interested in protecting industrial control systems (ICS) within a facility or organization. It is primarily focused on preparing for and responding to a cyber-related incident in which ICS are either threatened or compromised. It discusses ways of preparing for and preventing an incident as well as ways to respond, analyze, and recover from one should it occur.
In addition to basic cybersecurity training, personnel who maintain or secure OT as part of their regular duties receive OT-specific cybersecurity training on at least an annual basis.
DHS CISA Virtual Learning Portal
DHS CISA’s Virtual Learning Portal (VLP) offers several online courses for Industrial Control Systems owners and operators at no cost.
DHS CISA Tabletop Exercise Packages
DHS CISA Tabletop Exercise Packages (CTEPs) are a comprehensive set of resources designed to assist stakeholders in conducting their own exercises. Partners can use CTEPs to initiate discussions within their organizations about their ability to address a variety of threat scenarios.
Other ICS/OT Resources