The Cybersecurity and Infrastructure Security Agency (CISA) released new guidelines this week to help operational technology users implement secure communications.
In the guide, Barriers to Secure OT Communications: Why Johnny Can’t Authenticate, CISA provides insight from control system stakeholders, asset owners and operators in the water and wastewater systems, transportation systems, chemical, energy and food and agriculture sectors. The guide is also designed to advise OT manufacturers on reducing barriers and improving usability.
“Adopting secure communications in OT environments is a long-term effort with complexities, costs and risks. Over the past year, CISA conducted customer-led research to create this secure communication guide,” CISA Acting Director Madhu Gottumukkala said. “CISA encourages asset owners and operators, system integrators, service providers, and OT manufacturers to review this guide and collaborate together to implement secure communication.”
Many OT owners and operators use insecure legacy industrial protocols that lack basic authentication and integrity checks, the agency said. Insecure communications are vulnerable to threat actors who can impersonate a device or modify a message in transit, officials said. Secure versions of industrial protocols have been available for more than 20 years, but barriers have prevented the control systems community from wider adoption.
CISA said its guide would provide information on why secure communications are not widely adopted, and recommendations for OT owners, operators and manufacturers to overcome those barriers, including cost and complexity issues, latency and bandwidth concerns, inspections issues, interoperability and legacy product issues.
“There is a critical need for OT environments to use secure communication that protects against threats like actor-in-the-middle attacks and unauthorized updates,” CISA Executive Assistant Director for Cybersecurity Nick Andersen said. “This guide demonstrates CISA’s commitment to collaborate with industry and government partners to develop tangible outcomes that strengthen security and build trust. We encourage the control systems community to review and implement recommended actions in this guide.”