National Security Agency publishes OT cybersecurity guidance

As the digital world continuously evolves, cybersecurity professionals are becoming increasingly concerned about attacks on operational technology in the transportation sector.

Electronic control units (ECUs) are everywhere, from planes to automobiles, including large trucks that could be shut down because a hacker found an avenue in via GPS, for example. If it’s a common control unit and the manufacturer decides to issue a patch or some kind of fix, pulling those trucks off the road could cause supply chain issues and impact operational uptime, said Jeff Hall, principal security consultant and North American aerospace lead at cybersecurity consulting firm NCC Group.

“If you have an avenue in and somebody can get in and poke around when there's no real security controls, or you don't even know they're in your system, bad things can happen,” Hall said. “And anything in transportation that's not moving, it's not making money.”

That’s why the National Security Agency, alongside other government agencies from Canada, Australia, Germany, Japan, Korea, New Zealand and the UK, published new guidance to enhance cybersecurity methods to ensure the protection of critical infrastructure, including transportation.

The cybersecurity information sheet (CSI), titled “Principles of Operational Technology Cyber Security,” promotes six principles that guide the creation and maintenance of a safe, secure critical infrastructure operational technology (OT) environment.

• Safety is paramount.

• Knowledge of the business is crucial.

• OT data is extremely valuable and needs to be protected.

• Segment and segregate OT from all other networks.

• The supply chain must be secure.

• People are essential for OT cybersecurity.

“Public safety and strengthening our cybersecurity posture are at the heart of this particular CSI,” said NSA Cybersecurity Director Dave Luber. “The six principles of operational technology cybersecurity explored in this CSI are vitally important to anyone wanting to strengthen their cybersecurity posture and especially important for those who work in an operational technology environment supporting our nation’s critical systems.”

The NSA and other agencies recommend OT decision makers apply these six principles to help determine if a decision being made is likely to adversely impact the cybersecurity of an OT environment. If a decision impacts or breaks one or more of the principles, it will likely introduce a vulnerability to the OT environment.

The CSI explains why each principle is critical and offers examples, implications and questions to consider.

“This document provides a robust framework for OT cybersecurity based on safety, understanding of business processes, protection of OT data, network segmentation, securing supply chains and emphasis on the role of people in security,” Hall said. “This principle shows that a multidisciplinary approach covered by practice is required to protect critical infrastructures.”

But the document, he said, did miss something.

“One potential gap is the limited emphasis on automation and AI in monitoring and incident response, which could enhance resilience,” he said.

Hall said AI is currently more effective for companies using it to defend against attacks, helping them find anomalies in their systems. He said it will be a few more years before AI becomes a real factor in helping bad actors conduct attacks.

“Look at AI – how much it's grown in just a year; it went from being relatively inept, couldn't really do much, to what it can do now. And I think it's just an exponential scale, where it's going to go faster and faster the more people discover it and learn how to use it or abuse it,” Hall added. “It's just one of those things that’s kind of hard to predict, but seeing where it has come from to where it's going, it's like the sky's the limit.”

Hall said to protect themselves, trucking companies’ OT decision-makers should focus on regular security audits, zero-trust models, and staying updated with evolving cyber threats specific to OT environments. He said he hammers home the need to test and audit to find areas that can be exploited so they can take steps to fix any problem areas, starting with the highest risk first.

“Any place you have a connectivity point, that's where you start,” he said. “If there's no connectivity, you’re still not safe, but it's a better situation, and you don't have to worry as much. But you still should be doing basic things.”

If your company is connected to something like telematics, for example, Hall said you need to work with that provider on security, at a minimum ensuring there is some kind of authentication process and not just an open door to your system.

He said for small trucking operations, security assessments can get expensive, so he advises them to do as much due diligence on their providers and equipment as possible before purchasing.

This document is a starting point, he said, but challenges remain.

“Operational technology decision-makers are likely to run into challenges in following these principles, specifically with regard to balancing operational uptime with security, managing supply chains and enforcing security standards and bridging the cultural gap between OT and IT teams,” Hall said.

Angel Coker Jones is a senior editor of Commercial Carrier Journal, covering the technology, safety and business segments. In her free time, she enjoys hiking and kayaking, horseback riding, foraging for medicinal plants and napping. She also enjoys traveling to new places to try local food, beer and wine.