The National Security Agency (NSA) has partnered with cybersecurity agencies in Australia,
Canada, Germany, Japan, the Netherlands, New Zealand, South Korea and the United Kingdom to
launch a guide that presents six fundamental principles. These principles are intended to assist in
the creation and maintenance of a secure environment for critical operational technology (OT)
infrastructure.
Its purpose is to provide organizations that manage critical infrastructure with a framework to
protect their operational technology (OT) environments from cyber threats, ensuring the continuity of
essential services such as energy, drinking water and transportation. The increasing dependence on
operational technology and the complexity of these environments imply significant challenges in
business decision making, especially when introducing new technologies, selecting suppliers or
developing continuity plans.
The document details six fundamental principles that should guide organizations in creating and
maintaining secure OT environments:
1. Safety is paramount
2. Knowing the business is fundamental
3. OT data is valuable and must be protected
4. Segmenting and segregating OT networks
5. Securing the supply chain
6. People are essential to OT cybersecurity
Each principle is designed to help decision makers identify and mitigate cyber risks associated with
operational technology. The document provides clear guidelines for implementing appropriate
controls, reducing vulnerabilities and promoting business continuity. It also highlights the importance
of aligning cybersecurity with organizational culture and collaboration among all levels of the
organization, from engineers to executives.
This framework seeks to ensure that critical systems not only operate efficiently, but also securely,
minimizing exposure to cyber threats and maintaining public confidence in essential services.
Principle 1: Safety is paramount
This principle underlines the critical importance of safety in operational technology (OT) environments,
highlighting that, unlike corporate IT systems where rapid innovation may be a priority, in OT it is
essential to ensure physical safety and avoid threats that could endanger human life and the
continuity of critical services. Organizations that operate critical infrastructure, such as power plants
or water treatment systems, must always consider the physical hazards and the potential
repercussions that a failure, whether due to human error or cyber attack, could have on public safety
and social stability.
Key Aspects
● Protection of human life and the environment: OT systems operate equipment that, if
tampered with or altered, could lead to hazardous incidents such as explosions, chemical
leaks, electrical discharges or structural collapse.
● Continuity of service: Security also encompasses the need to maintain the operability of
essential services, such as the supply of drinking water or energy, to avoid negative impact
on society.
Examples and Considerations
● Incident response: Organizations must be prepared to respond to incidents on systems that
require secure operation. In some cases, paying a ransom (as in ransomware attacks) is not
feasible, as there is no guarantee that the system will be returned to a secure state.
● Validity of backups: If an attacker has been present in the OT network, it may be difficult to
trust the available backups, as they could have been compromised.
● Recovery plans: Critical systems must have well-defined recovery procedures that ensure a
safe return to operation, even after major outages.
This principle emphasizes the need for a rigorous and disciplined approach to the operation and
management of OT systems. Safety in these environments involves not only protecting against
cyber-attacks, but also ensuring that any changes or disruptions do not affect the physical integrity of
the system or endanger human lives or essential services. The key is for organizations to adopt a
preventative mindset, always prioritizing safety over any other objective.
Principle 2: Knowing the business is fundamental
This principle underscores the importance for organizations to have a thorough understanding of the
operational processes and systems that support their critical services. The premise is that, in order
to adequately protect operational technology (OT), it is imperative to understand both the essential
business needs and the specific characteristics of the systems that enable its operation.
Key Aspects
● Identification of vital systems: Organizations must determine which are the essential systems
that enable the continuity of critical services. This includes identifying which parts of the
operational process are indispensable for the production and supply of critical services such
as energy, water or transportation.
● Understanding the OT process: It is essential to understand each part of the process
controlled by OT systems, ensuring that dependencies and critical points can be identified.
The designed architecture must enable the defense of these vital systems against threats,
both internal and external.
● Integration of cybersecurity into planning: Teams responsible for designing, operating and
maintaining OT systems must be aligned with the business context. This includes
understanding how physical processes connected to the OT environment bring value to the
business and how disruptions can impact service to users.
● Connections and dependencies: Organizations need to know how OT systems interface with
other systems and what dependencies exist. This is vital for assessing risks and establishing
effective controls.
● Continuity and crisis management plans: The creation of incident response, business
continuity and crisis management plans should include the participation of both process
engineering and cybersecurity experts. In addition, these plans should be continually
exercised, reviewed and updated to ensure their effectiveness.
Examples and Considerations
● Top-Down vs. Bottom-Up: The "top-down" approach has led to separate OT and IT
networks, but the "bottom-up" perspective allows identifying the minimum elements
necessary for the operation of critical processes. For example, to generate electricity, you
may only need a generator, a controller and an adequate fuel supply.
● Third-party information packs: When involving third parties in the management of OT
systems, it is essential to provide clear documentation that includes contacts, permitted
tools, and procedures to ensure effective collaboration without compromising security.
● Visual signals and physical controls: Identifying and physically marking authorized devices in
the OT environment helps reduce the risk of unauthorized interference and enables quick
decision making in case of security events.
This principle emphasizes that understanding the business is crucial not only for implementing
effective cybersecurity measures, but also for prioritizing recovery during incidents. It also fosters
seamless collaboration between operations and cybersecurity teams, ensuring that the approach to
cybersecurity is aligned with business needs and the operational context.
Principle 3: OT data are extremely valuable and must be protected
From an adversary's perspective, knowledge about the configuration of an OT (Operational
Technology) system is highly valuable, as OT environments tend to remain stable and change
infrequently. This stability allows malicious actors to develop specific and sophisticated malware to
attack such systems with precision.
Critical data types in OT:
● Engineering configuration data: This includes network diagrams, sequences of operation,
logical schematics and configuration data such as device addresses. This data does not
change frequently and can be relevant for decades, facilitating the preparation of targeted
attacks.
● Ephemeral data: Such as voltage or pressure levels, which provide real-time information on
the status of processes and can reveal details about internal or customer operations.
● Intellectual Property (IP) and Personal Data (PII): Data about customers or processes, such
as patient records in healthcare or metering data in the energy or water sectors, require
protection just as much as configuration data.
Implications and protection strategies:
● Control storage: Organizations must define where and how OT data is stored to avoid
exposure. Although OT networks are often segmented, critical data is frequently stored on
corporate IT systems, which increases its exposure.
● Minimize data distribution: Internal processes should avoid unnecessary propagation of OT
data between different systems to reduce risks.
● Detect unauthorized access: Implement tools such as canary tokens that alert if OT data is
accessed or extracted in an unauthorized manner.
Key questions for OT data protection
● Do suppliers or consultants have copies of critical data?
● Is OT information stored in corporate systems or external clouds?
● Are controls in place to prevent security systems, such as EDRs, from leaking OT data out of
the environment?
● Is there a clear process for data destruction when decommissioning OT equipment?
This principle highlights the need to alert and monitor access to OT data, as lack of control can
facilitate sophisticated attacks and the manipulation of critical systems. Therefore, a sound
cybersecurity strategy must include controls over data flow and storage, as well as measures to
detect and respond to potential breaches.
Principle 4: Segment and segregate OT networks from all other networks
This principle highlights the importance of segmentation and segregation in OT environments to protect
against cyber threats and minimize the risks of compromise. The principle is based on the idea that
OT networks should be kept separate not only from corporate IT networks, but also from any other
networks that may introduce additional risks.
Importance of segmentation and segregation
● Risk reduction: OT networks are more critical than IT networks because they control
essential physical processes (e.g. electricity, water and transportation). These networks
should not be directly connected to IT networks, which tend to be more vulnerable because
of their exposure to the Internet and services such as email or web browsing.
● Security between OT and other networks: It is essential to protect not only the
communication between OT and IT networks, but also the connections between different OT
networks of third parties (such as suppliers, customers or partners). These connections can
become an attack vector if not properly managed.
Examples and implications of the principle
● Security in connections between OT and third parties: Connections to OT networks of
other players, such as energy providers or transmission companies, can open security gaps
if not properly managed.
● Physical and logical separation: It is recommended that critical functions be separated
physically and logically, to ensure that even if a less critical network is compromised, the
more critical networks remain protected.
● Security in systems administration: Administrative accounts and systems must be properly
segregated. For example, critical OT systems should not rely on services administered from
IT networks with lower levels of security, as compromising these accounts could put the OT
network at risk.
● Privilege escalation risks: An attacker accessing the IT network could escalate privileges
and compromise the firewall or OT network control devices if these infrastructures are not
adequately separated.
This principle emphasizes that any existing connection in an OT network must be considered a
potential point of vulnerability and treated with the highest level of security. Segmentation should not
only apply between OT and IT, but also between different zones within OT, according to their levels
of criticality. In addition, organizations should continuously evaluate administrative configurations to
ensure that the management of OT networks does not rely on less secure external systems.
Principle 5: The supply chain must be secure
Supply chain security has been a focus of attention for several years, and many previous
publications have already covered this area. However, in operational technology (OT) environments,
this principle highlights some additional specific considerations, as it is not sufficient to apply generic
controls.
Examples and considerations:
● Changing the perspective on supplier risk: Traditionally, only large or operationally critical
suppliers were rigorously evaluated. However, from a cybersecurity perspective, the size or
importance of the vendor is not determinative. A seemingly minor device or service can open
critical doors for attackers if it is not secure.
● Exposure in open OT environments: In OT systems, critical control messages are often
sent unencrypted, via multicast or broadcast messages that any device on the network can
receive and interpret. This makes any component in the environment – such as printers,
routers, or engineers' workstations – a potential access point for threats.
● Know the origin and path of devices: It is essential to track the origin and previous use of
devices connected to the OT network, including consultant or vendor laptops. These may
have previously connected to less secure networks, introducing a potential risk when
transferred to the OT environment.
● Evaluate hidden capabilities of devices: Not only is it important what devices can do in their
current configuration, but also what they could do if their firmware or configuration is altered.
If vendors have remote access to perform updates, organizations should ensure that the
firmware is cryptographically signed and its integrity verified prior to installation.
● Rigorous evaluation of vendor behavior: Organizations should consider vendor practices that
require exceptions to security policies as negative indicators. For example, if a vendor
requests direct connections from the OT network to the Internet for support or firmware
upgrades, the vendor's suitability should be questioned and more secure alternatives should
be sought.
● Traffic control and security analysis: A good control consists of connecting a device to the
network while capturing its traffic with a packet analyzer to verify that it is not
communicating without authorization with remote addresses.
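The traffic check above can be turned into a repeatable step: export flow summaries from the packet analyzer and compare every destination against an allowlist for the device. This is an added example, not code from the guide or the agencies that published it; the flow records, the OT subnet and the vendor update address are constructed placeholders.

```python
"""Check captured flows from a newly connected device against an allowlist
of authorized destinations. Added example; records and policy are constructed."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed sample of flow summaries as a packet analyzer might export them.
CAPTURE = """\
2024-05-01T10:00:01 192.168.50.20 -> 192.168.50.1:502 tcp
2024-05-01T10:00:03 192.168.50.20 -> 192.168.50.10:102 tcp
2024-05-01T10:00:07 192.168.50.20 -> 203.0.113.45:443 tcp
2024-05-01T10:00:09 192.168.50.20 -> 198.51.100.9:8883 tcp
2024-05-01T10:00:12 192.168.50.20 -> 224.0.0.251:5353 udp
"""

# Assumed policy: only the local OT subnet and one named vendor update host
# (placeholder address) are authorized destinations for this device.
AUTHORIZED_NETWORKS = [ipaddress.ip_network("192.168.50.0/24")]
AUTHORIZED_HOSTS = {"203.0.113.45": "vendor-update-server (placeholder)"}


def parse_flows(text):
    """Parse 'ts src -> dst:port proto' lines into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port, proto = line.split()
        dst, port = dst_port.rsplit(":", 1)
        flows.append(Flow(ts, src, dst, int(port), proto))
    return flows


def is_authorized(dst):
    """True if dst is an allowlisted host or lies inside an authorized network."""
    if dst in AUTHORIZED_HOSTS:
        return True
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in AUTHORIZED_NETWORKS)


def unauthorized_flows(text):
    """Return flows whose destination is outside the allowlist. Multicast and
    broadcast destinations are reported too, because the guide notes that any
    device on the segment can receive and interpret such messages."""
    return [f for f in parse_flows(text) if not is_authorized(f.dst)]


if __name__ == "__main__":
    for f in unauthorized_flows(CAPTURE):
        print(f"UNAUTHORIZED {f.src} -> {f.dst}:{f.dport}/{f.proto} at {f.ts}")
```

Any flow reported here is a question for the vendor before the device is accepted, in line with the point above that requests for unexplained outbound connections are a negative indicator.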
Supply chain security is critical because interconnections and dependencies between multiple
devices and systems increase exposure to cyber-attacks. A single compromised or mismanaged
device can represent a significant vulnerability for the entire OT infrastructure. Therefore, this
principle calls for maintaining tight control over all elements of the supply chain, ensuring that every
component that interacts with critical infrastructure meets the highest security standards.
Principle 6: People are essential to OT cybersecurity
This principle emphasizes that cyber security in operational technology (OT) cannot be achieved
without the active and skilled participation of people. Technical tools and processes alone are not
sufficient to prevent or detect incidents. Effective incident response depends on people with the right
training, skills and knowledge to handle these challenges.
Importance of a safety-based cybersecurity culture
● The principle highlights the need to build a strong cybersecurity culture, focused on physical and digital
safety. The organization must consider cybersecurity principles as an essential aspect of
workplace safety, not only as a technological obligation.
● Field technicians and other operatives are the first line of defense and play a crucial role in
detecting suspicious behavior. Although these employees are not typically cybersecurity
experts, their working knowledge of the OT environment enables them to identify anomalies
that could indicate cyber incidents.
Key challenges and strategies
● Diversified training: A cross-functional team is needed, consisting of cybersecurity experts,
control engineers, operations personnel and asset managers. All of these roles must align on
core OT principles, even if they come from different cultures and priorities.
● Cultural change: For personnel without engineering or critical infrastructure experience, it
can be a challenge to adopt a "safety first" approach. The organization must foster a shared
understanding among all areas involved.
● Fearless reporting: It is essential to empower operatives to report possible incidents without
fear of reprisal or ridicule. There must be clear procedures for observations to be assessed
and handled in a timely manner.
Development of cybersecurity awareness and culture
● Include cybersecurity in key processes: Cybersecurity should be integrated into safety
assessments, acceptance testing (FAT/SAT), and engineering change management.
Methods such as Cyber-Informed Engineering help strengthen this integration.
● Avoidance of risky behavior: A prime example is remote maintenance without informing on-
site personnel, which can cause operators to ignore abnormal behavior as normal. This
demonstrates the need for transparency in operations.
● Incident reassessment: Operators should be trained to consider the possibility of cyber
compromise in operational problems. Historically, these problems have been attributed only
to technical failures, which can result in the loss of key evidence for cyber investigations.
This principle emphasizes that the combination of technology, processes and people is essential to
maintain security in OT environments. Active engagement and preparedness of personnel, along
with a security-focused organizational culture, are fundamental to cyber resilience in critical
infrastructures.
Conclusion
The approach presented is not limited to establishing technical controls, but promotes a holistic
integration of cybersecurity across all dimensions of the OT environment: processes, people and
technology. The principles highlight the importance of aligning risk management with physical and
operational security, thus ensuring complete resilience. Collaboration between technical and
operational experts, along with efficient vendor and data management, is critical to maintaining the
integrity of critical infrastructures.
Finally, the adoption of these principles requires not only technological resources, but also a deep
organizational commitment that fosters a cybersecurity culture based on safety, collaboration and
transparency. With this framework, organizations will be able to meet current and future challenges
efficiently, ensuring the continuity of essential services and the protection of their most valuable
assets.