Topics on this page:
- Overview
- Guidelines
  - Applicable controls for OT systems from the Information Security Control Standard
  - Additional network control recommendations and guidance
  - Data Classification Standard as applied to OT systems
- Guidance
  - Identify
  - Protect
    - Network devices, such as routers, switches and firewalls
    - Environment control systems
    - Biometric and fob/electronic keys
    - Personal devices
    - Power supply systems
    - Protect telecommunications cabling from interception or damage
    - Physical access to the facilities
    - Highly sensitive facilities
    - Access to the facilities
    - Protect people from entering a potential dangerous area
    - Redundancy
  - Detect
  - Respond
  - Recover
- Appendix
- Glossary
Overview
Preamble
There are a number of critical services at the University of Toronto that depend on operational technology (OT).
“OT encompasses a broad range of programmable systems and devices that interact with the physical environment (or manage devices that interact with the physical environment)”[1] that include common systems such as “supervisory control and data acquisition (SCADA), distributed control systems (DCS), programmable logic controllers (PLCs), building automation systems (BAS), physical access control systems (PACS) and the Industrial Internet of Things (IIoT)” and all similar tools and systems deployed at U of T.
These systems perform functions such as controlling access to a power plant and the devices in it, to a building or to a laboratory; controlling fume hoods; controlling access to, and devices within, animal facilities; controlling the temperature of refrigeration units; maintaining air flow within a laboratory; accessing a laboratory; etc.
Access to many of these control components is achieved through an internet connection to a computing device. All components need to be protected, similarly to IT systems, but with an understanding that in the OT environment, the focus is usually on safety, availability, integrity and confidentiality, in that order.
Unauthorized changes to OT controls could damage, disable or shut down equipment, create environmental impacts, endanger human and animal life or have other serious negative effects for U of T.
The following are examples of potential consequences[2] of an OT incident, including serious impacts that are possible due to the wide variety of research carried out at U of T. These examples illustrate why it is very important to identify and protect OT systems, detect any changes to a system, respond if there is an incident and recover from the incident.
- Impact on national security – some of the research materials at U of T can potentially be used to facilitate an act of terrorism.
- Injury or death of employees, e.g., through unauthorized shutdown of a fume hood, which can lead to an incident or injury.
- Injury or death of persons in the community, e.g., through release of hazardous material.
- Loss of research animal life if research animal life support systems are compromised, which can lead to serious regulatory consequences, loss of research data and high recovery costs.
- Loss of research material / impact to research material, through unauthorized changes in variables or theft of data. This can mean the loss of many years of work and loss of research reputation for principal investigators and U of T.
- Release, diversion or theft of hazardous materials.
- Environmental damage.
- Damage to equipment.
- Reduction or loss of production at one site or multiple sites simultaneously.
- Violation of regulatory requirements.
- Criminal or civil legal liabilities.
Purpose
The purpose of these guidelines is to provide a curated summary of the National Institute of Standards and Technology (NIST) guide to operational technology (OT) security (NIST SP 800-82r3)[3] as applicable to U of T, outlining minimal and critical controls applicable to OT systems, plus guidance on approaches to securing OT at U of T.
Audience
As listed in NIST SP 800-82r3 and applicable to U of T:
- Control engineers, integrators and architects who design or implement OT systems.
- System administrators, engineers and other information technology professionals who administer, patch or secure OT systems.
- Managers who are responsible for OT systems.
- Senior management who need to better understand risk for OT systems as they justify and apply an OT cyber security program.
- Vendors that are developing products that will be deployed as part of an OT system at U of T.
Scope and applicability
The guidelines apply to all U of T-managed OT systems that enable and support U of T operations and environments.
The goal of these guidelines is to provide those responsible for OT with guidance to safely deploy and operate OT systems and environments.
Guidelines
Applicable controls for OT systems from the Information Security Control Standard
OT systems at U of T must be protected in accordance with the University’s Information Security Control Standard.
The table below highlights priority controls for OT, as per NIST’s guide to OT security. These priority controls are a subset of the controls in the U of T standard. Given the possible impact of misuse of OT, it is recommended that units managing OT review the additional controls in the Information Security Control Standard and apply compensating controls where necessary.
Control area | Controls from the U of T set that are specifically mentioned in the NIST OT document | Notes |
---|---|---|
Access control | | RBAC (Role-Based Access Control) can be used to manage access to OT devices/components |
Awareness & training | AT-1 | |
Audit & accountability | | The controls under audit should be reviewed and more than the minimum implemented. It is necessary to determine that the OT systems are performing as intended. |
Configuration management | | Asset management (CM-1) is essential. For CM-7, it is critical to test changes to assure this will not impact OT system operation. |
Identification & authentication | | Ensure identification meets required controls. If not possible, provide mitigations through access controls. 800-82r3 recommends OT network accounts should not use corporate network accounts. |
Incident response | IR-1 | Should an incident occur, it is critical to also have plans in place to manage evacuation of people and containment of the physical effects of an event. |
Maintenance | | |
Media protection | | Protect media on which configurations of OT systems are recorded. |
Personnel security | PS-2 | |
Physical protection | | OT systems should be protected from physical access by unauthorized personnel. Restrict physical access to the OT network and components. See guidance. |
Risk assessment | | Include misuse of OT systems in the risk assessment. |
Security assessment | | |
System & communications protection | | See network controls below for more detail. |
System & information integrity | | |
* Highlighted controls are in the approval process and are recommended at this time.
Additional network control recommendations and guidance
The University’s Information Security Control Standard controls SCP-1, SCP-2, SCP-5, SCP-6 and SCP-7 do not provide sufficient detail for needed controls for OT systems. Since network management is critical for OT systems, C1 is recommended. Specific guidance is provided for C1. Also consult NIST 800-82r3 figure 16, which is a high-level example of the Purdue model and IIoT model for network segmentation with DMZ segments.
C1:
The OT network should be logically separated from the corporate network, or be on physically separated network devices, to prevent any interconnectivity of traffic between the two networks.
Guidance for C1:
Logical separation of networks can be achieved in different ways. Two well-known techniques used to create logical separation are virtual local area networks (VLANs) and virtual routing and forwarding (VRF) instances. The former operates at layer 2 and the latter at layer 3. The OT network should employ logical network separation by leveraging VLANs and/or VRFs and, at minimum, by placing control devices on a separate logical network from other OT components.
Physically separated networks can achieve full or partial isolation of the OT network from the corporate network. Full isolation is accomplished when network equipment between the corporate network and the OT network is never shared. Partial isolation occurs when there is one or more entry/exit point(s) between the two networks. Physical network separation may be a suitable approach for high security equipment, e.g. electrical high-voltage switchgear.
See guidance under number two, “Protect” for further detail.
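As an added illustration of C1 (not part of the U of T guideline or of NIST SP 800-82r3), the following check takes a segmentation design and flags two kinds of deviation: a permitted flow that joins the corporate network directly to an OT zone instead of terminating at the DMZ entry/exit point, and a non-control OT component placed on the control devices' logical network. The zone names, the rule and device records and the sample data are all constructed for this example.

```python
# Added example: consistency check of a segmentation design against C1.
# Zone names, record formats and sample data are constructed, not from the page.
from dataclasses import dataclass

CORPORATE, OT, OT_CONTROL, DMZ = "corporate-vrf", "ot-vrf", "ot-control-vlan", "ot-dmz"
OT_ZONES = {OT, OT_CONTROL}

@dataclass(frozen=True)
class Rule:            # one inter-zone firewall/ACL rule
    src: str
    dst: str
    action: str        # "permit" or "deny"

@dataclass(frozen=True)
class Device:
    name: str
    role: str          # "control" (PLC, RTU, ...) or another OT role (HMI, historian, ...)
    zone: str          # the VLAN/VRF the device is placed on

def c1_findings(rules, devices):
    """Return C1 violations; an empty list means the design is consistent with C1."""
    findings = []
    # 1. No permitted flow may connect the corporate network directly to an OT zone;
    #    every cross-network flow must terminate in the DMZ (the entry/exit point).
    for r in rules:
        if r.action != "permit":
            continue
        ends = {r.src, r.dst}
        if CORPORATE in ends and ends & OT_ZONES:
            findings.append(f"direct corporate/OT interconnection: {r.src} -> {r.dst}")
    # 2. Control devices sit on their own logical network: no other OT component
    #    may share a zone with them.
    control_zones = {d.zone for d in devices if d.role == "control"}
    for d in devices:
        if d.role != "control" and d.zone in control_zones:
            findings.append(f"{d.name} ({d.role}) shares control network {d.zone}")
    return findings

# Constructed sample: a historian reachable from corporate only via the DMZ,
# plus one mistaken rule and one misplaced HMI that the check should flag.
SAMPLE_RULES = [
    Rule(CORPORATE, DMZ, "permit"),
    Rule(DMZ, OT, "permit"),
    Rule(CORPORATE, OT_CONTROL, "permit"),   # violation: bypasses the DMZ
    Rule(CORPORATE, OT, "deny"),
]
SAMPLE_DEVICES = [
    Device("plc-ahu-01", "control", OT_CONTROL),
    Device("hmi-ahu-01", "hmi", OT_CONTROL),  # violation: on the control network
    Device("historian-01", "historian", OT),
]

if __name__ == "__main__":
    for f in c1_findings(SAMPLE_RULES, SAMPLE_DEVICES):
        print("C1 finding:", f)
```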
Data Classification Standard as applied to OT systems
The U of T Information Security Control Standard is dependent on the Data Classification Standard (level 1 to 4). The possible impact of malicious or accidental misuse of OT systems should guide whether the control should be applied at level 1, 2, 3 or 4, and not the data involved. In the OT environment, the focus is usually on safety, availability, integrity and confidentiality, in that order. In many cases, the control for OT systems should be based on requirements for level 3 or 4.
Guidance
Consistent with existing IT cyber security programs and practices, U of T departments and divisions (units) should develop and deploy an OT cyber security program. However, the lifespan of an OT system can exceed 20 years. As a result, many legacy systems may contain hardware and software that are no longer supported by the vendors and cannot be patched or updated to protect against known vulnerabilities. Legacy systems also may not provide desired features such as error logging, password protection or encryption capabilities. In that case, the security program should tailor compensating controls. Such compensating/mitigating controls should be documented, added as exceptions to a risk register and time limited. Refer to additional recommendations in the NIST guide as needed.
Overall, the effectiveness of an OT cyber security program is enhanced through coordination or integration with a unit’s and U of T’s processes and information security program.
Given the possible impacts, in addition to the Information Security Control Standard controls, the following guidance (best practices) can help protect OT and electronic systems and ultimately improve and strengthen the overall cyber and physical security of U of T’s assets and facilities. The guidance can also reduce the vulnerability of components/systems and data to malicious attacks, equipment failures and other threats. OT security measures are designed to reduce the likelihood of accidental or deliberate loss or damage to University assets and the surrounding environment.
1. Identify
2. Protect
Below is a list of suggested additional protective controls. The recommendation for the “Identify” section (above) is to prioritize the inventory based on the possible consequences of failure of an asset. Using the prioritized inventory as a basis, choose protective controls that apply to the identified asset.
3. Detect
Below is a list of suggested additional detection controls. The criticality of the asset, as decided under “Identify”, helps prioritize the order to apply recommended detection controls to the assets.
4. Respond
As with protect and detect, the criticality of the asset as decided under “Identify” helps prioritize the order to apply the recommendations below.
5. Recover
The recover function supports timely recovery to normal operations to reduce the impact from an incident. Based on the prioritization of assets dependent on the impact of an incident, as per “Identify”:
Appendix
Tables
Table 1[5]: Possible definitions for OT impact levels based on product produced, industry and security concerns.
This table is directly copied from NIST SP 800-82r3, table 3. It provides some guidance in deciding criticality of particular OT, based on the impact.
U of T staff managing OT in specific areas are best placed to decide impact for the systems under their care.
Category | High | Moderate | Low |
---|---|---|---|
Outage at multiple sites | Significant disruption to operations at multiple sites with restoration expected to require one or more days | Operational disruptions at multiple sites, with restoration expected to require more than one hour | Partially disrupted operations at multiple sites, with restoration to full capability requiring less than one hour |
National infrastructure and services | Impacts multiple sectors or disrupts community services in a major way | Potential to impact sector at a level beyond the company | Little to no impact to sectors beyond the individual company; little to no impact on community |
Cost (% of revenue) | > 25% | > 5% | < 5% |
Legal | Felony criminal offense or compliance violation affecting license to operate | Misdemeanor criminal offense or compliance violation resulting in fines | None |
Public confidence | Loss of brand image | Loss of customer confidence | None |
People onsite | Fatality | Loss of workday or major injury | First aid or recordable injury |
People offsite | Fatality or major community incident | Complaints or local community impact | No complaints |
Environment | Citation by regional agency or long-term significant damage over large area | Citation by local agency | Small, contained release below reportable limits |
Glossary
Keywords as defined in NIST SP 800-82r3 glossary
Keywords as defined in NIST SP 800-82r3 document
References
Footnotes
1. NIST SP 800-82r3 (2023, final)
2. Some impacts are taken from NIST SP 800-82r3 (2023)
3. NIST SP 800-82r3 (2023, final)
4. Under OT System Design Considerations
5. Table copied from NIST SP 800-82r3, page 46