On April 23, the National Security Agency (NSA) released a Cybersecurity Technical Report (CTR) to share recommendations for security policies and technical requirements for operational technology (OT) smart controller devices installed in National Security Systems (NSS).
The growing convergence of IT and OT systems, along with the advanced cyber capabilities of our adversaries, has introduced new threats to OT environments. These threats increase the risk of cyber incidents that could disrupt critical missions, endanger public safety, and cause financial harm.
This increased risk is a notable concern for smart controllers, intelligent OT embedded devices with enhanced capabilities normally associated with IT network devices, which are potential high-value targets for adversaries.
Improving the security policies, testing requirements, and overall security posture of NSS OT systems is crucial to responding to the increased risk to these systems and keeping them secure.
The CTR, “Operational Technology Assurance Partnership: Smart Controller Security within National Security Systems,” provides the first steps in developing minimum security requirements for smart controllers within NSS that align with the moderate-moderate-moderate (M-M-M) National Institute of Standards and Technology (NIST) countermeasures baseline. It also includes an analytical comparison of NIST security controls and existing International Society of Automation (ISA) technical requirements for OT devices.
The findings of the analysis identify inadequately addressed security controls and outline future requirements that fill these gaps.
The study captured in the CTR primarily focuses on identifying inadequately addressed security controls for smart controllers. The study also helps with developing the Operational Technology Assurance Partnership (OTAP), a pilot process for the cybersecurity testing of NSS OT components.
Additionally, the findings of this study will be submitted to the ISA standards committee for consideration toward future updates to ISA-62443-4-2. ISA-62443-4-2 outlines cybersecurity technical requirements for the components in industrial automation and control systems.