
NIST SP 800-82 Rev. 3

Guide to Operational Technology (OT) Security

Currently in draft form, NIST SP 800-82 Rev. 3, Guide to Operational Technology (OT) Security, offers best practices for improving the security of OT systems. OT comprises programmable systems or devices that interact with or manage the physical environment.
These systems and devices include:
  • Industrial control systems (ICS) (the focus of Rev 2)
  • Building information systems
  • Transportation systems
  • Physical access control systems (buildings with servers that store user data, access privileges, and audit logs)
  • Physical environment monitoring and measurement systems that identify and analyze water, air, and soil pollution sources

OT is a key aspect of critical infrastructures that are becoming increasingly integrated, mutually dependent, and connected via wireless networking. This interconnectedness puts OT implementations at greater risk of threats from hostile governments, terrorist groups, and other types of malicious actors, as well as system failures caused by accidents and natural disasters. Because of its role in critical infrastructures such as power grids, region-wide transit operations, and hydroelectric dam systems, OT requires security solutions tailored to its environments, over and above those used in traditional information technology systems.


The NIST SP 800-82 Rev. 3 draft cites these security objectives for OT:

  • Restrict logical access to the OT network, network activity, and systems.
  • Restrict physical access to the OT network and devices.
  • Protect individual OT components from exploitation.
  • Restrict unauthorized modification of data.
  • Detect security events and incidents.
  • Maintain functionality during adverse conditions.
  • Restore the system after an incident.

NIST SP 800-82 applies many of the security controls outlined in NIST SP 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations, as is, though 800-82 provides additional information or interpretation to make some controls OT-specific. The NIST Cybersecurity Framework (CSF) is also applicable; 800-82 includes some Categories with OT-specific areas that are not part of a non-OT CSF application.

800-82 Rev. 3 advises that an effective cybersecurity program for OT systems applies a “defense-in-depth” strategy, which layers security mechanisms to minimize the impact if any one fails. This strategy includes the following:

  • Developing OT-specific security policies, procedures, and training
  • Addressing security throughout the OT system life cycle
  • Logically separating the corporate and OT networks
  • Establishing redundant critical components that are on redundant networks
  • Designing critical systems in such a way as to prevent catastrophic cascading events
  • Disabling unused ports and services
  • Following the principle of least privilege, restricting user privileges to only those required to perform each user's specific function
  • Installing intrusion-detection, antivirus, and file-integrity–checking software
  • Deploying software and firmware security patches and updates
