OT Cybersecurity Quick Start Guide for IT Professionals
This guide is for IT security veterans who have a great understanding of well-worn cybersecurity concepts, principles, and lingo. We will not waste anyone’s time explaining what a firewall is or what exploitation means.
This is a no-nonsense guide to operational technology (OT) terms and OT cybersecurity concepts
for IT security pros who want to help their firms bolster the security around their critical
infrastructure. This is a crib sheet for security practitioners who want to speak the language
and understand the pain points of operational engineers as they’re trying to collaborate toward
improved OT security posture.
In addition to the glossary, the guide will provide some important concepts and tips for cyber
veterans to hit the ground running as they scope an OT cyber risk management plan that makes
sense for the business.
Contact: [email protected] | X: @DragosInc | LinkedIn: @Dragos, Inc.
FIRST THINGS FIRST: What is Operational Technology (OT)?
Operational Technology is the broad range of programmable systems or devices that interact with the physical environment or manage devices that interact with the physical environment.
Examples include:
• Industrial Control Systems (ICS)
• Building Management Systems
• Fire Control Systems
• Safety Control Systems
• Physical Access Control Mechanisms
Put simply:
OT = IT + Physics
The #1 Difference in Security Objectives Between IT and OT Environments
If IT cybersecurity leaders take one thing from this guide, it’s that security objectives are different in industrial and critical infrastructure settings.
Longtime IT cybersecurity experts understand the importance of upholding the CIA triad of cybersecurity, which is the maintenance of Confidentiality, Integrity and Availability of systems, in that priority order.
In OT systems, cybersecurity pros need to remember that the security prioritization will be an inversion of the CIA model, with availability always top-of-mind, above integrity and confidentiality.
[Figure: CIA versus AIC. General Purpose Information Technology Systems: Confidentiality, Integrity, Availability. Industrial Automation and Control Systems: Availability, Integrity, Confidentiality.]
Whether it’s to support always-on manufacturing lines, electrical grids, or pipeline operations, uptime is everything. The tolerance for downtime is minuscule compared to that for IT systems—not only from a productivity and profitability perspective, but also to support very serious safety concerns and mandates.
Common Stumbling Blocks for IT Cyber Pros to Avoid When Collaborating with OT Staff
Cybersecurity veterans should look out for the following common stumbling blocks that frequently impede progress in establishing a workable OT cybersecurity program.
• Lack of understanding of safety focus: OT cyber incidents can cause safety problems, but so can patching systems. This means risk calculations will be different.
• Lack of understanding of uptime requirements compared to IT systems: As explained above, uptime trumps confidentiality and even integrity concerns.
• Culture disconnects between OT engineers and IT staff: OT engineers are cut from a different cloth and are running on different priorities than IT staff. Cybersecurity experts have to be willing to understand the lingo and the culture in order to bridge the divide.
• Failing to use OT-native capabilities: IT tools that have been retrofitted to ‘work’ in OT environments are often unable to offer full visibility into OT systems and processes. More detrimentally, many of them introduce an unacceptable amount of downtime or disruption risk to critical industrial control systems.
Your North Star: SANS 5 Critical Controls for ICS Cybersecurity
A robust OT cybersecurity program focuses on protecting the most vital assets. Although comprehensive frameworks
like NIST and ISA/IEC 62443 exist to guide the development of a thorough plan, their complexity can sometimes
hinder prompt action. Our recommendation is to start with the implementation of the SANS 5 Critical Controls for ICS
Cybersecurity, which include:
1. OT-Specific Incident Response Plan
Have an operations-informed incident response plan with a focus on system integrity
and recovery capabilities during an attack.
2. Defensible Architecture
Design architectures that support visibility, log collection, asset identification,
segmentation, industrial DMZs, and process-communication enforcement.
3. ICS Network Visibility & Monitoring
Enable continuous network security monitoring of the ICS environment using
protocol-aware toolsets and system of systems interaction analysis capabilities.
4. Secure Remote Access
Identify all remote access points and allowed destination environments and implement
on-demand access and multi-factor authentication (MFA) where possible.
5. Risk-Based Vulnerability Management
Understand the cyber digital controls in place and device operating conditions to make
risk-based vulnerability management decisions regarding your OT environment.
Work with your operations team and OT security experts to start putting these controls
into practice, ensuring they are fully operational and can efficiently handle key
scenarios. As your program evolves, you’ll establish a risk management framework. This
will allow you to fine-tune your investments and enhance risk mitigation efforts.
Examining OT Architecture Below the Enterprise Level
One of the best ways for IT cybersecurity pros to understand what goes on under the hood of OT systems is to
get a basic grasp of the Purdue Model, an architectural reference model that maps out the relationships of both
IT and OT systems in an industrial setting.
Like the ISO 7-layer model, Purdue breaks things down into levels—in this case it is five layers from Level 0 to
Level 4. Level 4 is all enterprise IT systems that veteran cybersecurity pros understand well. Below that level,
you’ll find the OT systems that make up the fabric of industrial automation and control systems.
Network Monitoring Best Practices
Instrument monitoring of North-South traffic (IT/OT traffic) at Levels 3/3.5. This should include remote access traffic and minimal IT-only traffic. Monitoring of East-West traffic (OT/OT traffic) is done at Levels 1 and 2. This is critical to get broader exposure for a more complete asset inventory and asset profiles, which provide the basis for effective vulnerability management and threat detection.
[Figure: Platform Deployment Diagram, showing sensor placement across a remote site and a local plant. Text recovered from the figure:]
IT Security, Level 4, Enterprise: SOC, SIEM.
Level 3.5, DMZ: jump server, AV, patch.
Level 3, Operations Systems: historian. Operations Management includes systems that support managing workflows and scheduling across plant operations.
Level 2, Supervisory Control: HMI, SCADA & servers, host log collectors. Supervisory Control includes systems used broadly (and often remotely) to monitor and control physical processes.
Level 1, Basic Control: PLCs, RTUs, DCS controllers, SIS. Basic Control includes systems used to sense and manipulate the physical process at the 1:1 device level. Safety and Protection includes safety instrumented systems (SIS) that will trigger shutdowns when unsafe conditions are detected; they’re often logically separated from basic control.
Level 0, Physical Process: sensors, actuators. The machinery that governs the actual physical process.
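As an added example that is not part of the Dragos guide or the Dragos Platform, the following Python script applies the monitoring placement above to passively captured flow records: it assigns Purdue levels from subnets, separates North-South (across Level 3.5) from East-West (Levels 1 and 2) traffic, builds a passive asset inventory, and flags direct Level 4 to OT flows as well as anything other than Level 2 reaching Level 1. The subnets, hosts, ports and flow records are constructed sample data, and the Level 1 rule is an assumed conduit policy, not one the guide states.

```python
"""Passive Purdue-level conduit analysis over captured flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed subnet-to-level map; a real site keeps this in its asset inventory.
LEVEL_OF_SUBNET = {
    ip_network("10.4.0.0/16"):  4.0,  # Enterprise IT
    ip_network("10.35.0.0/24"): 3.5,  # Industrial DMZ: jump server, AV, patch
    ip_network("10.3.0.0/24"):  3.0,  # Operations systems: historian
    ip_network("10.2.0.0/24"):  2.0,  # Supervisory control: HMI, SCADA servers
    ip_network("10.1.0.0/24"):  1.0,  # Basic control: PLCs, RTUs, SIS
}

# Well-known ports, used only to label what the passive sensor observed.
PORT_LABELS = {502: "Modbus/TCP", 44818: "EtherNet/IP (CIP)", 3389: "RDP", 443: "HTTPS"}

# Assumed conduit policy (not stated by the guide): only supervisory control
# at Level 2 may talk to basic control at Level 1.
ONLY_LEVEL2_MAY_TALK_TO_LEVEL1 = True


def purdue_level(ip):
    """Return the Purdue level of an address, or None if it is not inventoried."""
    addr = ip_address(ip)
    for net, level in LEVEL_OF_SUBNET.items():
        if addr in net:
            return level
    return None


def classify(flow):
    """Label a flow north-south (touches or crosses Level 3.5), east-west, intra-level or unknown."""
    src, dst = purdue_level(flow["src"]), purdue_level(flow["dst"])
    if src is None or dst is None:
        return "unknown"
    if src == dst:
        return "intra-level"
    if max(src, dst) >= 3.5:
        return "north-south"
    return "east-west"


def check_conduit(flow):
    """Return policy findings for one flow; an empty list means the conduit is allowed."""
    src, dst = purdue_level(flow["src"]), purdue_level(flow["dst"])
    if src is None or dst is None:
        return ["endpoint not in asset inventory"]
    findings = []
    lo, hi = min(src, dst), max(src, dst)
    # Enterprise (Level 4) must never reach OT (Level 3 and below) except via the DMZ.
    if hi >= 4 and lo <= 3:
        findings.append("DMZ bypass: Level 4 talks directly to Level %g" % lo)
    # Basic control should only be driven from supervisory control (assumed policy).
    if ONLY_LEVEL2_MAY_TALK_TO_LEVEL1 and lo == 1 and hi != 2:
        findings.append("Level 1 reached from Level %g, not from supervisory control" % hi)
    return findings


def analyze(flows):
    """Build a passive asset inventory, a traffic-mix count and a violation list."""
    inventory = defaultdict(lambda: {"level": None, "ports": set(), "peers": set()})
    counts = defaultdict(int)
    violations = []
    for f in flows:
        counts[classify(f)] += 1
        for ip, peer in ((f["src"], f["dst"]), (f["dst"], f["src"])):
            inventory[ip]["level"] = purdue_level(ip)
            inventory[ip]["peers"].add(peer)
        inventory[f["dst"]]["ports"].add(PORT_LABELS.get(f["dport"], str(f["dport"])))
        for finding in check_conduit(f):
            violations.append((f["src"], f["dst"], f["dport"], finding))
    return {"inventory": dict(inventory), "counts": dict(counts), "violations": violations}


# Constructed flow records, as a passive sensor at Levels 1 to 3.5 might export them.
SAMPLE_FLOWS = [
    {"src": "10.35.0.10", "dst": "10.2.0.20",  "dport": 3389},   # jump server -> HMI
    {"src": "10.2.0.20",  "dst": "10.1.0.5",   "dport": 44818},  # HMI -> PLC over CIP
    {"src": "10.2.0.20",  "dst": "10.1.0.6",   "dport": 502},    # HMI -> RTU over Modbus
    {"src": "10.3.0.30",  "dst": "10.35.0.11", "dport": 443},    # historian -> DMZ relay
    {"src": "10.4.0.50",  "dst": "10.1.0.5",   "dport": 44818},  # enterprise host -> PLC
    {"src": "10.35.0.10", "dst": "10.1.0.5",   "dport": 44818},  # jump server -> PLC
    {"src": "10.2.0.21",  "dst": "10.2.0.20",  "dport": 445},    # SCADA server -> HMI
]

if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS)
    print("traffic mix:", report["counts"])
    for ip, asset in sorted(report["inventory"].items()):
        print("%-11s level %-4s ports %s" % (ip, asset["level"], sorted(asset["ports"]) or "-"))
    for src, dst, dport, finding in report["violations"]:
        print("VIOLATION %s -> %s:%d  %s" % (src, dst, dport, finding))
```

On the sample data the script reports four north-south, two east-west and one intra-level flow, and flags the enterprise host and the jump server both reaching the PLC directly.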
The Dragos Platform Delivers Value Across the SANS Five Critical Controls
ICS Incident Response Plan:
• Detect & contextualize threats
• Forensic data & timelines for investigations
• Response playbooks
Defensible Architecture:
• View asset groups & communications
• Validate security controls
• Audit & compliance
ICS Network Visibility and Monitoring:
• Asset discovery
• Protocol analysis
• Activity logging
• Threat detection
• Response playbooks
• Vulnerability management
Secure Remote Access:
• Monitor 3rd-party remote access sessions
• Validate SRA controls for internal and 3rd party
Risk-Based Vulnerability Management:
• Match vulnerabilities to asset inventory
• Now, next, never priorities & alt mitigation
• Track status to completion
The Dragos Platform: OT-Native Network Visibility & Monitoring
The Dragos Platform is the most effective OT-native cybersecurity monitoring and visibility solution. Integrating Asset Visibility, Vulnerability Management, Threat Detection, and Response, the platform enables organizations to align to SANS 5 Critical Controls to deliver an all-encompassing approach to securing OT/ICS systems against the sophisticated threat landscape.
• Asset Inventory, Discovery and Monitoring: The Dragos Platform automates discovery, management, and monitoring across all assets within the OT environment (OT, IT, IoT, and IIoT). It utilizes insights from 600+ protocols, network data, and logs, laying a foundation for effective vulnerability management, threat detection, and incident response with superior security and operational efficiency.
• Risk-based Vulnerability Management: Dragos is the only OT cybersecurity platform to provide corrected, enriched, prioritized guidance that allows customers to manage the full lifecycle of specific vulnerabilities in their environment, highlighting the highest priority vulnerabilities to mitigate risk, minimize downtime, and allocate cybersecurity resources where they are most needed.
• Intelligence-driven Threat Detection: The Dragos Platform rapidly pinpoints malicious activity in OT/ICS networks, providing in-depth context of alert insights and reducing false positives. Leveraging the MITRE ATT&CK framework, the platform maps detected threats to specific adversary tactics, techniques, and procedures (TTPs). Its distinct advantage lies in the continuous incorporation of cyber threat intelligence, enabling contextualized, threat-specific analytics that offer deeper detection capabilities aligned with industry-standard frameworks.
• Investigations and Response: Dragos Platform users can easily create cases to initiate investigations with relevant activity logs, timeline views, and reference response playbooks written by Dragos experts for a comprehensive approach to investigating incidents.
The Impact of Cyber Controls on Operational Efficiency
It is crucial to recognize that implementing the right cyber controls can lead to substantial improvements in
operational efficiency and uptime. In production environments, the question of “What happened and why?” is
frequently posed. While some answers may be straightforward, identifying the root cause of emergent problems often
proves challenging. Controls that enable the identification of new devices, monitor third-party remote access, and
log OT system commands offer a valuable data set. This data can be analyzed to understand events leading up to and
following issues, enhancing OT network visibility and monitoring.
Preventing Production Shutdowns and Managing Risks
The question arises: Can we prevent a shutdown of production, or if necessary, how can we execute an orderly
shutdown? Implementing risk-based vulnerability management offers alternatives to IT-driven device patches that
could halt production lines. In the event of an incident, a robust OT-specific incident response plan, which considers
critical processes and safety systems, is essential.
Safeguarding Critical Processes and Assets
Protecting critical processes and assets from IoT devices, transient network traffic, or third-party remote access
is paramount. This involves creating defensible architectures that segment equipment types and networks. Such
strategies lead to more resilient operating environments and minimize disruptions.
Maintaining Vigilance
Staying vigilant and continuously searching for potential problems is essential for maintaining operational integrity
and safety. This proactive approach helps in early detection and resolution of issues, ensuring the smooth functioning
of operations.
Reframing Common Cyber Terms and Concepts for ICS/OT
Ransomware: Just like in IT environments, cyber attackers target ICS/OT environments with ransomware attacks. But the risk from ransomware against OT organizations and OT assets is higher stakes all the way around, with greater risk to physical safety and continuity of critical processes at play. The 2021 ransomware attack that temporarily halted OT operations at Colonial Pipeline was a high-profile example of just such an attack.
[Sidebar: 50 ransomware groups carried out 905 reportable ransomware incidents impacting industrial organizations in 2023. That’s a 50% increase over 2022.]
Segmentation: Just as with IT security, network segmentation is a key best practice for limiting the blast radius of attacks against IT or OT assets in industrial organizations. But the consequences of poor segmentation are much more severe, as an attacker that moves laterally from a foothold made in an IT system to a critical OT system could threaten human safety or the sustainability of the business itself.
[Sidebar: In 2023, 70% of OT-related incidents originated from within the IT environment.]
Living off the land (LOTL): Attacks using fileless malware and leveraging existing system utilities and remote admin capabilities to execute commands are favored not just by advanced IT attackers, but also those that target ICS/OT systems. In addition to using tools that cross OT/IT boundaries like PowerShell, Windows Management Instrumentation, and Server Message Block, OT-threat groups also can use ICS protocols for living off the land (LOTL) attacks in ICS environments.
Now, Next, Never methodology: The Computer Emergency Response Coordination Center’s (CERT/CC) Now, Next, Never methodology used within the Dragos Platform is an excellent method of prioritizing patching and vulnerability remediation. It is especially important for OT assets, as the act of patching can sometimes be riskier than leaving a flaw in place and mitigating in some other way.
[Sidebar: Only 3% of OT vulnerabilities found in 2023 required immediate action from ICS operators, according to Now, Next, Never prioritization.]
Tabletop Exercises: As US Security and Exchange Commission Cybersecurity Risk Management rules tighten reporting timeframes for cyber incidents—whether in IT or OT networks—and other regulatory directives increase OT cyber response preparedness, organizations are increasingly seeing a need to practice their OT incident response procedures through OT cyber tabletop exercises.
[Sidebar: In 2023 the number of OT cybersecurity tabletop exercises increased 217%. Executive and board-level tabletops increased 350%.]
Vulnerability Management: Managing vulnerabilities in OT environments can be a drastically different affair than in IT because the tools, the methods for mitigation, and the risks—especially in the physical realm—are all very unique to OT. For example, the highest risk OT flaws are those that can cause loss of view or loss of control in ICS systems. On top of that OT systems often run continuously, with months or years before a maintenance window allows for patches. This means creative mitigations are crucial.
[Sidebar: 68% of new ICS/OT vulnerabilities found in 2023 can be addressed by network monitoring, network segmentation, or multifactor authentication.]
Incident Response Plan: Industrial organizations and those that operate critical infrastructure need a cyber
incident response plan that’s specific to OT—and it can’t be copy-and-pasted from the IT incident response plan. OT
environments face different risks, incidents in these environments have escalated consequences, and they need a
different approach to monitoring and response. For example, forensic data must be collected differently to maintain
stricter operational and uptime requirements; and systems can’t be triaged by shutting them down and disconnecting
them. Most importantly: OT cyber incident response requires a blend of expertise that bridges the knowledge and
cultural space of the IT and operational engineering teams. Internal cyber incident response teams can rarely bridge
that gap on their own.
Zero Trust: As zero trust and micro segmentation grow in importance for IT network security, many cybersecurity
pros wonder if they can transfer the same principles to OT networks. Because of the unique demands and operational
realities of ICS networks, organizations can’t take a cookie cutter approach to OT zero trust. MFA is crucial, but
measures like active monitoring and how zones or segments are designed will be different.
Active vs. Passive Scanning: IT-style active scanning for asset discovery and vulnerability management is frequently
problematic for OT systems and can have big operational and compliance ramifications for industrial processes. This is
why OT-native cybersecurity tooling places a heavy emphasis on well-designed passive scanning.
IoT: Just like IT environments, internet of things (IoT) devices are pervasive in OT settings. Industrial internet of things
(IIoT) devices are commonly used for sensors that can help measure and optimize operational processes. The Dragos
Platform extends its coverage to IoT and IIoT devices when they are used in OT processes and systems.
OT Cybersecurity Glossary
Air Gap: An age-old term used to describe the disconnection of a device or system from a network or the internet at large. Air gaps were once the primary means of industrial cybersecurity protection. Today they’re not only ineffective and outdated, but they also rarely exist with the rise of IT/OT integration and digital transformation.
Common Industrial Protocol (CIP): An industrial protocol for industrial automation applications that is supported by the Open DeviceNet Vendors Association (ODVA). CIP is often at the nexus between OT and IT networks. It is used in industrial settings to integrate applications that govern control, safety, synchronization, motion, configuration and information in industrial equipment with enterprise-level IT networks and the internet. EtherNet/IP, DeviceNet, CompoNet, and ControlNet protocols all fall under the CIP protocol umbrella.
CRASHOVERRIDE: The first-ever malware framework designed and deployed to attack energy assets in Ukraine in December 2016.
Critical Infrastructure: Assets, machinery, systems and networks that provide functions that are necessary to maintain our modern way of life, including those that provide power, water, telecommunications and manufactured goods to society at large.
Crown Jewel Analysis: A process of mapping an OT environment and identifying the most valuable assets—including facilities, networks and systems crucial to business missions or under high safety thresholds—that would be the first place to start in bolstering OT cybersecurity monitoring and controls and appropriately managing OT cyber risk.
Cybersecurity Management System (CSMS): A methodical approach to developing an ICS cybersecurity program as recommended by the IEC 62443 set of cybersecurity standards.
Data Logger: A software database that collects and stores data generated by ICS assets. They’re typically high-performance databases capable of processing and storing high volumes of real-time data. Also referred to as data historians or process historians.
Data Historian: A software database that collects and stores data generated by ICS assets. They’re typically high-performance databases capable of processing and storing high volumes of real-time data. Also referred to as process historians or data loggers.
Distributed Control Systems (DCS): A process control system that connects autonomous controllers, sensors and actuators in a distributed system with no centralized operator supervisory control. DCS control loops are designed for reliability and, unlike SCADA, DCS is typically controlled and managed on premises rather than remotely.
Embedded Device: A small computer system, usually comprised of hardware and software, designed to carry out a very specific function within a larger computer system or device. ICS systems are usually comprised of a tapestry of embedded devices.
Field Device: Industrial equipment that controls actions or measurement. Field devices can include sensors, actuators, and valves.
Fieldbus I/O Modules: An interface module between a central processor and industrial machinery. They allow field input devices like sensors and switches to communicate with field output devices like valves, drives and indication lights.
5 Critical Controls: SANS Institute identified five critical controls for organizations to align ICS/OT cybersecurity with their IT cybersecurity readiness. These five controls are: 1. ICS incident response plan, 2. A defensible architecture, 3. OT-specific visibility and monitoring, 4. Secure remote access, 5. Risk-based vulnerability management.
Human Machine Interface (HMI): A hardware or software interface in which an operator can interact with an industrial controller. HMIs can include everything from physical control panels to software-based dashboards.
Industrial Automation and Control System (IACS): A synonymous term for an industrial control system (ICS) used by the ISA/IEC 62443 series of standards.
Industrial Control System (ICS): A generalized term that refers to the broad class of systems used to control and monitor industrial machinery and processes. ICS typically includes both hardware and software components that can perform a range of tasks that include carrying out programmable actions on physical processes, remote diagnostics, maintenance actions and human interface. Some common components or subtypes of ICS include DCS, SCADA, PLC and HMI systems.
ICS Network: A collection of ICS devices and applications that are connected together (and often to the internet and/or IT networks) to optimize automation and remote supervision of end-to-end industrial processes or facilities.
Industrial Internet of Things (IIoT): A collection of industrial sensors, telemetry and devices connected to each other and the Internet, providing communication between physical devices and cloud-based processes. IIoT is sometimes conflated with ICS but is distinct through its use of IoT reference models that lean heavily on 5G connectivity and IoT gateway/edge connections, send data outside enterprise confines and are not constrained by Purdue model hierarchies.
IT/OT Convergence: The integration and interconnection between IT and OT systems to improve automation and efficiency and facilitate the exchange and analysis of relevant data within industrial settings.
Loss of Control: The malfunction in an OT system that obstructs or changes an operator’s control over a system due to a cybersecurity incident or other digital reliability issue. LOC could include malicious changes to device state to cause hazardous conditions or shutdowns, or unintentional failures due to activity elsewhere in the ICS network.
Loss of View: The malfunction in an OT system that disrupts the flow of data around a process due to a cybersecurity incident or other digital reliability issue. LOV could include complete loss of visibility into a process or a distortion of data due to either malicious manipulation or unintentional damage.
MITRE ATT&CK for ICS: A comprehensive cybersecurity framework for identifying, assessing and mitigating cyberattacks on industrial networks.
Open Device Vendors Association (ODVA): A standards organization and trade association for companies that make industrial equipment that leverages industrial automation applications. ODVA oversees the protocol CIP.
Open Platform Communications (OPC): A set of software standards that coordinates how control devices communicate industrial plant floor data to automation applications.
Operational Technology (OT): Programmable systems or devices that interact with the physical environment or manage devices that interact with the physical environment.
OT-Native Cybersecurity: Cybersecurity monitoring and control systems purpose-fit for the unique design, availability, and safety concerns of OT environments. These stand in contrast to IT systems that are retrofit for limited usage in OT environments, but which could cause blind spots in visibility or interfere with availability or safety goals.
Process Control Network (PCN): An industrial network that connects equipment that powers physical processes, including machinery, lighting, conveyors, HVAC and appliances, to control or automation systems.
Process Historian: A software database that collects and stores data generated by ICS assets. They’re typically high-performance databases capable of processing and storing high volumes of real-time data. Also referred to as data historians or data loggers.
Programmable Logic Controller (PLC): A ruggedized industrial computer used to control operational actions or outputs of industrial machinery based on the inputs it monitors from that piece of equipment. PLCs are usually small and modular. They can frequently be rack-mounted into devices with thousands of inputs and outputs that are networked to other PLC and SCADA systems.
Purdue Model: A hierarchical architectural/control model (also known as a reference model) that breaks up OT and IT into six functional levels from Level 0 to Level 5. At the bottom is the physical level of equipment like pumps, compressors, and valves at Level 0. At the top is the enterprise network equipment of Level 5. The model is devised to help visualize and conceptualize the layers of restrictions and security controls between levels of connection and traffic.
Remote Terminal Unit (RTU): A microprocessor-controlled electronic device that connects industrial field devices to ICS networks. They’re the interface between a physical process and digital systems like SCADA and DCS that control, monitor and automate them.
Safety Instrumented Function (SIF): Functions that take an industrial process or device to a safe state when a hazardous or unsafe condition is detected. An SIF is carried out by a safety instrumented system (SIS).
Safety Instrumented System (SIS): A system of hardware and software controls within industrial machinery designed to shut down equipment when it detects dangerous conditions. Also commonly referred to as emergency shutdown systems (ESS) or safety shutdown systems (SSD), SIS is usually comprised of a combination of sensors, logic solvers and control elements.
Safety Integrity Level (SIL): The measurement of performance of a safety system in industrial environments, typically calculating the relative level of risk reduction provided by a safety instrumented function (SIF).
Safety Network: An industrial network that communicates real-time signals from physical processes to ICS systems that can trigger the shut-down of machinery in the event of dangerous malfunction or operator error. CIP Safety and Fail Safe over EtherCAT (FSoE) are two common safety network protocols.
Supervisory Control and Data Acquisition (SCADA): A type of ICS that uses computers and networked communication to supervise a variety of field devices across an industrial environment. It offers a universal means to manage processes across facilities, either locally or remotely.
Supervisory Controller: A server that runs the software that communicates with, controls, and automates functionality of field devices like remote terminal units and programmable logic controllers. Also referred to as a SCADA server.
Stuxnet: The first real example of ICS-specific malware. Discovered in 2010 and likely in development for five years before that, it targeted programmable logic controllers and was used to disable Iranian nuclear centrifuge equipment.
Cybersecurity Regulations and Standards Commonly Referenced in OT Environments
Worldwide
ISA/IEC 62443: One of the most universal global sets of voluntary frameworks for ICS/OT cybersecurity, this is a series
of standards developed by the International Society of Industrial Automation (ISA) in conjunction with the International
Electrotechnical Commission (IEC). The ISA Global Cybersecurity Alliance advocates for adoption of ISA/IEC 62443
worldwide. It is geared for all sectors of industry using automation and control systems.
Maritime E26/27: International cybersecurity regulations for securing the integration of OT/IT equipment on ship networks, emphasizing cyber resilience through identification, protection, detection, response, and recovery.
United States
Cybersecurity Capability Maturity Model (C2M2): A set of standards and self-evaluation tooling
developed by the US Department of Energy and coalition of critical infrastructure stakeholders to measure cyber
program maturity and advance their IT and OT cyber readiness. It’s a model that covers 350 different cybersecurity
practices across 10 different domains. While established specifically to help energy providers bolster their OT cyber
programs, it’s designed to be used in a range of industries and use cases.
Cybersecurity Maturity Model Certification (CMMC): A US Department of Defense (DoD) program that sets
cybersecurity standards across IT and OT cyber domains. Manufacturers that build products for the DoD supply chain
operate with a three-tier system of maturity and are subject to CMMC-driven assessments. The pending CMMC 2.0
rules are under review by federal rulemakers.
NIST Cybersecurity Framework (NIST CSF V2.0): One of the most well-known and widely adopted voluntary
standards, NIST CSF provides foundational cybersecurity best practices guidance for guiding security programs across
all technology environments, OT or IT.
NIST Special Publication (SP) 800-82: A document for critical infrastructure organizations providing foundational
guidance on hardening OT environments while keeping the unique performance, reliability, and safety considerations
of these systems in mind. This is a good OT-specific companion guidance to help IT pros who are already working on
adherence to NIST CSF and would like to align their OT security program with those efforts.
NIST Risk Management Framework (800-53 RMF): A comprehensive, flexible, and repeatable 7-step process for
managing information security and privacy risk for organizations and systems across a range of industries, but most
specifically designed for government agencies and their suppliers to satisfy Federal Information Security Management
Act (FISMA) requirements.
North American Electric Reliability Corporation Cybersecurity Standards Implementation Plan (NERC CIP): A series
of standards developed to protect critical cyber assets used to operate North America’s Bulk Energy Systems (BES) and
associated devices from attack. Released in 2008, NERC CIP standards are mandatory and enforceable.
US Cybersecurity and Infrastructure Agency Binding Operational Directive (CISA BOD): A mandatory directive for
federal, executive branch, departments and agencies on how to conduct asset discovery, vulnerability detection, and
vulnerability management across both IT and OT infrastructure.
US Transportation Security Administration Security Directive Pipeline 2021-02C (TSA SD02C): A regulation for owners and operators of TSA-designated critical pipeline systems and facilities to create a cybersecurity implementation plan for their IT and OT systems, develop and maintain a cybersecurity incident response plan, and develop a cybersecurity assessment program for proactively assessing and auditing these cybersecurity measures.
SEC Disclosure Regs: The new US Securities and Exchange Commission cybersecurity regulations apply not only to IT cybersecurity but also to OT. Boards and cybersecurity leaders must understand that incident preparedness and response will be different for OT systems, but all these connected systems need policies and procedures in place to ensure an organization meets SEC standards for cyber risk management and appropriate breach disclosure.
Europe
NIS2 Directive: European Union mandates for cybersecurity of Operators of Essential Services (OES). Organizations unable to comply with the best practices laid out by NIS2 are subject to fines of up to €10 million or 2 percent of their total global annual turnover.
German IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0 – IT-SiG2): An enforceable cybersecurity regimen for critical infrastructure organizations in Germany that spans energy, food, transport and traffic, water supply, manufacturing, wastewater and waste management, healthcare, digital infrastructure, finance and insurance, IT, and companies of special public interest.
UK Cyber Assessment Framework (CAF): A voluntary cybersecurity framework developed by the UK’s National Cyber Security Centre (NCSC) that is broken into 14 cybersecurity and resilience principles. Originally designed for organisations responsible for Critical National Infrastructure (those designated as Operators of Essential Services (OESs) as defined by the NIS Regulations), the CAF has been updated to have broader applicability and is now at the core of the UK government’s cybersecurity strategy.
Australia
Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP): Requires owners and operators of critical infrastructure assets in Australia to create and maintain a critical infrastructure risk management program. It introduced a new framework for enhanced cyber security obligations required for operators of systems of national significance (SoNS). SLACIP amended Australia’s Security of Critical Infrastructure Act of 2018 (SOCI).
Enhanced Cyber Security Obligations for Systems of National Significance (ECSOs for SoNS): The additional cyber security controls specified in SLACIP. SoNS are a select group of critical infrastructure assets that are designated by the Australian government to be most crucial to the nation. SoNS are determined by the Minister for Home Affairs based on “their interdependencies across sectors and potential for cascading consequences to other critical infrastructure assets and sectors if disrupted.”
CISC Risk Assessments for SOCI Compliance: Risk assessments conducted by Australia’s Cyber and Infrastructure Security Centre (CISC) across Australia’s critical infrastructure to determine obligations laid out by the Security of Critical Infrastructure Act of 2018 (SOCI).
GCC
Kingdom of Saudi Arabia Operational Technology Critical Controls (KSA OTCC): The KSA OTCC consists of a set of cybersecurity controls and best practices that are tailored to the specific needs of the Kingdom of Saudi Arabia. It includes guidance on four primary domains: governance, defense, resilience, and third-party cybersecurity. The framework is mandatory for all organizations that operate critical infrastructure in the country, including those in the energy, transportation, and healthcare sectors.
Dragos has a global mission to safeguard civilization from those trying to disrupt the industrial infrastructure we depend on every day.

The Dragos Platform offers the most effective industrial cybersecurity technology, giving customers visibility into their ICS/OT assets, vulnerabilities, threats, and response actions. The strength behind the Dragos Platform comes from our ability to codify Dragos’s industry-leading OT threat intelligence, and insights from the Dragos services team, into the software. Our community-focused approach gives you access to the largest array of industrial organizations participating in collective defense, with the broadest visibility available.

Our solutions protect organizations across a range of industries, including electric, oil & gas, manufacturing, building automation systems, chemical, government, water, food & beverage, mining, transportation, and pharmaceutical.

Dragos is privately held and headquartered in the Washington, DC area with regional presence around the world, including Canada, Australia, New Zealand, Europe, and the Middle East.

Schedule a demo with one of our industrial cybersecurity experts to see how Dragos can help you on your journey: dragos.com/request-a-demo
Copyright © 2024 Dragos, Inc. All Rights Reserved.