NIST has released its public draft of NIST Special Publication (SP) 800-82r3, Guide to Operational Technology (OT) Security. This is the third revision of NIST SP 800-82, with a new title reflecting an expanded scope, and it was produced through collaboration of the NIST Smart Connected Systems Division’s Networked Control Systems Group and the NIST Computer Security Division. It seeks to improve operational technologies security while addressing their unique performance, reliability, and safety requirements.
OT are programmable systems or devices that interact with the physical environment, or manage devices interacting with this environment. These systems/devices detect or cause change by monitoring and/or controlling devices, processes, and events. Examples include industrial control systems (ICS), building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems.
This revision provides an overview of OT and typical system topologies; identifies typical threats to OT-supported organizational mission and business functions; describes typical vulnerabilities in OT; and recommends security safeguards and countermeasures for managing risks. The revision also includes:
- Expanded scope, from ICS to OT
- Updates on OT threats and vulnerabilities
- Updates on OT risk management, recommended practices, and architectures
- Updates on OT security activities
- Updates on OT security capabilities and tools
- Alignment with OT security standards and guidelines, including NIST’s Cybersecurity Framework
- Tailoring guidance for NIST SP 800-53, Rev. 5 security controls
- OT overlay for NIST SP 800-53, Rev. 5 security controls, which provides baselines for low-impact, moderate-impact, and high-impact OT systems.
The period for commenting on this revision runs through July 1, 2022. The revision and instructions for submitting comments are online, and a direct link to the comment template and the comments email address sp800-82rev3 [at] nist.gov are also provided.