Agencies release joint guide on zero trust adoption in operational technology

The Cybersecurity and Infrastructure Security Agency and other federal agencies released a joint guide yesterday for organizations to apply zero trust principles to operational technology systems. Zero trust is a cybersecurity strategy that is guided by the principle that no users or devices are safe and must always be verified. The guide includes insights on overcoming unique constraints, addressing potential challenges and prioritizing key areas for integrating zero trust principles. OT environments in health care include tools that manage energy control, HVAC, life-safety systems, door access controls, physical security systems and alarms.

"Operational technology underpins the systems Americans rely on every day, and adversaries know it," said FBI Cyber Division Assistant Director Brett Leatherman. "Nation-state actors are pre-positioning on these networks because OT controls critical physical processes, and because these environments often lack the visibility to detect them early. … Resilience in OT isn't achieved through any single control; it requires layered defenses that raise the cost for adversaries at every stage."

For more information on this or other cyber and risk issues, contact John Riggi, AHA national advisor for cybersecurity and risk, at [email protected], or Scott Gee, AHA deputy director for cybersecurity and risk, at [email protected]. For the latest cyber and risk resources and threat intelligence, visit aha.org/cybersecurity (https://www.aha.org/cybersecurity).