Following SolarWinds, NSA Publishes OT Security Guidance for Fed Space

by Chris Brook on Monday May 3, 2021

To reduce malicious cyberattacks against operational technology (OT) following last year's SolarWinds attack, the National Security Agency has released an evaluation methodology for network owners.

Hot on the heels of guidance via CISA and NIST on how organizations can better defend against software supply chain attacks, the National Security Agency released instructions last week on how to fine-tune any operational technology setups following last year's SolarWinds attack.

This guidance is technically for agencies in the defense department and third-party military contractors; the NSA called on National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) owners to heed its advisory last Thursday.

The gist of the advisory is to highlight some of the dangers often inherent in connectivity. Operational technology, or OT, is essentially any technology - hardware or software - that can detect and control changes through the monitoring of industrial or manufacturing process equipment or assets.

While the basic warning here is simple - think twice and weigh the risk before connecting OT to an IT network - the NSA acknowledges that sometimes, connectivity is necessary. When those times arise, have the right steps in place to prevent exploitation.

When connecting OT networks to IT networks, the NSA stresses having the appropriate mitigations in place, including the ability to limit access, actively monitor, log all access attempts, and cryptographically protect remote access vectors.

Until some of these mitigations, like monitoring, are in place, entities should also ensure that all remote access connections are disconnected and that an OT network map and OT network communication baseline have been established.

Of course, before even going through these steps, an organization needs to come to terms with the fact that it's better to leave an OT system unconnected or islanded when it comes to keeping it protected from threats. Even an occasionally connected OT system "can be a good compromise because it is only at risk when it is connected, which should only be done when required, such as for downloading updates or during times when remote access is required for a finite period of time."

The NSA also encourages entities to consider the cost of mitigating the risks that stem from connecting OT networks to an enterprise IT system, especially since many OT systems can be older, approaching end of life, and could prove costly when it comes to ensuring they're updated and secured from a wide-scale compromise.

"Mindfully prioritize and consider the risks before allowing enterprise IT-to-OT connections. While OT systems rarely require outside connectivity to properly function, they are frequently connected for convenience without proper consideration of the true risk and potential adverse business and mission consequences. Taking action now can help improve cybersecurity and ensure mission readiness," the NSA's guidance reads.