OT-Security-Policy-Template
Author:
Scope
<enter address>
Authority
Purpose
The purpose of this policy is to define the activities associated with securing <company name>'s OT
environments and networks, and thereby protecting <company name>'s OT systems, networks, data, databases
and other assets. Additional policies governing other information security activities will be addressed
separately.
Scope
The scope of this OT security policy is all operational technology systems, including but not limited to
SCADA, PLCs, first-level automation, HMIs, all machine and infrastructure controls, and any managed-service
infrastructure the entity depends on, together with the systems connected to or enabled by them.
Statement of compliance
This policy is designed to be compliant with ISO/IEC 27001:2013 (Information technology. Security techniques.
Information security management systems), IEC 62443 and other applicable compliance directives and guidance.
Wherever possible this policy will incorporate and improve upon applicable standards and guidelines.
Compliance with the OT security policy is managed by the OT security team, with support from other departments.
In order to achieve full compliance, OT security processes must include appropriate controls, workflows and
procedures, and must identify the staffing and technology resources needed to meet compliance requirements,
which vary by region and other parameters. All OT systems, vendors and solutions must comply with the
applicable mandates; any exception or deviation must be recorded with adequate evidence.
All departments and associated personnel are required to give full cooperation and assistance in the
implementation of the OT security policy. Any failure to do so should be documented with adequate evidence.
This policy binds <company name>, its employees, vendors and all other stakeholders to comply with this
policy in letter and spirit. Failure to do so will attract penalties and action as deemed appropriate under the
<company name> rules and regulations.
Policy
As part of its duty of care to its customers and as a matter of good business practice, the confidentiality,
integrity and availability of all OT applications, devices, structures, controls, data, systems, protocols,
disaster recovery and resilience frameworks, and network resources implemented in an OT environment at
<company name> are to be managed through a formal information security management program.
This program will provide a controlled and orderly method by which access to <company name>'s information
systems connected with OT is requested, reviewed and granted by the appropriate authority. All systems should
be monitored and analyzed for violations of security controls. Violations should be addressed and mitigated,
and changes to security systems and procedures must be requested, tested, approved and communicated, and
recorded for audit purposes.
Through this policy <company name> strives to work towards ensuring security of OT systems and
infrastructure at all times.
1. This policy addresses all <company name> Operational Technology, systems, data and networks
implemented in private, hybrid and/or public cloud infrastructures, plus all other <company name> OT
assets as identified by the OT security team.
2. The OT security team will define baseline security processes and procedures; procure and operate
specialized software and systems to reduce the risk of breaches; regularly test the security of the
company's OT perimeters from inside and outside using penetration tests, vulnerability assessments and
other assurance methods; and document all related information, procedures and controls.
3. The <company name> OT security team will prepare and document OT information security and
cybersecurity plans with a focus on assets and data, and will facilitate the maintenance and review of
those plans.
4. The <company name> OT security team will assess the need for, and procure, threat intelligence that is
relevant to detecting threats and malware in OT environments, and will use it to identify and address
cyberthreats.
5. The OT security team will periodically conduct risk and vulnerability assessments covering internal and
external threats to, and vulnerabilities of, the OT environment.
6. The OT security team will ensure that all OT assets are accounted for and inventoried, together with
known vulnerability (CVE) information for each asset and data on who has access to it and with what
privileges.
7. The OT security team will also work towards segregating OT networks (for example into zones and
conduits, as described in IEC 62443) to limit malware propagation and contain intrusions.
8. All HMI systems and control systems will be audited periodically to ensure they are secure and free
from unauthorized modification or external control.
9. The relevant infrastructure management team will maintain the inventory of all OT assets and networks.
10. The OT security team will also establish a policy for managing information throughout its life cycle:
creation, storage and destruction.
11. The OT security team will also establish a policy for accessing <company name> systems, networks,
applications and devices, both locally and remotely, including access controls; this policy will also cover
authentication of <company name> and non-<company name> users.
12. The OT security team will also publish, and periodically update, guidelines for remote access.
13. The OT security team will also ensure that malware and other attacks (e.g., ransomware, spam, phishing,
denial-of-service attacks and other unauthorized access attempts) are prevented or detected through the use
of appropriate software and other prevention and detection resources. It will ensure that all vendors with
access to OT systems have access to, and use, comparable defense mechanisms.
14. The OT security team will establish a network perimeter security and intrusion detection and prevention
policy to ensure that unauthorized attempts to penetrate the <company name> OT security perimeter are
detected and prevented.
15. The OT security team will establish and document a formal process for identifying a possible security
breach (e.g., theft of information, social engineering, unauthorized access to systems), assessing the
breach, determining its nature and possible impact, notifying <company name> response teams, management
and other stakeholders, minimizing the impact of the breach as quickly as possible, and documenting the
steps taken when dealing with the incident. The response process will be designed to maximize resilience
and the effectiveness of the response.
16. The OT security team will provide OT security education, training and awareness programs.
17. The OT security team will include business continuity and disaster recovery in its security controls.
18. The OT security team will define the consequences of violations of the security policy.
19. The OT security team will define how security incidents are reported and managed.
20. The OT security team, in collaboration with the company legal department, shall prepare and have
executed appropriate service level agreements (SLAs) with OT and other critical service providers to
ensure acceptable third-party vendor performance.
21. Data handled at <company name> within any approved OT environment, whether at rest, in transit or in
use, must be protected.
22. <company name> employees must sign an employee contract agreeing to accept and comply with the OT
security policies at the time they are hired and on a regular basis (e.g., annually) through the employee
handbook and/or in contract renewals, to account for policy changes over time.
23. All proposed changes to OT security operations are to be documented in detail and published.
24. The risk of OT security breaches that may impact <company name>'s operations should be identified and
recorded in the company's information security management system and associated plans.
25. The OT security team will develop a schedule of all relevant security activities for the company and
will ensure that these activities are completed on time. Extensions may be granted for individual activities
on a case-by-case basis; blanket extensions are not permitted except in cases of force majeure.
26. The OT security team will ensure that all security policies and associated procedures comply with
applicable legislative, regulatory and contractual requirements, as well as accepted standards and good
practice.
27. All proposed changes to this OT security policy are to be processed and documented through the company's
OT change management system.
Policy leadership
<Title of executive> is designated as the corporate owner responsible for OT security activities for the
Company. Resolution of issues in the support of OT security activities should first be coordinated with IT
management, SCADA and PLC management teams, the corporate information security team, and others as
required from time to time.
Policy responsibilities
• Policy framing and drafting -- The <title of executive> is responsible for framing and drafting this OT security policy.
• Policy approval -- The <title of executive> is responsible for approving this policy.
• Policy implementation -- The <enter name of department or individual> is responsible for planning,
organizing and implementing all activities that fulfill this policy.
• Policy maintenance and updating -- The <enter name of department or individual> is responsible for all
activities associated with maintaining and updating this policy.
• Policy monitoring and review -- The <enter name of department or individual> is responsible for monitoring
and reviewing this policy.
• Policy improvement -- The <enter name of department or individual> is responsible for defining and
implementing activities that will improve this policy.
• Policy auditing -- The <company name> internal audit department, or an approved external audit
organization, organizes and coordinates the completion of OT security policy audits, in collaboration with
the IT department and/or other stakeholders.
Management review
<Enter name of department or individual> will review and update this OT security policy on an annual basis. As
the need for changes to this security policy becomes apparent in the course of business, <enter name of
department or individual> may initiate a change management process to update this policy.
All management inputs will be considered for action and adopted as per established protocols.
All changes and updates to this policy will be communicated to all stakeholders.
Policy enforcement
The <title of executive> will enforce this policy. Non-compliance will be reported to < > and recorded, with
adequate evidence, as part of the compliance record.
In situations where Operational Technology security activities do not comply with this policy, the OT security
team will prepare a written report stating the reason(s) for non-compliance and present it to the relevant
team for resolution. Failure to comply with this OT security policy, or with any SLAs established with external
firms, within the allotted time for resolution may result in <penalties as required>.
Policy location
The policy will be signed, scanned into an electronic file and posted in the following location on the network:
<enter location of policy>.