NIST: Reducing the Cybersecurity Risks of Portable Storage Media in OT Environments (2025), 3 pages

NIST Special Publication
NIST SP 1334
https://doi.org/10.6028/NIST.SP.1334
September 2025

REDUCING THE CYBERSECURITY RISKS OF PORTABLE STORAGE MEDIA IN OT ENVIRONMENTS

Portable storage media continue to be useful tools for transferring data physically to and from Operational Technology (OT) environments. For example, media can be used for updating firmware for a device in an isolated OT network or retrieving log data for offsite diagnostics. Universal Serial Bus (USB) flash drives are commonly used, in addition to external hard drives, CD or DVD drives, and other removable media.

Though portable storage media are convenient, their usage poses cybersecurity risks for operational environments. Procedural, physical, and technical controls are important for minimizing the likelihood of a cyberattack from portable storage media usage. The National Cybersecurity Center of Excellence (NCCoE) has developed cybersecurity considerations to be integrated into a broader cybersecurity risk management program to help OT personnel use portable storage media securely and effectively.

PROCEDURAL CONTROLS

An organization should develop policies that support asset management and enforce:
• Purchasing, authorizing, and managing organization-owned media. Devices provided by other sources should be considered untrusted.
• Procuring devices that support hardware-based encryption standards such as FIPS.
• Prohibiting media usage unless expressly authorized. Authorization should be limited to specific personnel and purposes.
• Procedures for provisioning, usage, storage, sanitization, and destruction.
• Enabling logs for traceability (e.g., system and user identity, device serial number, date and time).
• Training staff on policy and procedures.

PHYSICAL CONTROLS

One way to minimize risk when using portable storage media is to apply physical controls for accessing, labeling, and storing the media.
• Media should be stored in a physically secure location where only authorized individuals have access.
• Approved portable storage media should be inventoried and labeled. Labels may indicate:
  o Who may use it
  o On which network/system it may be used
  o Its functional purpose

Having a designated space to store approved media, in conjunction with access control and labeling, is a foundation for a well-implemented set of physical controls. This can be part of a larger asset management program.

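Resource description:

The National Cybersecurity Center of Excellence (NCCoE), part of the U.S. National Institute of Standards and Technology (NIST), published "Reducing the Cybersecurity Risks of Portable Storage Media in OT Environments" (NIST SP 1334) in September 2025. The purpose of the document is to help OT personnel use portable storage media securely and effectively, to integrate cybersecurity considerations into a broader cybersecurity risk management program, and to minimize the likelihood of a cyberattack resulting from media use.

The document covers the following:
1. Portable storage media (such as USB flash drives and external hard drives) are convenient in OT environments for tasks such as firmware updates and log retrieval, but their use carries cybersecurity risks and calls for a combination of procedural, physical, and technical controls.
2. Procedural controls: procure organization-owned media that support FIPS hardware-based encryption, prohibit unauthorized use, define procedures for the full media life cycle (provisioning, usage, storage, sanitization, destruction), enable logs for traceability, and train personnel.
3. Physical controls: store media in a secure location that only authorized personnel can access, and inventory and label approved media (indicating who may use it, the system it applies to, and its purpose).
4. Technical controls: disable unnecessary ports, restrict devices or file execution through allowlists, scan media before and after use with up-to-date malware detection tools, format media before reuse across devices or environments, enable write protection when media are only read, disable Autorun, encrypt data with FIPS-certified algorithms, and configure alerts for media insertion and data transfer.
5. Transport and sanitization controls: use encryption or locks when transporting media, verify hashes/checksums when transferring files, and sanitize media in accordance with NIST SP 800-88 Rev. 2 before disposal, keeping a record.

The document concludes that organizations can reduce the cybersecurity risks of portable storage media in OT environments by applying secure physical and logical controls to media access, storage, and use, and by training personnel to use media securely. It recommends integrating these cybersecurity considerations into a broader cybersecurity risk management program and consulting standards such as the Guide to OT Security (NIST SP 800-82 Rev. 3), Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Rev. 5), and Guidelines for Media Sanitization (NIST SP 800-88 Rev. 2).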
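
Added example (not part of NIST SP 1334 or of this listing): a Python check that matches media-insertion log records, carrying the traceability fields named under the procedural controls, against an inventory built from the label fields under the physical controls, and returns the alerts that the summarized technical controls call for. The log format, serial numbers, user names and host names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ApprovedMedia:
    serial: str
    users: frozenset    # label: who may use it
    systems: frozenset  # label: on which network/system it may be used
    purpose: str        # label: its functional purpose

# Constructed inventory; serials, users and hosts are illustrative only.
INVENTORY = {
    m.serial: m for m in (
        ApprovedMedia("SN-0001", frozenset({"alice"}), frozenset({"hmi-01"}), "firmware update"),
        ApprovedMedia("SN-0002", frozenset({"bob"}), frozenset({"historian-01"}), "log retrieval"),
    )
}

# Constructed insertion log, one record per line: date-time,system,user,serial
SAMPLE_LOG = """\
2025-09-03T08:15:00Z,hmi-01,alice,SN-0001
2025-09-03T09:02:11Z,hmi-01,bob,SN-0002
2025-09-03T10:40:27Z,plc-eng-02,carol,SN-9999
2025-09-03T11:05:42Z,historian-01,alice,SN-0002
garbled line
"""

def check_insertions(log_text, inventory=INVENTORY):
    """Return (line_no, reason) alerts for records that violate the inventory."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4 or not all(fields):
            # A record missing any field cannot be traced; flag it, do not skip it.
            alerts.append((line_no, "unparseable record"))
            continue
        _when, system, user, serial = fields
        media = inventory.get(serial)
        if media is None:
            alerts.append((line_no, f"untrusted media {serial} on {system}"))
        elif system not in media.systems:
            alerts.append((line_no, f"{serial} not approved for {system}"))
        elif user not in media.users:
            alerts.append((line_no, f"{user} not authorized for {serial}"))
    return alerts

if __name__ == "__main__":
    for line_no, reason in check_insertions(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```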
