Operational Technology Configuration Standard
Purpose
To outline required configuration settings for any Operational Technology (OT) devices attached to the university network.
Scope
This standard applies to all Operational Technology (OT) devices that are supported by the university. This covers all OT devices purchased with university funds regardless of which funds are used.
Standard
Automated system patching
All OT devices must be configured to automatically install patches and firmware updates within 90 days of release. Acknowledging that OT devices often lose support faster than workstations and servers, OT devices that are no longer supported by their vendor can still be used on the university network so long as the OT device is running the last available update and there are no known vulnerabilities for that update.
Network placement
All OT devices will be attached to the university network with guidance from the ITS Networking team. The ITS Networking team has purpose-built subnets for housing OT devices. OT devices cannot be placed in a subnet that is accessible to the Internet without written approval from the Chief Information Security Officer, and that approval must be renewed annually. When an OT device needs to be accessible to the Internet, the ports that are made accessible and the IP addresses that can access the OT device will be minimized as much as possible. Because of the potential life/safety impacts of exposing OT devices to the Internet, remote access for vendor support will, when possible, be provided by provisioning a VPN account to the vendor supporting the OT device.
Exceptions
All exceptions to this standard require written approval from the Chief Information Security Officer. All exceptions require annual renewal.
Revision History
August 2024 – Standard adopted