Critical infrastructure organizations have been urged to take action to ensure their operational technology (OT) products are secure by design.
Government agencies from the Five Eyes intelligence and security alliance, alongside European partners, issued a joint advisory on January 13 to critical infrastructure firms setting out the key security considerations when purchasing OT products.
The guidance is designed to ensure OT owners and operators choose products and manufacturers that follow secure-by-design principles, which reduce the likelihood of damaging attacks occurring.
Shifting the Security Burden to Manufacturers
The burden of industrial cybersecurity costs falls disproportionally on OT owners and operators rather than manufacturers, the advisory argued.
Despite this, it is the manufacturers who have the greatest ability to improve the security of their products and reduce risk for their customers.
Making purchasing decisions based on security should serve to create market incentives for OT manufacturers to improve their product security.
The US Cybersecurity and Infrastructure Security Agency (CISA) emphasized the need for critical infrastructure organizations to move away from legacy environments, which necessitates prioritizing the purchase of products that enforce secure-by-design principles.
“OT owners and operators will send a message to manufacturers to stimulate the supply of secure by design products. Manufacturers that implement these considerations can establish a resilient and flexible cybersecurity foundation in their products that OT owners and operators can build on over the coming decades,” the agency wrote.
Jonathon Ellison, Director of National Resilience and Future Technology at the UK’s National Cyber Security Centre (NCSC), commented: “This new guide gives organizations practical advice on how to prioritize OT products that are secure by design when making purchasing decisions, helping to mitigate the very real cyber threats they face.”
He added: “I strongly advise UK operators of OT systems to follow this guidance to help set a strong foundation for their cyber resilience and to send a signal to manufacturers that security is more than just an extra feature for products but a requirement in demand.”
Secure by Design in OT Products
The guidance shared what secure-by-design features OT products should include.
For instance, OT products should ship without default passwords and should include phishing-resistant multifactor authentication (MFA).
There ought to be easy-to-follow patch and upgrade processes, with owners and operators given full autonomy over maintenance and changes made to the product.
Additionally, the manufacturer should have a comprehensive vulnerability management regime to ensure the product contains no known exploitable vulnerability from the outset.
Other parts of the guidance focus on product resiliency against hacker activity, such as protections against attackers sending malicious emergency, safety or diagnostic commands. OT products should also ensure essential functions remain available in the event of an attack.
The advisory added that the manufacturer should provide a full and detailed threat model that articulates the ways the product could be compromised, along with security measures implemented to reduce these threat scenarios.
The new advisory follows guidance published by CISA and the ACSC in October 2024 for securing OT environments.