
CISA Issues Guidance on Procuring OT Products With Secure-by-Design Principles


The U.S. Cybersecurity and Infrastructure Security Agency has released guidance to support operational technology owners and operators in acquiring secure industrial automation and control system products.

Titled “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products,” the guidance recommends that OT owners and operators choose products that use open standards. This approach allows for easy switching between providers without compromising security. Additionally, solutions based on open standards enable organizations to stay at the forefront of security advancements, allowing for the rapid adoption of innovations such as new encryption algorithms.

The guide also highlights the importance of selecting solutions with strong authentication capabilities. It especially emphasizes role-based access control, attribute-based access control and phishing-resistant multi-factor authentication. These elements provide OT operators with mechanisms that support best practices in identity and access management.

Other key secure-by-design elements that should be included in an OT product, as listed in the guidance, are:

  • configuration management,
  • logging in the baseline product,
  • ownership,
  • data protection,
  • secure by default,
  • secure communications,
  • secure controls,
  • threat modeling,
  • vulnerability monitoring, and
  • upgrade and patch tooling.

According to the guidance, organizations that choose to purchase solutions incorporating secure-by-design principles ensure a high level of security for their systems. This also sends a message to the industry, demonstrating a greater demand for solutions that provide a resilient and flexible cybersecurity foundation.

The document is part of the Secure by Design series, which aims to protect a wide range of entities from cyberthreats by addressing common software weaknesses during the software development phase. CISA’s recommendations were made in collaboration with various organizations, including the National Security Agency, the FBI, the Environmental Protection Agency, the Transportation Security Administration, and partners from Australia, Germany, Canada, New Zealand, the U.K., the Netherlands and the European Commission.
