Homeland Security Issues Secure-by-Demand Document for OT Devices

March 4, 2025
Because many automation hardware and software components have cybersecurity weaknesses, this document provides detailed guidance for operations technology owners and operators.

As cyber threat actors increasingly target specific OT products rather than specific manufacturing sites, the Cybersecurity and Infrastructure Security Agency (CISA), a division of the United States Department of Homeland Security, in cooperation with global contributors, has created the “Secure by Demand: Priority Considerations for OT Owners and Operators when Selecting Digital Products” document.

According to the OPC Foundation, one of the contributing authors of this document, “This document outlines how several OT (operations technology) products are not designed nor were developed with secure by design principles. This means that these hardware and software components commonly have weaknesses when it comes to authentication, software vulnerabilities, limited logging, as well as insecure default settings and passwords.”

“This document outlines a checklist of capabilities that align with the vision of the OPC UA standard,” said Randy Armstrong, chairman of the Security Working Group of the OPC Foundation. “These capabilities give asset owners specific requirements to give to their perspective vendors, thus ensuring that owner/operators can secure their factories from modern cyber security threats. This document further serves as a valuable tool that allows asset owners to change the conversation with their vendors about what their needs will be when it comes to secure-by-design principles.”

Describing the motivation behind this document, Dr. Matthew Rogers, ICS (industrial control system) expert at CISA, explained, “The risk of a threat actor accessing the OT network is increasing due to business drivers for interconnectivity and the compromise of edge devices that enable segmentation. This “Secure by Demand” guidance for OT is the product of asset owners, governments, industrial automation and control system vendors, and industry groups all collaborating toward a more flexible and resilient implementation with their unique viewpoints and subject matter expertise. Asset owners should take this guidance to their vendors and procurement officials as they consider procuring new OT equipment.”

Michael Clark, director of the OPC Foundation North America, noted that, with this document, “we see well-articulated guidance directed toward OT owners and operators. By following the principles and best practices outlined therein, OT owners and operators are effectively securing critical infrastructure and making it more difficult for threat actors to be successful in their disruptive behaviors.”

Eleven internationally recognized security agencies accredited this document, supporting the advice delivered for the OT community and the suppliers that service this industry. Agencies accrediting the document include:

  • U.S. Cybersecurity and Infrastructure Security Agency 
  • U.S. Federal Bureau of Investigation 
  • U.S. National Security Agency 
  • U.S. Environmental Protection Agency 
  • Canadian Centre for Cyber Security 
  • Directorate General for Communications Networks, Content and Technology European Commission 
  • Germany’s Federal Office for Information Security 
  • Netherlands’ National Cyber Security Centre 
  • New Zealand’s National Cyber Security Centre 
  • United Kingdom’s National Cyber Security Centre 
  • Australian Signals Directorate’s Australian Cyber Security Centre 
