NSA, Partners Share Guidance for Selecting Secure OT Products

The National Security Agency, together with the Cybersecurity and Infrastructure Security Agency and other partner organizations, has issued guidance to assist operational technology owners and operators in selecting secure OT products.

Cybersecurity Information Sheet

The NSA said Monday the Cybersecurity Information Sheet, called “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators in the Selection of Digital Products,” outlines significant security elements to look for when purchasing OT products such as industrial automation and control systems. The CSI also includes questions to ask manufacturers.

Many OT products don’t have inherent security features or were not developed securely. These products are usually vulnerable to cyberattacks due to weak authentication, shared software weaknesses, limited logging, default settings, default protocols and default credentials.

According to the CSI, OT owners and operators should select products that feature vital security elements, such as:

  • Configuration management
  • Logging in the baseline product
  • Open standards, ownership
  • Protection of data
  • Secure by default
  • Secure communications
  • Secure controls
  • Strong authentication
  • Threat modeling
  • Upgrade tooling
  • Vulnerability handling

Aside from NSA and CISA, the other partner organizations include the FBI, Department of Energy, Environmental Protection Agency, Transportation Security Administration, European Commission, Australian Signals Directorate’s Australian Cyber Security Centre, Canadian Centre for Cyber Security, Germany’s Federal Office for Information Security, the Netherlands’ National Cyber Security Centre, New Zealand’s National Cyber Security Centre and the United Kingdom’s National Cyber Security Centre.

Dave Luber, director of cybersecurity at NSA, said, “The guidance not only helps owners and operators of critical systems secure their OT procurement lifecycles, it also sends a message to manufacturers to establish a more resilient and flexible cybersecurity foundation in their products.”