If you’re plugged into the realm of operational technology (OT) or keeping a vigilant eye on critical infrastructure cybersecurity threats, buckle up—there’s important news in the digital defenses arsenal. Many OT systems—the backbone of critical infrastructure like utilities, energy grids, and manufacturing—remain ripe targets for cyberattacks. Now, the Cybersecurity and Infrastructure Security Agency (CISA), backed by an ensemble of U.S. and international partners, has leveled up its efforts with fresh guidance under the Secure by Demand series. Let’s break it down for you.
What’s All the Buzz About?
CISA’s latest document, titled “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products”, is more than another tech buzzword checklist. It’s a call-to-action for OT operators to get proactive when choosing digital products and to integrate cybersecurity into procurement processes from the get-go.
The harsh reality? OT systems are an appealing digital goldmine for cybercriminals. According to the report, threat actors tend to go after vulnerabilities within specific OT products—not merely individual organizations—making all users of said products vulnerable. This means that even if you think your organization is off the radar, it’s not; if the tools you rely on have gaps, you’re an open door.
Why This Guidance Matters: A Quick Dive into “Secure by Design”
You might be asking, “What exactly does Secure by Design mean?” Great question! In simple terms, it’s a fundamental design philosophy that emphasizes building security features into a product from its inception. This contrasts starkly with the traditional “add security later” model, where manufacturers patch vulnerabilities only after issues arise. By prioritizing Secure by Design principles, organizations are less likely to introduce products riddled with weaknesses that hackers can exploit.
The guidance specifically urges OT owners and operators to:
- Look for Continuous Improvement: Favor manufacturers invested in regularly updating and securing their products.
- Balance Cost vs. Cyber Resilience: Understand that the cheapest option might cost far more in the long term if it’s vulnerable to cyber threats.
- Emphasize Secure Procurement: Bake in these priorities when negotiating contracts or evaluating new software solutions.
The Cyber Target: Why OT Systems Are in the Crosshairs
Here’s an unsettling truth: Cybercriminals love OT systems. Why? Because they regulate operations as vital as power grids, water treatment plants, and manufacturing. A breach in such systems can set off cascading failures—knocking out critical services or endangering lives. Combine this with the fact that many OT products weren’t originally conceived with cybersecurity in mind, and you get the perfect storm for exploitation.
For example:
- Legacy Systems: Some OT systems are 10 to 20 years old and were designed for reliability, not defense.
- Always-On: Unlike IT systems, OT equipment often runs 24/7, leaving minimal room for updates or downtime.
- Interconnected Risks: With the rise of the Internet of Things (IoT) in OT environments, devices designed without robust security protocols can become weak links.
Making Smarter Choices: Recommendations for OT Owners
The new guidance isn’t just finger-pointing at problems—it’s about equipping OT operators to make smart, proactive choices. Here are some actionable tips pulled from the playbook:
1. Demand Transparency
When shopping for OT products, your first question to manufacturers should be: “What are you doing to ensure this product is Secure by Design?” If they can’t give you a clear answer, consider it a red flag.
2. Evaluate Security Practices
Ensure the vendor has a track record of applying cybersecurity updates and addressing vulnerabilities promptly. Reference any past recalls or security notices issued about their products.
3. Assess Realistic Risks
Ask tailored questions to bring to light any inherent risks tied to the product. For instance:
- How often are software patches released, and how disruptive are they to runtime?
- Can the product function in isolated environments to minimize exposure to external networks?
4. Involve Stakeholders
Cybersecurity isn’t just the IT department's problem—it’s everyone’s problem. Collaborate with operators, engineers, and risk management staff to ensure a united procurement approach prioritizing security.
Zooming Out: A Broader Look at Secure by Demand
This guidance forms part of CISA’s broader Secure by Demand series, which aims to redefine how digital products are designed, sold, and maintained. It also dovetails with their Secure by Design framework, where manufacturers are encouraged to embed security into their development lifecycle.
Your Takeaway: Influence Matters
Many businesses underestimate their power when it comes to influencing the supply chain. OT owners can advocate for improved security measures during procurement discussions. The Secure by Demand Guide encourages operators to demand robust risk assessments, share planning recommendations across their industry sectors, and never cut corners for convenience's sake.
Next Steps for WindowsForum Members
If your organization leans on OT infrastructure, this guidance is relevant—and urgent. Here’s how you can jump-start your security journey:
1. Start Here
Dig into CISA’s Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem. It’s a roadmap for incorporating security into procurement and beyond.
2. Understand Common OT Threats
Explore case studies of OT-targeted attacks to understand the tactics deployed by adversaries. This will help you frame real-world scenarios when discussing procurement security with decision-makers.
3. Boost Awareness
If OT security feels overwhelming, educate your workforce about the risks posed by improperly secured systems. The more eyes on potential vulnerabilities, the better.
The Bigger Picture: Bridging OT & IT Security
One of the recurring themes in today’s tech environment is how closely intertwined OT and IT systems have become—and how this convergence demands robust cybersecurity protections. While IT-centric security updates are common knowledge to many WindowsForum users, integrating similar practices into OT environments is still a fairly emerging discipline.
Questions to ponder:
- Should OT procurement standards align closer with robust IT protocols?
- What role should governments (or even private sector watchdogs) play in holding manufacturers accountable for Secure by Design flaws?
So, what do you think? Is your organization in lockstep with these recommendations, or are these ideas raising new concerns for your OT landscape? Let’s hear it below!
Source: CISA, “CISA and US and International Partners Publish Guidance on Priority Considerations in Product Selection for OT Owners and Operators”