NSA & CISA Release Guidance For Secure OT Product Selection
The National Security Agency (NSA) joins the Cybersecurity and Infrastructure Security Agency (CISA) and other organizations to publish guidance helping operational technology (OT) owners and operators integrate security when selecting OT products.
This new joint guidance helps operational technology owners and operators secure their procurement lifecycles. Learn the key security elements to consider and the right questions to ask manufacturers.
The joint Cybersecurity Information Sheet (CSI), “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators in the Selection of Digital Products,” highlights key security elements to consider when purchasing industrial automation and control systems and other OT products, as well as specific questions to ask manufacturers. Many OT products are not designed or developed securely, and they commonly have weaknesses that make them a target for cyber threat actors, including the following: weak authentication, shared software vulnerabilities, limited logging, default settings, default credentials, and default protocols.
“The guidance not only helps owners and operators of critical systems secure their OT procurement lifecycles, it also sends a message to manufacturers to establish a more resilient and flexible cybersecurity foundation in their products,” said Dave Luber, NSA’s Cybersecurity Director.
The CSI urges OT owners and operators to select products with the following key security elements:
The other agencies co-sealing the CSI are the Federal Bureau of Investigation (FBI), the U.S. Department of Energy, the U.S. Environmental Protection Agency (EPA), the U.S. Transportation Security Administration, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), the European Commission, Germany’s Federal Office for Information Security (BSI), the Netherlands’ National Cyber Security Centre (NCSC-NL), New Zealand’s National Cyber Security Centre (NCSC-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).
The report complements a previously published CSI, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software,” jointly released in April 2023 and updated in October 2023.
Boštjan Dolinšek
Cybersecurity Professional | Independent Representative at Primerica | Experienced Corporate Trainer | PTA Dad
1 month
I remember when studying for cybersecurity the question about maintaining the boundaries between OT and IT came up. We ended up discussing that in order to secure an organization, it won't for too long. As the threat landscape continues to evolve, so will our roles. We just hope that the executive-ship of these organizations can find appreciation in these ever expanding roles.
Lead, Infrastructure/Network and Security | Security Policy Development and Compliance
1 month
This is a significant step toward improving critical infrastructure security. By addressing common vulnerabilities like weak authentication, default credentials, and limited logging, this guidance empowers organizations to make informed decisions, ask the right questions to manufacturers, and prioritize security in industrial automation and control systems to reduce exposure to cyber threats.
CISO with expertise in operational technology at HRSD
1 month
Great, but some of our most critical infrastructure has a few issues with operationalizing this: older systems and no plan in place to replace them due to lack of funds, so telling people what to select is like asking a homeless person what they will order from a 5-star restaurant menu; many of these same, or even some with funds, have no focused ICS cybersecurity professional or even a dedicated seasoned network engineer to assist in secure installation; and many in the OT/ICS space won't gain access to this guidance unless their ISAC promotes it. These are just a few of the issues when government agencies with little to no operational asset ownership experience make guidance... it's Marie Antoinette circa 1765... Solutions? Government assistance on assessment and installation, but that has a cost and a risk. Do other asset owners have an answer? Feds and those without ownership of ICS assets need not respond.
CISSP, CCSP | Helping companies secure their applications and infrastructure
1 month
It's encouraging to see such comprehensive collaboration across international agencies, signaling a unified front against escalating cyber threats. However, the real challenge lies in driving manufacturers to adopt these guidelines as standard practice during product development. For organizations managing OT systems, integrating these security elements into procurement processes is not just a best practice, but an operational necessity. Failing to do so risks exposing critical infrastructure to vulnerabilities that adversaries are increasingly adept at exploiting.