TLP:CLEAR
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) and partners warn that cyber threat actors, when compromising operational technology (OT) components, target specific OT products rather than specific organizations. Many OT products are not designed and developed with Secure by Design principles [1] and commonly have weaknesses, such as weak authentication, known software vulnerabilities, limited logging, insecure default settings and passwords, and insecure legacy protocols. Cyber threat actors can easily exploit these weaknesses across multiple victims to gain access to control systems.
When security is neither prioritized nor incorporated directly into OT products, it is difficult and costly for owners and operators [2] to defend their OT assets against compromise. This Secure by Demand guide, authored by CISA with contributions from the following partners, describes how OT owners and operators should integrate security into their procurement process when purchasing industrial automation and control systems as well as other OT products.
- U.S. National Security Agency (NSA) [3]
- U.S. Federal Bureau of Investigation (FBI)
- U.S. Environmental Protection Agency (EPA)
- U.S. Transportation Security Administration (TSA)
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- Canadian Centre for Cyber Security (CCCS)
- Directorate General for Communications Networks, Content and Technology (DG CONNECT), European Commission [4]
- Germany’s Federal Office for Information Security (BSI)
- Netherlands’ National Cyber Security Centre (NCSC-NL)
- New Zealand’s National Cyber Security Centre (NCSC-NZ)
- United Kingdom’s National Cyber Security Centre (NCSC-UK)
[1] CISA’s Secure by Design campaign urges technology providers to take ownership of their customers’ security outcomes by building cybersecurity into design and development. As part of CISA’s campaign, CISA and partners developed three core principles to guide software manufacturers in building software security into their design process. For more information, see the joint guide Secure-by-Design - Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.
[2] European Union (EU) legislation refers to essential and important entities, such as critical infrastructures as well as entities in the manufacturing sector.
[3] NSA manages the National Information Assurance Partnership (NIAP) program and is piloting the Operational Technology Assurance Partnership (OTAP) program. These oversee evaluation of Commercial Off-the-Shelf (COTS) IT and OT products for use in National Security Systems (NSS) and develop security functional requirements and assurance activities for the product evaluations.
[4] This document does not interpret European Union law, nor is it meant to be guidance for implementation of Union law. The document does not bind the European Commission. DG CONNECT contributed to the drafting of the document in order to cooperate on and emphasize shared cybersecurity principles. However, as this document is a multilateral effort, not all of its elements reflect Union law. Entities falling within the scope of Union law might use this document for information purposes only.