Zero Trust


CISA Joint Guidance Secure by Demand Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products


    Posted Jan 13, 2025 11:06:00 AM
    Edited by Michael Roza Jan 13, 2025 11:45:26 AM

    Hi All,

    The Cybersecurity and Infrastructure Security Agency (CISA) and partners warn that cyber threat actors, when compromising operational technology (OT) components, target specific OT products rather than specific organizations. Many OT products are not designed and developed with Secure by Design principles and commonly have weaknesses, such as weak authentication, known software vulnerabilities, limited logging, insecure default settings and passwords, and insecure legacy protocols. Cyber threat actors can easily exploit these weaknesses across multiple victims to gain access to control systems.

    When security is neither prioritized nor incorporated directly into OT products, it is difficult and costly for owners and operators to defend their OT assets against compromise. This Secure by Demand guide, authored by CISA with contributions from the following partners, describes how OT owners and operators should integrate security into their procurement process when purchasing industrial automation and control systems as well as other OT products.

     U.S. National Security Agency (NSA)

     U.S. Federal Bureau of Investigation (FBI)

     U.S. Environmental Protection Agency (EPA)

     U.S. Transportation Security Administration (TSA)

     Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC)

     Canadian Centre for Cyber Security (CCCS)

     Directorate General for Communications Networks, Content and Technology (DG CONNECT), European Commission

     Germany's Federal Office for Information Security (BSI) 

     Netherlands' National Cyber Security Centre (NCSC-NL)

     New Zealand's National Cyber Security Centre (NCSC-NZ)

     United Kingdom's National Cyber Security Centre (NCSC-UK) 

    When procuring products, OT owners and operators should select products from manufacturers who prioritize the following security elements: 

    1. Configuration Management: The product supports controlling and tracking modifications to configuration settings and engineering logic. Seek out manufacturers whose products back up and deploy system configurations in a secure and simple manner. 

    2. Logging in the Baseline Product: The product supports logging of all actions (including changes to configuration, security events, and safety events) in the baseline versions using open standard logging formats. Seek out products that come with standardized access and change logs for building incident response capabilities. 

    3. Open Standards: The product uses open standards to support secure functions and services and for migrating configuration settings and engineering logic. Seek out products that support open, interoperable standards to facilitate replacing or adding products. 

    4. Ownership: The product gives owners and operators full autonomy over said product, including maintenance and changes. Seek out products that enable operator autonomy while minimizing dependency on the vendor. 

    5. Protection of Data: The product protects the integrity and confidentiality of data, services, and functions, including a product's configuration settings and engineering logic. Seek out products that treat operational data as valuable and protect it at rest and during transit to and from vendors and manufacturers. 

    6. Secure by Default: The product is delivered secure out of the box, reducing the attack surface and removing the burden on owners and operators. Seek out products that include all security features in all versions; eliminate default passwords; allow for appropriate length and complexity for passwords; use secure up-to-date versions of protocols with older insecure protocols (e.g., SNMPv1/2, Telnet, SSL, TLS 1.0/1.1) disabled by default; do not unnecessarily expose external interfaces; and provide authorized users the ability to reset product configuration to its original state. 

    7. Secure Communications: The product supports secure authenticated communication with digital certificates deployed that fail loudly (e.g., when a certificate expires) but allows critical processes to continue. Seek out products that simplify digital certificate deployment and renewal such that operators do not need to be cyber experts to achieve secure authenticated communications. 

    8. Secure Controls: The product is resilient to threat actors sending malicious emergency, safety, or diagnostic commands; protects the availability of essential functions; withstands active security scanning; and minimizes the impact of an incident on the overall system. Seek out manufacturers who can demonstrate trusted safety-critical controls and explain how operators can continuously verify and regain that trust. 

    9. Strong Authentication: The baseline version of the product, especially safety-critical equipment, protects against unauthorized access through appropriate control measures, including role-based access control and phishing-resistant multifactor authentication. Seek out manufacturers that have eliminated the use of shared role-based passwords in their products. 

    10. Threat Modeling: The product has a full and detailed threat model. Seek out products that have an up-to-date threat model that articulates the ways in which it might be compromised, along with security measures implemented to reduce these threat scenarios. 

    11. Vulnerability Management: The manufacturer has a comprehensive vulnerability management regime in which products are rigorously tested to help ensure they contain no known exploitable vulnerabilities. Each product has a clearly defined support period during which vulnerabilities are managed and patches are supplied free of charge. Seek out manufacturers who include hardware and software bill of materials with product delivery and who commit to timely remediation of vulnerabilities through a vulnerability disclosure program. 

    12. Upgrade and Patch Tooling: The product has a well-documented and easy-to-follow patch and upgrade process and supports moving to a supported operating system version at no extra cost if the original operating system is soon to be no longer supported. Seek out products that can be verified and that support owner-controlled patch management. 



    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, EMBA, CSA
    ------------------------------