Joint guidance on secure by demand and priority considerations for operational technology owners and operators when selecting digital products

The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ (U.S.) Cybersecurity and Infrastructure Agency (CISA) and the following international partners in releasing cyber security guidance on secure by demand and priority considerations for operational technology (OT) owners and operators when selecting digital products:

  • U.S. Department of Energy
  • U.S. Environmental Protection Agency (EPA)
  • U.S. Federal Bureau of Investigation (FBI)
  • U.S. National Security Agency (NSA)
  • U.S. Transportation Security Administration
  • Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC)
  • Directorate General for Communications Networks, Content and Technology, European Commission
  • Germany’s Federal Office for Information Security (BSI)
  • Netherlands’ National Cyber Security Centre (NCSC-NL)
  • United Kingdom’s National Cyber Security Centre (NCSC-UK)

Cyber threat actors can attack OT products that have weaknesses such as weak authentication, shared software vulnerabilities, and limited logging. If your organization uses an OT product that has not been designed with secure by design principles or that has these common weaknesses, it can be difficult and costly to defend against compromise.

As part of CISA’s Secure by Demand series, this joint guide aims to advise OT owners and operators on how to integrate security into their device procurement processes.

This guide outlines key security elements that OT products should have, particularly industrial automation and control system products. The key elements include:

  • configuration management
  • logging in the baseline product
  • open standards
  • ownership
  • protection of data
  • secure by default
  • secure communications
  • secure controls
  • strong authentication
  • threat modeling
  • vulnerability management
  • upgrade and patch tooling

By purchasing products with these key elements, your organization can mitigate risks from current cyber threats.

Read the joint guidance Secure by Demand: Priority Considerations for Operational Technology Owners and Operators When Selecting Digital Products.
