Joint guidance on secure by demand and priority considerations for operational technology owners and operators when selecting digital products

The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ (U.S.) Cybersecurity and Infrastructure Agency (CISA) and the following international partners in releasing cyber security guidance on secure by demand and priority considerations for operational technology (OT) owners and operators when selecting digital products:

  • U.S. Department of Energy
  • U.S. Environmental Protection Agency (EPA)
  • U.S. Federal Bureau of Investigation (FBI)
  • U.S. National Security Agency (NSA)
  • U.S. Transportation Security Administration
  • Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC)
  • Directorate General for Communications Networks, Content and Technology, European Commission
  • Germany’s Federal Office for Information Security (BSI)
  • Netherlands’ National Cyber Security Centre (NCSC-NL)
  • United Kingdom’s National Cyber Security Centre (NCSC-UK)

Cyber threat actors can attack OT products with weaknesses such as weak authentication, shared software vulnerabilities, and limited logging. If your organization uses an OT product that has not been designed with secure by design principles or has these common weaknesses, it can be difficult and costly to defend against compromise.

As part of CISA’s Secure by Demand series, this joint guide aims to advise OT owners and operators on how to integrate security into their device procurement processes.

This guide outlines key security elements that OT products should have, particularly industrial automation and control system products. The key elements include:

  • configuration management
  • logging in the baseline product
  • open standards
  • ownership
  • protection of data
  • secure by default
  • secure communications
  • secure controls
  • strong authentication
  • threat modeling
  • vulnerability management
  • upgrade and patch tooling

By purchasing products with these key elements, your organization can mitigate risks from current cyber threats.

Read the joint guidance Secure by Demand: Priority Considerations for Operational Technology Owners and Operators When Selecting Digital Products.
