The Cybersecurity and Infrastructure Security Agency (CISA) and its international partners’ latest secure-by-design initiative speaks directly to operational technology (OT) asset owners and operators, with the objective of creating a groundswell of demand for a uniform set of expectations from automation vendors.
Released today, “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products” [PDF] is an effort to return agency to decision makers within critical infrastructure by creating a healthy tension and a set of market dynamics that drive better security in OT assets.
The 22-page guide identifies 12 security elements that OT owners and operators should look for during procurement cycles with automation and control system vendors. The hope is that the market will favor those providers whose mindset is that security is part and parcel of developing functionality, not an afterthought. Specifically, automation vendors that prioritize these dozen facets of cybersecurity—many of which are essential to basic security hygiene—will gain a competitive advantage over those that have failed to build cybersecurity into the design and development of their products.
We believe this initiative returns a measure of influence and leverage to asset owners, who are often at the mercy of advanced attackers operating with impunity against legacy technology that was not built with today’s connectivity imperatives in mind. Manufacturers that adhere to this guide not only reduce the collective attack surface across the ecosystem, but could also find themselves with a competitive leg-up over those that ignore a newly articulated guide that makes clear which best practices should be followed.
CISA’s premise is that threat actors will target specific classes of OT assets, rather than individual organizations. We’ve seen malware such as Triton purpose-built to target safety systems built by Schneider Electric, while Incontroller targeted numerous programmable logic controllers from manufacturers such as Omron and Schneider Electric, as well as weaknesses in legacy protocols such as OPC UA.
Poorly secured protocols are a popular avenue for advanced attackers seeking initial access to an OT asset, along with weak authentication implementations, insecure credentials, poor configurations, unpatched vulnerabilities, and a lack of logging capabilities. Often, organizations must deploy expensive compensating controls to reduce their exposure in these areas.
The Secure by Demand guide—written by CISA and partners including the FBI, NSA, and cybersecurity agencies from the U.K., Australia, Canada, New Zealand, and various EU nations—is an effort to bring cybersecurity into purchasing decisions and prioritize spending around technologies that enforce the 12 elements described in the guide.
“OT owners and operators will send a message to manufacturers to stimulate the supply of Secure by Design products,” the guide says. “Manufacturers that implement these considerations can establish a resilient and flexible cybersecurity foundation in their products that OT owners and operators can build on over the coming decades.”
Below are the 12 cybersecurity elements; the guide presents selection criteria for each element, as well as questions to ask of vendors, and why-this-matters reasoning:
Configuration Management: Products should track modifications not only to configurations, but also engineering logic, and securely back up and deploy system configurations.
Logging: Products should log all actions, including security and safety events. Open standard logging formats are also recommended.
Open Standards: Support for open, interoperable standards simplifies new product deployments and the migration of configuration settings and engineering logic.
Ownership: Asset owners and operators should have autonomy over maintenance and changes to the product, thus minimizing vendor dependencies.
Data Protection: Products should secure the integrity of configuration settings, engineering logic, and other data both at rest and in transit.
Secure by Default: Products are secure out of the box, with no default passwords, current versions of protocols in use, older and insecure protocols disabled by default, and more.
Secure Communications: Simplified digital certificate deployment and renewal ensures secure communication between devices and the network.
Secure Controls: Resilience is the key to this element, in particular the availability of essential functions and the ability to withstand malicious activity such as the sending of malicious safety commands or active security scanning.
Strong Authentication: Controls such as role-based access controls, multifactor authentication, and the elimination of shared credentials should be prioritized.
Threat Modeling: An up-to-date threat model that articulates means of compromise should be in place, along with recommendations to reduce the risk from those threats.
Vulnerability Management: Vendors must state their plans to regularly test for vulnerabilities and define the support periods during which flaws are managed and patches released at no charge. Hardware and software bills of materials (SBOMs) should be included.
Upgrade and Patch Tooling: Products must include a documented and simple patching and upgrade process, and support migration to new versions of an operating system when previous versions are no longer supported.
The overarching challenge to any secure by design initiative in OT is the excessively long technology cycle within industrial automation environments. As a result, enterprises face long technology obsolescence periods because availability and process safety are paramount, and functioning legacy technology lives on in order to maintain those priorities. On top of this paradigm, it’s clear that secure by demand—and design—is playing the long game.
With that in mind, we believe asset owners and operators need to drive pressure on automation vendors to improve security in these targeted ways, while concurrently taking pragmatic steps to deal with the inherent risks in OT assets deployed today.
We advocate an exposure management approach that prioritizes, for mitigation and remediation, the riskiest assets with the greatest impact on production and safety. This approach moves to the front of the line those assets that have vulnerabilities with known, publicly available exploits and that may also be insecurely connected to the internet, whether directly exposed to the public network or reachable through a remote access solution that is not enterprise grade.
By layering on an enterprise-grade secure access solution, for example one that includes role-based access controls and monitoring, auditing, and logging capabilities, an organization can mitigate risk in products that fail to meet those best practices today.
Similarly, with regard to vulnerability management, prioritizing mitigation or remediation solely by critical or high CVSS ratings may leave organizations blind to their true risk posture. By prioritizing against risk factors such as KEVs (known exploited vulnerabilities), insecure connectivity, and weak access controls, enterprises gain a better picture of their actual exposure to threats.
This of course requires visibility into assets, the critical first step that complements an exposure management approach to risk reduction. All of these facets share the end goal of reducing the cost of risk remediation and the total cost of ownership.
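As an added illustration of the prioritization logic described above (example code written for this article, not part of the CISA guide or of any Claroty product), the following Python script scores a small, constructed OT inventory two ways: by the highest CVSS rating alone, and by exposure factors such as KEV presence, insecure connectivity and weak access controls, weighted by impact on production and safety. It then maps each weak spot to the kind of compensating control discussed above. The scoring weights, asset names and CVE identifiers are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Finding:
    """One vulnerability on an asset (the CVE IDs below are constructed placeholders)."""
    cve: str
    cvss: float
    in_kev: bool  # assumption: flag populated from an export of CISA's KEV catalog


@dataclass
class Asset:
    name: str
    asset_type: str
    criticality: int          # 1 (low) to 5 (high) impact on production and safety
    internet_exposed: bool    # directly reachable from the public network
    remote_access: str        # "none", "enterprise" or "non-enterprise"
    shared_credentials: bool
    mfa: bool
    findings: list[Finding] = field(default_factory=list)


def cvss_only_score(asset: Asset) -> float:
    """The naive ranking the post warns about: the highest CVSS on the asset wins."""
    return max((f.cvss for f in asset.findings), default=0.0)


def exposure_score(asset: Asset) -> float:
    """Exposure-based score: KEV presence, insecure connectivity and weak access
    controls dominate raw severity, and the total is weighted by the asset's
    impact on production and safety. The weights are illustrative assumptions."""
    score = 0.0
    if any(f.in_kev for f in asset.findings):
        score += 40.0                       # publicly exploited flaw: front of the line
    score += cvss_only_score(asset) * 2.0   # severity still counts, but caps at 20
    if asset.internet_exposed:
        score += 20.0
    if asset.remote_access == "non-enterprise":
        score += 15.0                       # e.g. an ad hoc remote desktop tool
    if asset.shared_credentials:
        score += 10.0
    if not asset.mfa:
        score += 5.0
    return round(score * asset.criticality / 5, 1)


def prioritize(assets: list[Asset], scorer) -> list[Asset]:
    """Return assets ordered from most to least urgent under the given scorer."""
    return sorted(assets, key=scorer, reverse=True)


def ranking(assets: list[Asset], scorer) -> list[str]:
    """Just the asset names, in priority order, for side-by-side comparison."""
    return [a.name for a in prioritize(assets, scorer)]


def compensating_controls(asset: Asset) -> list[str]:
    """Map each weak spot to the kind of control the post describes."""
    actions = []
    if asset.internet_exposed:
        actions.append("remove direct internet exposure; reach the asset only via a segmented access path")
    if asset.remote_access == "non-enterprise":
        actions.append("replace with enterprise-grade secure access (RBAC, session monitoring, audit logging)")
    if asset.shared_credentials:
        actions.append("issue per-user credentials and retire the shared account")
    if not asset.mfa:
        actions.append("enforce multifactor authentication for interactive access")
    if any(f.in_kev for f in asset.findings):
        actions.append("patch or isolate: at least one finding is in the KEV catalog")
    return actions


# Constructed inventory: three assets and three findings, every value made up for this example.
INVENTORY = [
    Asset("HMI-01", "hmi", criticality=4, internet_exposed=True,
          remote_access="non-enterprise", shared_credentials=True, mfa=False,
          findings=[Finding("CVE-0000-EXAMPLE1", 7.5, in_kev=True)]),
    Asset("ENG-WS-02", "engineering workstation", criticality=3, internet_exposed=False,
          remote_access="enterprise", shared_credentials=False, mfa=True,
          findings=[Finding("CVE-0000-EXAMPLE2", 9.8, in_kev=False)]),
    Asset("PLC-07", "plc", criticality=5, internet_exposed=False,
          remote_access="none", shared_credentials=True, mfa=False,
          findings=[Finding("CVE-0000-EXAMPLE3", 5.3, in_kev=False)]),
]

if __name__ == "__main__":
    print("CVSS-only order:", ranking(INVENTORY, cvss_only_score))
    print("Exposure order: ", ranking(INVENTORY, exposure_score))
    for a in prioritize(INVENTORY, exposure_score):
        print(f"{a.name}: score {exposure_score(a)} -> {compensating_controls(a)}")
```

On this constructed inventory the CVSS-only view puts the well-protected engineering workstation (CVSS 9.8) first, while the exposure view puts the internet-reachable HMI with a known exploited flaw, shared credentials and an ad hoc remote access tool at the top, followed by the safety-critical PLC with no per-user authentication. The point is the ordering, not the specific weights: an owner would calibrate them to their own process criticality and connectivity model.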