A new document, "Secure by Demand," spearheaded by the United States Cybersecurity and Infrastructure Security Agency (CISA) and its international partners, aims to shift the burden of cybersecurity from operational technology (OT) owners and operators to the manufacturers of the products they buy.
It is specifically aimed at those who purchase industrial automation and control systems and other OT products, urging them to prioritise security when selecting products.
The document highlights that cyber threat actors often target specific OT products due to common weaknesses such as weak authentication, known software vulnerabilities, and insecure default settings.
Such vulnerabilities can be easily exploited across multiple victims, giving attackers access to control systems.
The guidance promotes a "Secure by Design" approach, where security is built into the product from the outset, rather than being an afterthought.
The guidance outlines twelve key security elements that buyers should look for when selecting OT products.
They include:
- Configuration management: products should allow for the control and tracking of modifications to configuration settings and engineering logic, with secure backup and deployment capabilities.
- Logging in the baseline product: all actions, including security and safety events, should be logged using open standard formats.
- Open standards: the product should utilise open standards to support secure functions, services and the migration of configurations and logic.
- Ownership: OT owners and operators should have full autonomy over the product, including maintenance and changes, minimising dependence on the vendor.
- Protection of data: the product should protect the integrity and confidentiality of data, services, and functions, including configuration settings and engineering logic.
- Secure by default: products should be delivered secure out of the box, with default passwords eliminated, secure protocols enabled and insecure protocols disabled.
- Secure communications: authenticated communication with digital certificates should be supported, with simplified deployment and renewal processes.
- Secure controls: products should be resilient to malicious commands, protect the availability of essential functions, and withstand active security scanning.
- Strong authentication: products should protect against unauthorised access through role-based access control and phishing-resistant multi-factor authentication.
- Threat modelling: a full and detailed threat model should articulate how the product could be compromised and the security measures implemented to reduce these risks.
- Vulnerability management: manufacturers should have a comprehensive vulnerability management regime, with rigorous testing and timely remediation of vulnerabilities.
- Upgrade and patch tooling: products should have a well-documented and easy-to-follow patch and upgrade process with owner-controlled patch management.
The guidance stresses that by prioritising these elements, critical infrastructure organisations can mitigate cyber threats and create a path away from legacy environments.
For example, products should not have default passwords, as these can be easily exploited by malicious actors.
Furthermore, products should be delivered with secure protocols enabled by default.
The document urges manufacturers to adopt these principles to establish a resilient and flexible cybersecurity foundation in their products.
It also highlights that OT operators need to be able to control and recover their systems without unnecessary dependencies and should look for products that support open standards for ease of interoperability between manufacturers.
By enforcing purchasing decisions that prioritise these security elements, OT owners and operators can encourage manufacturers to supply "Secure by Design" products.
This will ensure that critical infrastructure, which manages essential services such as energy, water supply, and transportation, is more resilient to cyber attacks that are becoming increasingly frequent and sophisticated.
The new guidance aims to ensure a safer and more secure future for vital infrastructure.
Along with CISA, the collaborators on Secure by Demand are the National Security Agency and the Federal Bureau of Investigation in the United States; the Australian Signals Directorate/Australian Cyber Security Centre; the Canadian Centre for Cyber Security; Germany's Federal Office for Information Security; the UK's National Cyber Security Centre; and their eponymous counterparts in the Netherlands and New Zealand.