Western Security Agencies Share Advice on Selecting OT Products

CISA and other Western security agencies have shared guidance for OT owners and operators when procuring products. 

CISA and several other Western security agencies have published guidance to help operational technology (OT) owners and operators select secure products.

The authoring agencies warn that threat actors are targeting particular OT products rather than specific organizations, pointing out that vulnerable OT products can grant attackers access to the systems of multiple victims across various critical infrastructure sectors.  

“Many OT products are not designed and developed with Secure by Design principles and commonly have weaknesses, such as weak authentication, known software vulnerabilities, limited logging, insecure default settings and passwords, and insecure legacy protocols. Cyber threat actors can easily exploit these weaknesses across multiple victims to gain access to control systems,” the agencies said.

They have advised OT owners and operators to procure products from manufacturers that prioritize a series of 12 security elements.

The security elements buyers should look for are configuration management, logging in the baseline product, open standards, ownership, protection of data, secure by default, secure communications, secure controls, strong authentication, threat modeling, vulnerability management, and upgrade and patch tooling. The elements are not listed in order of priority.

For each of these elements, the guidance provides a brief description of the selection criteria and questions to ask before acquiring a product.

For instance, a product that logs all actions using standard formats makes it easier for OT network defenders to gather evidence of intrusions. Potential buyers should ask questions about whether a product logs restarts, logins or changes, whether it provides telemetry and logs that help predict and prevent process failure, and whether security and safety events are logged by default.

Regarding ownership, customers need to have full autonomy over a product, including changes and maintenance, to enable quick incident response and recovery.  

In terms of data protection, an OT product must ensure the integrity and confidentiality of data, services and functions.

“OT data rarely changes and is valuable for threat actors trying to understand a system. An understanding of operational data is often needed to bypass safety checks and cause sustained harm,” the agencies explained in their guidance.

Secure by default implies that a product is secure and resilient against prevalent threats and vulnerabilities out of the box, without requiring configuration changes.

As for secure controls, products need to have mechanisms to protect themselves against malicious commands — working under the assumption that a threat actor is present on the network the product is deployed on.

Industrial control systems (ICS) and other OT products also need to have a detailed threat model, which enables asset owners to understand the risks associated with the product and prioritize security controls.

The guidance was written by security agencies in the US, Australia, Canada, Germany, the Netherlands, New Zealand, and the UK, as well as an agency of the European Commission. The document is available in PDF format.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
