CISA unveils ‘Secure by Demand’ guidelines to bolster OT security

The US Cybersecurity and Infrastructure Security Agency (CISA), along with its international cybersecurity allies, has unveiled the “Secure by Demand” guidelines to safeguard operational technology (OT) environments. The framework provides a blueprint for OT owners and operators to prioritize cybersecurity when procuring digital products.

This initiative addresses growing concerns about vulnerabilities in critical infrastructure, including energy grids, transportation networks, and manufacturing facilities, which have increasingly become targets for sophisticated cyberattacks.

Historically, weak authentication, outdated protocols, and insecure configurations have made OT systems particularly susceptible, underscoring the need for a proactive approach to procurement, according to the Secure by Demand guidance document.

“Driving demand is essential, but achieving lasting change requires fostering accountability and industry-wide adoption of SbD principles, from the CEO’s office to the developer’s desk,” CISA Director Jen Easterly wrote in a blog post accompanying the announcement of the guidelines.

The guidelines advocate embedding security principles during procurement rather than retrofitting solutions post-deployment. Key aspects include mandating detailed vulnerability patch histories, secure default settings, strong authentication, and modern encryption capabilities from vendors. The emphasis is on selecting secure technologies and ensuring a transparent partnership with suppliers that adhere to security standards throughout the product lifecycle.

“Operational technologies underpin critical infrastructure, and when vendors deliver products with security flaws, it compromises the entire ecosystem,” the guidance stated. The recommendations stress resilience by design, enabling organizations to thwart potential attacks and maintain the integrity of their systems without delays caused by post-breach recovery efforts.

Challenges and implications for vendors and operators

Adopting the “Secure by Demand” principles may require significant operational adjustments, particularly for vendors and organizations new to such stringent guidelines. Vendors are expected to provide transparency around security certifications, patching schedules, and mechanisms to address future vulnerabilities. For OT operators, this implies overhauling procurement protocols to align with cybersecurity priorities, potentially delaying adoption but ultimately fortifying defenses.

While the guidelines emphasize preemptive measures, experts recognize challenges for smaller vendors that may struggle with compliance due to resource constraints. Similarly, transitioning existing OT systems to align with secure by design principles could strain budgets and timelines.

“The legacy nature of OT systems, with lifecycles much longer than IT services, often results in outdated infrastructure that is difficult to patch or update without operational disruptions,” said Shivraj Borade, senior analyst at Everest Group. “Vendor dependencies for updates and integration complexities further compound these challenges.”

Borade emphasized the heightened vulnerabilities of OT systems: “Widely used in critical infrastructure, these products are prime targets for threat actors. Building secure OT products has now become an urgent priority.”

He suggested that CISA’s new guidelines could reshape enterprise procurement strategies for OT products. “These guidelines are poised to increase collaboration between OT product companies and OT security Independent Software Vendors (ISVs), unlocking significant opportunities in the OT security market,” he added.

A roadmap for resilience in OT

The “Secure by Demand” guidelines represent a significant move toward a more secure and resilient operational landscape. By placing cybersecurity at the forefront of procurement, CISA’s framework encourages industries to prioritize long-term security over short-term convenience.

The successful implementation of these recommendations could position the framework as a global standard, paving the way for reduced risks and stronger international cooperation in defending against cyber threats. For OT stakeholders, the guidelines serve as both a warning and an opportunity to adapt, innovate, and safeguard their critical systems for a rapidly evolving digital world.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3803081/cisa-unveils-secure-by-demand-guidelines-to-bolster-ot-security.html
