Government agencies from the Five Eyes intelligence alliance and European partners have issued a joint advisory urging critical infrastructure organizations to prioritize the security of their operational technology (OT) products. The advisory, issued on January 13, emphasizes the importance of OT owners and operators selecting products from manufacturers that follow secure-by-design principles to enhance cybersecurity resilience and reduce security breaches.
One key focus of the advisory is the shift of the cybersecurity burden onto OT manufacturers rather than operators. While OT owners and operators face significant costs in securing their environments, manufacturers have the capacity to improve the security of their products. The advisory aims to create market incentives for manufacturers to prioritize security in their products, ultimately leading to safer OT environments and a stronger cybersecurity foundation in critical infrastructure systems.
The advisory also stresses the importance of moving away from legacy systems and choosing products built according to secure-by-design principles. According to the US Cybersecurity and Infrastructure Security Agency (CISA), this shift will encourage manufacturers to provide products with integrated cybersecurity measures that address current and future threats. Jonathon Ellison from the UK’s National Cyber Security Centre (NCSC) emphasized the significance of these guidelines for OT system operators, stating that security should be a mandatory requirement for all products, not an optional feature.
In addition to these points, the advisory outlines several essential secure-by-design features that OT products should incorporate. These features include eliminating default passwords, implementing phishing-resistant multifactor authentication, and ensuring products are resilient to cyberattacks. Furthermore, manufacturers are encouraged to provide easy-to-follow patching and upgrade processes, along with a comprehensive vulnerability management regime to prevent exploitable flaws. The advisory also suggests that manufacturers offer a detailed threat model outlining how their products could be compromised, aiding in the protection of OT systems against emerging cyber threats.
By following these guidelines and prioritizing security in their purchasing decisions, OT owners and operators can contribute to a more secure and resilient critical infrastructure environment. The collaborative effort between government agencies and industry stakeholders underscores the importance of addressing cybersecurity challenges in OT systems to safeguard against potential threats and vulnerabilities.
Overall, the joint advisory provides a comprehensive framework for enhancing the security of OT products and emphasizes the shared responsibility between manufacturers, operators, and government agencies in safeguarding critical infrastructure against cyber threats. Compliance with these guidelines is essential in establishing a robust cybersecurity posture and ensuring the continued integrity of OT systems in the face of evolving risks.
