Secure by Demand – CISA and US and International Partners Publish Guidance on Priority Considerations in Product Selection for OT Owners and Operators

Created: Tuesday, January 14, 2025 - 14:26
Categories: Cybersecurity, OT-ICS Security, Federal & State Resources

Yesterday, CISA, along with 11 domestic and international partners, including the European Commission, released the joint guidance “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products”. The guide outlines how owners and operators should incorporate security measures into their procurement processes when acquiring industrial automation, control systems, and other OT products. The agencies urge organizations to focus on products that include 12 key security elements.

While threat actors may single out particular organizations and sectors (such as the water sector) when targeting critical infrastructure, they are generally more interested in the kinds of OT products that are deployed than in any particular organization. Therefore, identifying and buying the most secure products will not only make your utility less of a target, but will simultaneously encourage manufacturers to create secure products. As your utility incorporates Fundamental 11: Secure the Supply Chain, one of WaterISAC’s 12 Cybersecurity Fundamentals, consider including the elements listed below. Access the full guide at CISA.

When procuring products, OT owners and operators should select products from manufacturers who prioritize the following security elements:

  1. Configuration Management: The product supports controlling and tracking modifications to configuration settings and engineering logic. Seek out manufacturers whose products back up and deploy system configurations in a secure and simple manner.
  2. Logging in the Baseline Product: The product supports logging of all actions—including changes to configuration, security events, and safety events—in the baseline versions using open standard logging formats. Seek out products that come with standardized access and change logs for building incident response capabilities.
  3. Open Standards: The product uses open standards to support secure functions and services and for migrating configuration settings and engineering logic. Seek out products that support open, interoperable standards to facilitate replacing or adding products.
  4. Ownership: The product gives owners and operators full autonomy over said product, including maintenance and changes. Seek out products that enable operator autonomy while minimizing dependency on the vendor.
  5. Protection of Data: The product protects the integrity and confidentiality of data, services, and functions, including a product’s configuration settings and engineering logic. Seek out products that treat operational data as valuable and protect it at rest and during transit to and from vendors and manufacturers.
  6. Secure by Default: The product is delivered secure out of the box, reducing the attack surface and removing the burden on owners and operators. Seek out products that include all security features in all versions; eliminate default passwords; allow for appropriate length and complexity for passwords; use secure up-to-date versions of protocols with older insecure protocols (e.g., SNMPv1/2, Telnet, SSL, TLS 1.0/1.1) disabled by default; do not unnecessarily expose external interfaces; and provide authorized users the ability to reset product configuration to its original state.
  7. Secure Communications: The product supports secure authenticated communication with deployed digital certificates that fail loudly (e.g., when a certificate expires) but allow critical processes to continue. Seek out products that simplify digital certificate deployment and renewal such that operators do not need to be cyber experts to achieve secure authenticated communications.
  8. Secure Controls: The product is resilient to threat actors sending malicious emergency, safety, or diagnostic commands; protects the availability of essential functions; withstands active security scanning; and minimizes the impact of an incident on the overall system. Seek out manufacturers who can demonstrate trusted safety-critical controls and explain how operators can continuously verify and regain that trust.
  9. Strong Authentication: The baseline version of the product, especially safety-critical equipment, protects against unauthorized access through appropriate control measures, including role-based access control and phishing-resistant multifactor authentication. Seek out manufacturers that have eliminated the use of shared role-based passwords in their products.
  10. Threat Modeling: The product has a full and detailed threat model. Seek out products that have an up-to-date threat model that articulates the ways in which it might be compromised, along with security measures implemented to reduce these threat scenarios.
  11. Vulnerability Management: The manufacturer has a comprehensive vulnerability management regime in which products are rigorously tested to help ensure they contain no known exploitable vulnerabilities. Each product has a clearly defined support period during which vulnerabilities are managed and patches are supplied free of charge. Seek out manufacturers who include hardware and software bills of materials with product delivery and who commit to timely remediation of vulnerabilities through a vulnerability disclosure program.
  12. Upgrade and Patch Tooling: The product has a well-documented and easy-to-follow patch and upgrade process and supports moving to a supported operating system version at no extra cost if the original operating system will soon be unsupported. Seek out products that can be verified and that support owner-controlled patch management.
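Element 6 (Secure by Default) can be turned into an acceptance check a utility runs against a product's shipped configuration before accepting delivery. The script below is an added illustration, not code from the CISA guide or from any vendor; it assumes a hypothetical JSON configuration export (constructed sample, not real product data) and an assumed utility password-length policy.

```python
"""Secure-by-Default acceptance check for an OT product (illustrative, added here;
not from the CISA guide). Evaluates a constructed JSON export of a device's
shipped configuration against element 6 of the guidance."""
import json

# Protocols the guide says should ship disabled by default.
LEGACY_PROTOCOLS = {"snmpv1", "snmpv2c", "telnet", "sslv3", "tlsv1.0", "tlsv1.1"}
MIN_PASSWORD_LENGTH = 15  # assumed utility policy value, not a number from the guide


def check_secure_by_default(cfg: dict) -> list:
    """Return a list of findings; an empty list means the export passed."""
    findings = []
    if cfg.get("default_credentials_active", False):
        findings.append("factory default credentials still active")
    if cfg.get("password_policy", {}).get("max_length", 0) < MIN_PASSWORD_LENGTH:
        findings.append("password max length below %d" % MIN_PASSWORD_LENGTH)
    enabled = {p.lower() for p in cfg.get("services", {}).get("enabled", [])}
    for proto in sorted(enabled & LEGACY_PROTOCOLS):
        findings.append("legacy protocol enabled by default: " + proto)
    for iface in cfg.get("interfaces", []):
        if iface.get("external") and iface.get("management_enabled"):
            findings.append("management exposed on external interface " + iface["name"])
    if not cfg.get("supports_factory_reset", False):
        findings.append("no authorized factory-reset capability")
    return findings


# Constructed sample export of a hypothetical PLC as shipped; not real product data.
SAMPLE_EXPORT = json.loads("""{
  "product": "example-plc",
  "default_credentials_active": true,
  "password_policy": {"max_length": 8},
  "services": {"enabled": ["HTTPS", "Telnet", "SNMPv2c", "TLSv1.1"]},
  "interfaces": [{"name": "eth0", "external": true, "management_enabled": true},
                 {"name": "eth1", "external": false, "management_enabled": true}],
  "supports_factory_reset": false
}""")

if __name__ == "__main__":
    for finding in check_secure_by_default(SAMPLE_EXPORT):
        print("FAIL:", finding)
```

A product that returns no findings meets the checks encoded here; anything else becomes a question for the manufacturer during procurement.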