Full Report
The Cybersecurity and Infrastructure Security Agency (CISA) joined by 11 domestic and international partners, including the European Commission,... The post Cybersecurity agencies focus on enhancing OT security, list 12 essential elements for procurement process appeared first on Industrial Cyber.
Analysis Summary
# Best Practices: Secure Procurement for Operational Technology (OT) Systems
## Overview
These practices, developed by CISA and international partners, focus on integrating cybersecurity requirements into the procurement process for Industrial Automation and Control Systems (IACS) and other OT products. The goal is to mitigate cyber risks by prioritizing products built with **Secure by Design** principles and incorporating 12 essential security elements, moving critical infrastructure away from vulnerable legacy systems.
## Key Recommendations
### Immediate Actions
1. **Layer Security Controls on Existing Assets:** For current OT assets with inherent weaknesses (e.g., shared passwords, poor access controls), immediately implement compensating controls such as securing remote access with Multi-Factor Authentication (MFA) and ensuring unique traceability of all user access to OT assets.
2. **Prioritize Purchase Requirements:** Immediately update all Request for Proposal (RFP) and purchase evaluation criteria to mandate the inclusion of the 12 essential security elements outlined below.
3. **Demand Manufacturer Roadmaps:** When engaging with potential OT vendors, require evidence of their commitment to Secure by Design, specifically asking for published roadmaps detailing how they are adopting secure development practices.
### Short-term Improvements (1-3 months)
1. **Vendor Vetting Based on Security Elements:** For all upcoming procurements, rigorously evaluate vendors on how well their products satisfy the 12 priority security elements (see Configuration Examples).
2. **Ensure Configuration Backup and Recovery:** Select products that support secure, simple backup and deployment of system configurations to allow for rapid recovery from unauthorized changes or incidents.
3. **Verify Logging Standards:** Ensure baseline product versions support comprehensive logging (including configuration changes, security events, and safety events) using open standard formats, providing standardized access and change logs for incident response.
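The logging requirement above is one a buyer can actually test before signing: ask the vendor for a log sample from the baseline product and check that it is in an open format, that every required event class appears, and that user-driven events name the acting user (the "unique traceability" compensating control). The script below is an added example, not part of the CISA guidance or any vendor's tooling. It assumes the product emits RFC 5424 syslog and tags each event with a `category` parameter inside a structured-data element; the SD-ID `ot@32473` uses the enterprise number RFC 5424 reserves for documentation and is a placeholder, as are the sample log lines, which are constructed.

```python
"""Acceptance check for OT product logging (added example, not from the CISA guidance).

Assumes RFC 5424 syslog with a structured-data element (hypothetical SD-ID
'ot@32473') that carries a 'category' parameter and, for user actions, 'user'.
"""
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# PARAM-NAME="PARAM-VALUE" pairs inside the structured-data element
SD_PARAM_RE = re.compile(r'(\w[\w.-]*)="([^"]*)"')

# Event classes the guidance expects in the baseline product's logs.
REQUIRED_CATEGORIES = {"config", "security", "safety"}
# Classes that must be attributable to an individual user.
TRACEABLE_CATEGORIES = {"config", "security"}


def parse_syslog_line(line):
    """Return a dict of header fields plus SD params, or None if not RFC 5424."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    rec["params"] = dict(SD_PARAM_RE.findall(rec["sd"])) if rec["sd"] != "-" else {}
    return rec


def coverage_report(lines):
    """Check a log sample for required categories, user traceability and format."""
    seen, untraceable, malformed = set(), [], 0
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            malformed += 1          # free-text lines are not an open standard format
            continue
        cat = rec["params"].get("category")
        if cat in REQUIRED_CATEGORIES:
            seen.add(cat)
        if cat in TRACEABLE_CATEGORIES and not rec["params"].get("user"):
            untraceable.append(rec["msgid"])
    missing = REQUIRED_CATEGORIES - seen
    return {
        "present": seen,
        "missing": missing,
        "untraceable": untraceable,
        "malformed": malformed,
        "accept": not missing and not untraceable and malformed == 0,
    }


# Constructed samples: one product passes, one shows the typical gaps.
SAMPLE_LOG_OK = [
    '<85>1 2024-05-01T10:00:00Z plc-01 ctrl 1234 CFGCHG [ot@32473 category="config" user="eng1" object="logic/main.st" action="modify"] engineering logic modified',
    '<85>1 2024-05-01T10:00:05Z plc-01 ctrl 1234 AUTHFAIL [ot@32473 category="security" user="operator" outcome="failure"] login failed',
    '<81>1 2024-05-01T10:01:00Z plc-01 safety 1234 ESTOP [ot@32473 category="safety" zone="line3"] emergency stop asserted',
]
SAMPLE_LOG_GAPPY = [
    '<85>1 2024-05-01T10:00:00Z plc-02 ctrl 1234 CFGCHG [ot@32473 category="config" object="logic/main.st"] logic modified by shared account',
    '<85>1 2024-05-01T10:00:05Z plc-02 ctrl 1234 AUTHOK [ot@32473 category="security" user="operator" outcome="success"] login ok',
    'plc-02 safety relay tripped',
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_LOG_OK), ("gappy", SAMPLE_LOG_GAPPY)):
        print(name, coverage_report(sample))
```

The second sample fails on three counts a reviewer would write into the evaluation: no safety event is logged in a structured form, the configuration change is not attributed to a named user, and one line is free text rather than RFC 5424. Each maps directly to a line item in the RFP rather than to a vague "logging supported" claim.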
### Long-term Strategy (3+ months)
1. **Drive Market Demand for Security:** Consistently make purchasing decisions that prioritize secure features. This sends a market signal to manufacturers and stimulates the supply of Secure by Design products across the industry.
2. **Mandate Compliance with ICS Standards:** Require manufacturers to demonstrate adoption of industry standards, specifically the **ISA/IEC 62443 series**, as a prerequisite for product selection.
3. **Establish Resilience Foundations:** Focus on acquiring products that establish a resilient and flexible cybersecurity foundation that can be sustained over the decades-long lifecycle of ICS/OT infrastructure.
## Implementation Guidance
### For Small Organizations
- Focus initial efforts on compensating controls (MFA/Unique Access) for existing high-risk assets.
- Prioritize purchasing from vendors who clearly articulate their adherence to the 12 security elements, even if it means slightly longer procurement cycles.
- Leverage guidance from national cybersecurity centers (e.g., CISA) for simplified checklists based on the 12 elements.
### For Medium Organizations
- Integrate the 12 security elements directly into official procurement governance documents and contract clauses.
- Begin auditing current vendor security claims against demonstrable proof (e.g., documentation, testing reports).
- Review immediate compliance needs, such as the EU’s **NIS2 Directive** (if applicable to operations), and factor required certifications/marks into purchasing requirements.
### For Large Enterprises
- **Establish a Demand Groundswell:** Use significant buying power to force supply-side changes by making Secure by Design a mandatory criterion for major contracts.
- **Develop Internal Security Scoring:** Create a standardized scoring matrix based on the 12 elements and ISA/IEC 62443 adherence to objectively compare competing OT solutions.
- **Address Legacy Migration:** Link new procurement decisions to strategies for retiring or segmenting legacy (non-secure) systems, ensuring new purchases enhance overall network segmentation and defense-in-depth.
## Configuration Examples
OT buyers should actively seek products incorporating the following 12 essential security elements:
| Security Element | Requirement Focus Area |
| :--- | :--- |
| **1. Configuration Management** | Product supports controlling and tracking modifications to configuration settings and engineering logic. |
| **2. Logging in the Baseline Product** | Product logs all actions (config changes, security/safety events) in open standard formats in the base version. |
| **3. Open Standards** | Product utilizes open standards for interoperability and avoidance of vendor lock-in/legacy vulnerabilities. |
| **4. Ownership** | Manufacturer clearly defines ownership regarding security responsibilities and outcomes. |
| **5. Protection of Data** | Data (at rest and in transit) must be protected by default. |
| **6. Secure by Default** | Product ships with hardened, secure default settings, avoiding insecure defaults like default passwords. |
| **7. Secure Communication** | All communications utilized by the product must be encrypted and authenticated. |
| **8. Secure Controls** | Control mechanisms themselves must resist tampering and exploitation. |
| **9. Strong Authentication** | Product enforces strong, preferably unique, user authentication mechanisms. |
| **10. Threat Modeling** | Manufacturer has engaged in systematic threat modeling during the design phase. |
| **11. Vulnerability Management** | Manufacturer has established processes for handling identified vulnerabilities post-deployment. |
| **12. Upgrade and Patch Tooling** | Product provides effective, secure, and simple tooling for patching and upgrading to maintain security posture. |
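Elements 1 and 12, together with the backup-and-recovery recommendation earlier, come down to one capability: the owner can take a snapshot of configuration and engineering logic, later prove which files changed, and put the verified snapshot back. The following is an added example of that mechanism, not code from CISA or any product. It represents a configuration tree as a mapping of relative path to bytes (with a `load_tree` helper for a real directory), records per-file SHA-256 digests in a manifest, and protects the manifest with an HMAC so a tampered backup record is refused rather than silently trusted. The key and the sample files are constructed; in practice the key lives outside the device being backed up.

```python
"""Signed configuration snapshot and drift detection (added example, not from the guidance).

Assumes configuration is a set of files; the HMAC key is held off-device.
"""
import hashlib
import hmac
import json
import os


def load_tree(root):
    """Read every file under root into {relative_path: bytes}."""
    tree = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                tree[rel] = f.read()
    return tree


def digest_tree(tree):
    """Per-file SHA-256 digests, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(tree.items())}


def make_manifest(tree, key, label):
    """Canonical JSON of the digests plus an HMAC-SHA256 over it."""
    body = json.dumps({"label": label, "files": digest_tree(tree)},
                      sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_manifest(manifest, key):
    """Reject a manifest whose MAC does not match; return its decoded body."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        raise ValueError("manifest MAC mismatch: backup record has been altered")
    return json.loads(manifest["body"])


def drift_report(manifest, key, current_tree):
    """Compare the live configuration against the verified baseline."""
    baseline = verify_manifest(manifest, key)["files"]
    now = digest_tree(current_tree)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "added": sorted(p for p in now if p not in baseline),
        "removed": sorted(p for p in baseline if p not in now),
    }


def restore(snapshot_tree, manifest, key, current_tree):
    """Return current_tree with every drifted file replaced from the verified snapshot."""
    baseline = verify_manifest(manifest, key)["files"]
    if digest_tree(snapshot_tree) != baseline:
        raise ValueError("snapshot does not match its manifest; refusing to restore")
    report = drift_report(manifest, key, current_tree)
    restored = dict(current_tree)
    for path in report["modified"] + report["removed"]:
        restored[path] = snapshot_tree[path]
    for path in report["added"]:
        del restored[path]
    return restored


# Constructed demo data: a commissioning-time baseline and a drifted live tree.
KEY = b"constructed-demo-key-keep-real-keys-in-a-vault"
BASELINE = {
    "plc/main.st": b"PROGRAM main\n  pump := level > 80;\nEND_PROGRAM\n",
    "hmi/users.cfg": b"operator:role=view\neng1:role=engineer\n",
    "net/firewall.rules": b"allow 10.1.0.0/24 -> plc:502\ndeny any\n",
}
DRIFTED = {
    **BASELINE,
    "plc/main.st": b"PROGRAM main\n  pump := level > 99;\nEND_PROGRAM\n",  # logic changed
    "net/remote.cfg": b"remote_access=enabled\n",                          # file added
}

if __name__ == "__main__":
    manifest = make_manifest(BASELINE, KEY, "pre-commissioning")
    print(drift_report(manifest, KEY, DRIFTED))
    print(restore(BASELINE, manifest, KEY, DRIFTED) == BASELINE)
```

When evaluating a product, the question to ask the vendor is whether its own backup tooling gives the owner the equivalent of `make_manifest` and `drift_report`: an export in an open format that can be hashed and signed independently, and a restore path that checks the backup before writing it to the controller.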
## Compliance Alignment
- **NIST:** Aligns fundamentally with the goals of the NIST Cybersecurity Framework (CSF) Identify and Protect functions, specifically related to Supply Chain Risk Management (SCRM).
- **ISA/IEC 62443:** Manufacturers should demonstrate adoption of these global standards for Industrial Automation and Control Systems security.
- **Regulatory Requirements:** Owners/operators must verify the product meets current and anticipated regulatory obligations (e.g., EU NIS2 Directive) at the time of acquisition.
## Common Pitfalls to Avoid
- **Prioritizing Functionality Over Security:** Do not accept the premise that security must be sacrificed for operational functionality; the requirement is **secure functionality**.
- **Ignoring Documentation:** Failing to require vendor roadmaps that show a commitment to Secure by Design beyond the current product version.
- **Accepting Insecure Legacy Defaults:** Do not purchase products that rely on weak authentication, known software vulnerabilities, or insecure legacy protocols without verifiable mitigation strategies.
- **Neglecting Recovery Planning:** Choosing products without secure, simple mechanisms for configuration backup and system recovery, which increases downtime risk after an incident.
## Resources
- **CISA Secure by Demand Guidance:** (Reference the primary document: ‘Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products’)
- **ISA/IEC 62443 Standards:** Seek vendor adherence to these international ICS security benchmarks.
- **CISA Secure by Design Campaign:** Use this campaign information when evaluating manufacturer development philosophy.