Critical infrastructure organizations have been urged to prioritize the security of their operational technology (OT) products by government agencies from the Five Eyes intelligence alliance and European partners. A joint advisory issued on January 13 provides key security considerations for OT owners and operators when purchasing OT products. The guidance focuses on ensuring that OT products follow secure-by-design principles, which are intended to reduce the likelihood of security breaches and improve overall cybersecurity resilience. The advisory emphasizes the importance of OT owners and operators choosing products from manufacturers that adhere to these security guidelines.
A major point of the advisory is the shifting of the cybersecurity burden onto OT manufacturers
A major point of the advisory is the shifting of the cybersecurity burden onto OT manufacturers rather than operators. Although OT owners and operators face disproportionate costs in securing their environments, manufacturers have the greatest capacity to enhance the security of their products. By making security a priority in purchasing decisions, the advisory aims to create market incentives for manufacturers to implement more secure products. This shift is expected to lead to safer OT environments and a stronger cybersecurity foundation in critical infrastructure systems.
The advisory also highlights the need for OT owners and operators to move away from legacy systems, urging them to prioritize products that enforce secure-by-design principles. According to the US Cybersecurity and Infrastructure Security Agency (CISA), such decisions would encourage manufacturers to supply products with integrated cybersecurity measures that address current and future threats. Jonathon Ellison from the UK’s National Cyber Security Centre (NCSC) reiterated the importance of these guidelines for OT system operators, stressing that security should not be treated as an optional feature but as a necessary requirement for all products.
The guidance also outlines several essential secure-by-design features that OT products should include, such as eliminating default passwords, implementing phishing-resistant multifactor authentication, and ensuring products are resilient to cyberattacks. Furthermore, manufacturers should offer easy-to-follow patching and upgrade processes and provide a comprehensive vulnerability management regime to prevent exploitable flaws. Additionally, the advisory suggests that manufacturers provide a thorough threat model detailing how the product could be compromised, helping to ensure the security of OT systems against evolving cyber threats.
