Today, CISA—along with U.S. and international partners—released joint guidance Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products. As part of CISA’s Secure by Demand series, this guidance focuses on helping customers identify manufacturers dedicated to continuous improvement and achieving a better cost balance, as well as how Operational Technology (OT) owners and operators should integrate secure by design elements into their procurement process.
Critical infrastructure and industrial control systems are prime targets for cyberattacks. The authoring agencies warn that threat actors, when compromising OT components, target specific OT products rather than specific organizations. Many OT products are not designed and developed with Secure by Design principles and often have easily exploited weaknesses. When procuring products, OT owners and operators should select products from manufacturers who prioritize security elements identified in this guidance.
For more information on questions to consider during procurement discussions, see CISA’s Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem. To learn more about secure by design principles and practices, visit Secure by Design.
Brief
On January 13, 2025, the Cybersecurity and Infrastructure Security Agency issued an update regarding "CISA and US and International Partners Publish Guidance on Priority Considerations in Product Selection for OT Owners and Operators". The guidance focuses on helping customers identify secure manufacturers and integrate secure by design elements into procurement processes. Critical infrastructure is at risk due to easily exploited weaknesses in operational technology products that lack secure by design principles, the authoring agencies warn.
Purpose
The purpose of the joint guidance released by CISA and international partners is to provide operational technology owners and operators with a set of priority considerations when selecting digital products. The guidance, part of CISA’s Secure by Demand series, aims to help customers identify manufacturers that prioritize security elements in their product development process.
Effects on Industry
The release of this guidance has significant implications for the operational technology (OT) industry, which includes critical infrastructure and industrial control systems. Threat actors often target specific OT components rather than specific organizations, highlighting the need for secure by design principles in product development. By procuring products from manufacturers that prioritize the security elements identified in this guidance, OT owners and operators can reduce the risk of cyberattacks. Doing so will have a direct impact on the resilience and reliability of critical infrastructure and industrial control systems.
Relevant Stakeholders
The relevant stakeholders affected by this update are operational technology (OT) owners and operators, including businesses and organizations involved in critical infrastructure and industrial control systems. Manufacturers that develop digital products for OT markets also need to take heed of this guidance, as it highlights the importance of secure by design principles in their product development process.
Next Steps
To comply with or respond to this update, operational technology owners and operators should consider the following next steps:
- Review the “Secure by Demand” guide and familiarize themselves with the priority considerations for selecting digital products.
- Evaluate their current procurement processes and integrate secure by design elements into their decision-making process.
- Consider partnering with manufacturers that prioritize security elements in their product development process.
- Update their risk management strategies to reflect the potential risks associated with insecure OT components.
Any Other Relevant Information
For more information on questions to consider during procurement discussions, stakeholders can refer to CISA’s “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem.” Additionally, stakeholders can visit the Secure by Design website to learn more about secure by design principles and practices.