Brief

"On January 13, 2025, the National Cyber Security Centre (NCSC) issued an update regarding new advice helping organisations select secure operational technology products in face of rising cyber threat. The joint guide sets out key security considerations for organisations when purchasing OT products to help them choose manufacturers that follow secure-by-design principles."


  • GCHQ’s National Cyber Security Centre shares guide to help owners and operators of operational technology (OT) demand improved security in products

  • Common weaknesses in OT components present opportunities for threat actors, who can replicate attacks across multiple victims, international cyber experts warn

  • Operators of critical services are strongly advised to integrate security into procurement processes now to limit cyber risks 


Critical infrastructure organisations are being helped to secure their operational technology (OT) systems from growing cyber threats with new guidance agreed by cyber experts internationally.


The National Cyber Security Centre (NCSC) – a part of GCHQ – alongside agencies from the Five Eyes intelligence and security alliance and European partners, has issued new advice today (Monday) which sets out key security considerations for organisations when purchasing OT products.


The guide aims to help OT owners and operators choose products and manufacturers that follow secure-by-design principles, so that their systems have a cyber resilient foundation from the point of purchase, minimising the risks posed by a successful cyber attack.


Operational technology systems are used widely in critical sectors globally but many components are not developed with security as a priority, presenting weaknesses which are being successfully exploited by cyber attackers.


Threat actors often target specific OT products, rather than specific organisations, because they can easily replicate attacks across multiple victims and sectors.


Organisations that own and operate OT systems are strongly encouraged to integrate the 12 security considerations outlined in the guide into their procurement processes to help defend against threats and to send a clear signal to manufacturers about the level of security they expect from products.


Jonathon Ellison, NCSC Director of National Resilience and Future Technology, said:


“As cyber attackers increasingly target operational technology around the world, it has never been more vital for critical infrastructure operators to ensure security is baked into the systems they use.


“This new guide gives organisations practical advice on how to prioritise OT products that are secure by design when making purchasing decisions, helping to mitigate the very real cyber threats they face.


“I strongly advise UK operators of OT systems to follow this guidance to help set a strong foundation for their cyber resilience and to send a signal to manufacturers that security is more than just an extra feature for products but a requirement in demand.”


Vendors and manufacturers have a key role to play in fixing foundational insecurities and taking responsibility for cyber security outcomes.


The 12 security considerations for organisations buying an OT product include whether the product allows for security and safety logging, has strong authentication controls, protects data, is configured securely by default, and is supported by the manufacturer's established vulnerability management processes.


The NCSC has previously outlined the importance of implementing secure-by-design principles within technology products at source so as to improve overall resilience and develop a safer cyberspace.


This work aligns with the objectives of the government’s forthcoming Cyber Security and Resilience Bill.


The joint guide has been issued by the NCSC alongside:



  • The US Cybersecurity and Infrastructure Security Agency (CISA)

  • The US National Security Agency (NSA)

  • The US Federal Bureau of Investigation (FBI)

  • The US Environmental Protection Agency (EPA)

  • The US Transportation Security Administration (TSA)

  • The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)

  • The Canadian Centre for Cyber Security (CCCS)

  • Directorate General for Communications Networks, Content and Technology (DG CONNECT), European Commission

  • Germany’s Federal Office for Information Security (BSI)

  • The Netherlands’ National Cyber Security Centre (NCSC-NL)

  • New Zealand’s National Cyber Security Centre (NCSC-NZ)


Purpose:
The National Cyber Security Centre (NCSC), a part of GCHQ, has collaborated with international agencies to issue new guidance on securing operational technology (OT) systems from growing cyber threats. The guide aims to help OT owners and operators choose products that follow secure-by-design principles, minimizing the risks posed by a successful cyber attack.

The NCSC’s goal is to provide practical advice on prioritizing OT products that are secure by design when making purchasing decisions, helping to mitigate the very real cyber threats faced by critical infrastructure operators. This guidance is crucial in today’s digital landscape, where operational technology systems are widely used in critical sectors globally, but many components are not developed with security as a priority.

The NCSC Director of National Resilience and Future Technology, Jonathon Ellison, emphasized the importance of integrating security into procurement processes now to limit cyber risks. He urged UK operators of OT systems to follow this guidance to set a strong foundation for their cyber resilience and send a signal to manufacturers that security is more than just an extra feature for products.

Effects on Industry:
The joint guide issued by the NCSC and international agencies will have significant effects on the industry, particularly in the areas of operational technology and cybersecurity. The guide’s 12 security considerations will help organizations prioritize OT products that are secure by design when making purchasing decisions.

This guidance will likely influence vendors and manufacturers to fix foundational insecurities and take responsibility for cyber security outcomes. As a result, the guide may lead to changes in procurement processes, with organizations demanding more secure OT products from manufacturers.

Additionally, this guidance aligns with the objectives of the government’s forthcoming Cyber Security and Resilience Bill, which aims to improve overall resilience and develop a safer cyberspace.

Relevant Stakeholders:
The stakeholders affected by this update include:

  • Critical infrastructure operators (e.g., energy, transportation, healthcare)
  • OT owners and operators
  • Vendors and manufacturers of OT products
  • Cybersecurity experts and agencies (NCSC, CISA, NSA, FBI, EPA, TSA, ASD’s ACSC, CCCS, DG CONNECT, BSI, NCSC-NL, NCSC-NZ)

These stakeholders will need to consider the 12 security considerations outlined in the guide when purchasing OT products.

Next Steps:
To comply with this update, organizations should:

  • Integrate the 12 security considerations into their procurement processes
  • Prioritize OT products that are secure by design when making purchasing decisions
  • Demand more secure OT products from manufacturers

Manufacturers and vendors should also take responsibility for cyber security outcomes and fix foundational insecurities in their products.

Any Other Relevant Information:
The joint guide issued by the NCSC and international agencies is a significant step towards improving cybersecurity resilience. It highlights the importance of implementing secure-by-design principles within technology products at source, as emphasized by the NCSC’s previous work on market incentives.

This guidance is particularly relevant in today’s digital landscape, where operational technology systems are widely used in critical sectors globally, but many components are not developed with security as a priority. The joint guide provides practical advice on prioritizing OT products that are secure by design when making purchasing decisions, helping to mitigate the very real cyber threats faced by critical infrastructure operators.

National Cyber Security Centre (NCSC)
