Saturday, February 15, 2025

Cyber Threat Actors Target Operational Technology Products: New Guidance Highlights Security in Procurement

In an advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI, NSA, EPA, TSA, and international cybersecurity partners, a warning has been issued to operational technology (OT) owners and operators. The guidance underscores that cyber threat actors are increasingly targeting specific OT products, exploiting common design weaknesses, rather than focusing on specific organizations.

The Growing Threat to Operational Technology

Operational technology systems, including industrial automation and control systems, are critical to the functioning of industries such as energy, transportation, water management, and manufacturing. However, many of these systems were not designed with robust security in mind. The lack of Secure by Design principles in their development has left them vulnerable to exploitation. Common weaknesses include:

  • Weak authentication mechanisms: Passwords and access controls that are easy to compromise.
  • Known software vulnerabilities: Unpatched flaws in software components.
  • Limited logging capabilities: Insufficient monitoring of system activity to detect intrusions.
  • Insecure default settings and passwords: Factory-set configurations that provide minimal protection.
  • Insecure legacy protocols: Outdated communication standards still in use.

Cyber actors have capitalized on these vulnerabilities to gain unauthorized access to critical OT systems, sometimes impacting multiple organizations through a single product flaw.

The Cost of Insecurity in OT Products

The advisory warns that when security is not prioritized during the design and manufacturing of OT products, the burden of safeguarding these systems falls heavily on the owners and operators. Retrofitting security measures into inherently insecure products is both complex and costly, often requiring significant operational downtime and resource allocation.

Secure by Demand: A Proactive Approach

To address these challenges, CISA and its partners have published the Secure by Demand guide. This document outlines best practices for integrating security considerations into the procurement process of OT products. By demanding secure products at the procurement stage, owners and operators can reduce vulnerabilities and better protect their systems against cyber threats.

Key recommendations from the guide include:

  1. Engaging with Vendors on Security Standards: Organizations should require vendors to demonstrate adherence to Secure by Design principles and provide evidence of rigorous security testing during development.
  2. Including Security Requirements in Contracts: Procurement contracts should specify security expectations, such as the use of multi-factor authentication, encrypted communications, and ongoing support for vulnerability patches.
  3. Assessing Lifecycle Support: Operators should prioritize products with long-term vendor support, including regular security updates and timely response to emerging threats.
  4. Utilizing Risk-Based Procurement: Decision-makers should evaluate the security risk associated with OT products and prioritize those with stronger security measures.
  5. Collaborating with Trusted Partners: Leveraging guidance and support from agencies such as CISA and international allies can strengthen procurement processes.

International and Industry Collaboration

This guidance is part of a broader effort to promote resilience across critical infrastructure sectors globally. By collaborating with international partners, the U.S. government aims to create a unified approach to mitigating risks in OT environments.


Matt Seldon
Matt Seldon, BSc., is an Editorial Associate with HSToday. He has over 20 years of experience in writing, social media, and analytics. Matt has a degree in Computer Studies from the University of South Wales in the UK. His diverse work experience includes positions at the Department for Work and Pensions and various responsibilities for a wide variety of companies in the private sector. He has been writing and editing various blogs and online content for promotional and educational purposes in his job roles since first entering the workplace. Matt has run various social media campaigns over his career on platforms including Google, Microsoft, Facebook and LinkedIn on topics surrounding promotion and education. His educational campaigns have been on topics including charity volunteering in the public sector and personal finance goals.
