Cyber Resilience
Operational Technology
Industrial

Nexus Podcast: CISA on Secure-by-Demand for OT

Michael Mimoso / Jan 21, 2025

The Cybersecurity and Infrastructure Security Agency’s (CISA) recently released procurement guide for operational technology (OT) owners and operators describes 12 security elements that buyers should look for in automation and control system products, and that vendors should, ideally, be pushed to implement. The intent, according to Matthew Rogers, ICS Cybersecurity Strategy & R&D Lead at CISA, is not only to give OT asset owners some leverage during procurement, but also to create market-driven demand that leads vendors to build these security elements into OT products by default.

“One of the initiatives that CISA has been running for the past year is something called the Secure by Design Pledge,” Rogers said on the latest episode of the Nexus Podcast. “We have over 250 companies that have signed on to a pledge to not solve cybersecurity in a year, but to demonstrate progress that they can actually transparently show that they are really working toward securing their customers and really taking ownership of some of their customer security outcomes.”


The guide’s selection criteria are aimed at reducing OT exposure. One is that products be secure by default: no default passwords, current versions of communication protocols in use, and older, insecure protocols disabled out of the box. Other elements include configuration management that covers engineering logic, logging, strong authentication, vulnerability management, and upgrade and patch tooling shipped as part of the product, among others.

“I don't know that there's very much novel about a lot of the secure by design work,” Rogers said. “What we're really trying to do is elevate a lot of the hard work of cybersecurity researchers who've been doing all of this and advocating for this for years, if not decades. There's one paper from the 1970s we cite in some of our presentations about how it's very difficult to add cybersecurity after the fact if you do not design it in from the beginning. People have been saying this for years. How do we take our role as a government agency and actually make it easier for folks to do what they've wanted to do this whole time, which is secure their critical infrastructure.”

The guide originated at last year’s S4 Conference and quickly grew to include a host of international partners, among them the Five Eyes and others in the European Union. Rogers said seven elements were agreed upon as a baseline of must-haves, and the document then evolved in response to threat activity. One example is Volt Typhoon’s targeting of edge devices, which are critical to secure, properly segmented networks.


“Segmentation is one of those security controls that is undoubtedly a good idea for operational technology. But we've also seen that it's really difficult to get right. And it's really difficult to implement 100% correctly,” Rogers said. “There's always going to be a flaw for actors who are motivated enough to try and find it. And so a lot of our drivers were really saying: If we know that this barrier is going to be further eroded by actors compromising edge devices, how can we make sure that you can put resilience into the OT network itself?”

In the meantime, the initiative faces challenges ranging from potentially increased costs to vendors—and ultimately buyers—to the absence of any requirement that would force vendors to adhere to the guide’s recommendations.

“I think the real challenge for CISA is going to be helping people actually navigate and bridge that gap between the legacy technology they have today and that future greenfield state, because it's always going to be messy,” Rogers said.

“There's always going to be a bunch of old stuff and old dependencies. And then there's always going to be those one-off operational challenges. What we're hoping to inspire with this work is to really reveal some of those research and development challenges, so we can highlight the progress that's been made so far and then contribute ourselves, as well as to do more.”

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
