# Best Practices: Secure-by-Design for Operational Technology (OT) Procurement
*A joint government advisory has set out steps critical infrastructure firms should take to ensure any OT products they purchase are secure by design.*
## Overview
These practices address critical guidance issued by international government agencies (Five Eyes and European partners) urging Critical Infrastructure (CI) organizations to prioritize security when purchasing Operational Technology (OT) products. The goal is to shift the security burden toward manufacturers by demanding "secure-by-design" principles, thus reducing the likelihood of damaging attacks against essential infrastructure.
## Key Recommendations
### Immediate Actions (Procurement Screening & Policy Review)
1. **Prioritize Security in RFPs (Requests for Proposals):** Immediately update all OT product procurement policies to mandate that vendors demonstrate adherence to secure-by-design criteria before any contract award.
2. **Eliminate Default Credentials:** For any new or replacement OT system, explicitly reject products that ship with default or easily guessable passwords. Demand cryptographically unique per-device credentials or a mandatory credential change during initial setup.
3. **Demand Phishing-Resistant MFA:** Ensure all new remote access points and management interfaces for OT products support phishing-resistant Multi-Factor Authentication (MFA).
### Short-term Improvements (1-3 months)
1. **Require Detailed Threat Modeling Documentation:** For high-risk or sensitive OT purchases, require vendors to submit a comprehensive, documented threat model detailing potential attack vectors and the specific security controls implemented to mitigate them.
2. **Evaluate Patching and Upgrade Processes:** Prioritize vendors offering transparent, non-disruptive, and easily manageable patching and upgrade procedures that grant OT owners full autonomy over maintenance scheduling.
3. **Verify Initial Vulnerability Status:** Require signed attestations from manufacturers that, prior to shipment, the product underwent rigorous testing and contains no known, exploitable vulnerabilities (i.e., evidence that the vendor follows an internal vulnerability management regime).
### Long-term Strategy (3+ months)
1. **Establish Security Culture in Contracting:** Implement a "Secure by Demand" strategy in which purchasing decisions financially reward manufacturers that demonstrably invest in secure product development lifecycles over the coming years.
2. **Mandate Resiliency Testing:** Require vendors to demonstrate product resiliency, particularly protection against malicious emergency, safety, or diagnostic commands, so that essential functions remain available even under cyberattack.
3. **Move Away from Legacy Environments:** Develop a phased roadmap to replace legacy OT systems that cannot meet modern secure-by-design requirements with modern, resilient alternatives.
## Implementation Guidance
### For Small Organizations
- **Focus on Vendor Accountability:** Since resources for deep technical vetting are limited, focus heavily on contractual clauses requiring manufacturers to guarantee security baselines (e.g., no default passwords, documented patching SLAs).
- **Leverage Government Advisories Directly:** Use the joint advisory as a checklist when evaluating vendor security sheets; if a vendor cannot confirm basic features like robust MFA, deem the product unsuitable.
### For Medium Organizations
- **Develop a Security Scorecard:** Create a weighted scorecard based on the guidance provided in the advisory (MFA, patching ease, threat modeling) to objectively rank competing OT products.
- **Pilot Secure Upgrades:** Test the patching/upgrade process of a proposed system in an isolated lab environment before general deployment to ensure owner autonomy is genuinely possible.
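The weighted scorecard described above, as an added example written for this summary (it is not code from the advisory or from any vendor tool): gate criteria taken from the advisory (no default credentials, phishing-resistant MFA) are pass/fail and disqualify a product outright, while the remaining criteria are weighted and combined into a percentage for ranking. The criterion names, the weights, the 0..2 maturity scale and the three sample vendor responses are all assumptions constructed for the example.

```python
"""Weighted secure-by-design scorecard for ranking competing OT product proposals.

Gate criteria are pass/fail: a product that fails one is disqualified outright,
mirroring the advisory's instruction to reject products with default credentials
or without phishing-resistant MFA. The remaining criteria are weighted and
combined into a percentage so qualified products can be ranked objectively.
Criteria names, weights and vendor answers below are constructed for this example.
"""
from dataclasses import dataclass

# Maturity scale used for every answer: 0 = absent, 1 = partial, 2 = fully met.
MAX_LEVEL = 2

# Pass/fail gates: an answer below MAX_LEVEL disqualifies the product.
GATES = ("no_default_credentials", "phishing_resistant_mfa")

# Weighted criteria (assumed weights; tune them to the organisation's risk appetite).
WEIGHTS = {
    "patching_autonomy": 3,          # owner controls maintenance scheduling
    "threat_model_provided": 2,      # documented threat model submitted
    "vulnerability_attestation": 2,  # signed pre-shipment attestation
    "resiliency_tested": 2,          # rejects malicious safety/diagnostic commands
}


@dataclass(frozen=True)
class VendorResponse:
    vendor: str
    answers: dict  # criterion name -> level on the 0..MAX_LEVEL scale


def _level(resp, criterion):
    """Fetch an answer, treating a missing criterion as 'absent' and rejecting bad values."""
    level = resp.answers.get(criterion, 0)
    if not isinstance(level, int) or not 0 <= level <= MAX_LEVEL:
        raise ValueError(f"{resp.vendor}: invalid level {level!r} for {criterion}")
    return level


def failed_gates(resp):
    """Return the gate criteria this product does not fully satisfy."""
    return [g for g in GATES if _level(resp, g) < MAX_LEVEL]


def weighted_score(resp):
    """Percentage of the maximum weighted score, ignoring gates."""
    max_points = MAX_LEVEL * sum(WEIGHTS.values())
    earned = sum(_level(resp, c) * w for c, w in WEIGHTS.items())
    return round(100.0 * earned / max_points, 1)


def rank_vendors(responses):
    """Return (vendor, status, score) tuples: qualified products first, best score first."""
    rows = []
    for r in responses:
        gates = failed_gates(r)
        if gates:
            rows.append((r.vendor, "disqualified: " + ", ".join(gates), 0.0))
        else:
            rows.append((r.vendor, "qualified", weighted_score(r)))
    return sorted(rows, key=lambda row: (row[1] != "qualified", -row[2], row[0]))


# Constructed sample responses, as a procurement team might record them from vendor security sheets.
SAMPLE_RESPONSES = [
    VendorResponse("VendorA", {"no_default_credentials": 2, "phishing_resistant_mfa": 2,
                               "patching_autonomy": 2, "threat_model_provided": 2,
                               "vulnerability_attestation": 2, "resiliency_tested": 2}),
    VendorResponse("VendorB", {"no_default_credentials": 2, "phishing_resistant_mfa": 2,
                               "patching_autonomy": 1, "threat_model_provided": 2,
                               "vulnerability_attestation": 1, "resiliency_tested": 0}),
    # Ships with a default password: fails a gate, so its strong weighted answers do not matter.
    VendorResponse("VendorC", {"no_default_credentials": 0, "phishing_resistant_mfa": 2,
                               "patching_autonomy": 2, "threat_model_provided": 2,
                               "vulnerability_attestation": 2, "resiliency_tested": 2}),
]

if __name__ == "__main__":
    for vendor, status, score in rank_vendors(SAMPLE_RESPONSES):
        print(f"{vendor:8} {score:6.1f}%  {status}")
```

Keeping the gates separate from the weighted criteria is the design point: a product that ships with a default password should not be able to buy its way back into consideration with strong answers elsewhere, which a purely additive score would allow.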
### For Large Enterprises
- **Integrate Security into Supply Chain Risk Management (SCRM):** Formally integrate secure-by-design requirements into the enterprise-wide SCRM program, making adherence a mandatory prerequisite for vendor acceptance.
- **Establish Continuous Monitoring Requirements:** Mandate that vendors provide mechanisms (or data) for continuous vulnerability monitoring or reporting throughout the product's lifecycle, ensuring zero-day exposures are rapidly addressed.
## Configuration Examples
*While the article focuses on procurement requirements rather than specific technical configuration commands, the following required features translate directly into configuration demands:*
| Security Feature Required | Specific Implementation Demand |
| :--- | :--- |
| Default Password Elimination | Mandate factory configuration requires immediate, unique password establishment on first boot. |
| Multi-Factor Authentication | Requirement for FIDO2 or certificate-based MFA for all remote administrative access. |
| Resiliency Against Malicious Commands | Require testing that shows protection mechanisms successfully reject or sanitize unauthorized safety/diagnostic commands injected externally. |
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Primarily aligns with **Identify (ID)** functions related to asset management and risk assessment, and **Protect (PR)** functions related to access control and awareness/training (if personnel are educated on new secure systems).
- **ISO/IEC 27001/27002:** Aligns with controls relating to supplier relationships, system acquisition, development, and maintenance.
- **CIS Critical Security Controls (CSC):** Aligns with Control 4 (Secure Configuration of Hardware and Software) and Control 14 (Software Application Security).
## Common Pitfalls to Avoid
- **Accepting "Security as an Add-on":** Do not treat security features as optional extras that can be added later or bypassed for operational convenience. Secure-by-design must be foundational.
- **Ignoring Maintenance Burden:** Selecting a product with high initial security but an opaque or user-hostile patching process shifts the long-term burden back onto the operator, risking unpatched systems.
- **Failure to Signal Market Intent:** Purchasing insecure products validates the current market dynamic. Ensure procurement decisions actively reward secure manufacturers to drive industry change.
## Resources
- **CISA Secure by Demand Strategy Documentation:** (Search for CISA Secure by Demand Strategy)
- **NCSC OT Security Guidance:** (Search for NCSC OT security product guidance)
- **Joint Advisory (Five Eyes/Partners):** (Review official government advisories released around mid-January referencing OT security procurement).