The initiative focuses on 'secure by design' principles
The National Cyber Security Centre (NCSC) has partnered with the US Cybersecurity and Infrastructure Security Agency (CISA) and other international organisations to release new guidelines aimed at improving the cybersecurity of operational technology (OT) systems.
The guidance is designed to assist OT owners and operators in incorporating security measures into the procurement process, particularly for industrial automation and control systems.
This initiative focuses on "secure by design" principles, encouraging buyers to prioritise security when selecting OT products. Many OT systems, such as those used in critical infrastructure, have historically been vulnerable to cyberattacks because of shortcomings such as weak authentication, insecure default settings, and limited logging capabilities. By addressing these shortcomings at the procurement stage, organisations can reduce risk, ensure compliance with evolving regulatory requirements, and establish a resilient cybersecurity foundation.
The guidance outlines several key areas that buyers should consider when evaluating OT products. Products should support secure configuration management, allowing modifications to be tracked and managed securely. They should include logging capabilities in their baseline versions to enable monitoring of security and operational events. Products that adhere to open standards for secure functions and interoperable systems are recommended to facilitate future upgrades or replacements.
Buyers are also encouraged to select products that grant operators full autonomy over maintenance and updates, minimising dependency on vendors. Ensuring the integrity and confidentiality of operational data is another critical requirement, with products expected to protect data both in transit and at rest. Products delivered "secure by default", with security features pre-enabled and known vulnerabilities minimised, are highlighted as a key priority for reducing the attack surface.
The guide further stresses the importance of secure communication channels, resilient safety-critical controls, and robust authentication measures, such as multifactor authentication and the elimination of shared passwords. Manufacturers are urged to provide detailed threat models, comprehensive vulnerability management programs, and clear patching and upgrade processes. These measures are vital for protecting OT systems from exploitation and ensuring long-term system reliability.
The guidance also aligns with regulatory frameworks such as the European Union's NIS2 Directive and Cyber Resilience Act, which require critical infrastructure operators to deploy secure products. Adherence to such regulations not only strengthens organisational security but also signals to manufacturers the growing demand for "secure by design" products.
By integrating these security considerations into procurement decisions, OT operators are expected to mitigate current and emerging cyber threats, fostering a culture of cybersecurity within the industry. The full guidance is available for download on the CISA website.