Western Security Agencies Share Advice on Selecting OT Products


CISA and several other Western security agencies have published guidance to help operational technology (OT) owners and operators select secure products.

The authoring agencies warn that threat actors are targeting particular OT products rather than specific organizations, pointing out that vulnerable OT products can grant attackers access to the systems of multiple victims across various critical infrastructure sectors.  

“Many OT products are not designed and developed with Secure by Design principles and commonly have weaknesses, such as weak authentication, known software vulnerabilities, limited logging, insecure default settings and passwords, and insecure legacy protocols. Cyber threat actors can easily exploit these weaknesses across multiple victims to gain access to control systems,” the agencies said.

They have advised OT owners and operators to procure products from manufacturers that prioritize a series of 12 security elements.


The security elements buyers should look for are configuration management, logging in the baseline product, open standards, ownership, protection of data, secure by default, secure communications, secure controls, strong authentication, threat modeling, vulnerability management, and upgrade and patch tooling. The list is alphabetical; it does not rank the elements by priority.

For each of these elements, the guidance provides a brief description of the selection criteria and questions to ask before acquiring a product.

For instance, a product that logs all actions using standard formats makes it easier for OT network defenders to gather evidence of intrusions. Potential buyers should ask questions about whether a product logs restarts, logins or changes, whether it provides telemetry and logs that help predict and prevent process failure, and whether security and safety events are logged by default.
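As an added illustration of that logging criterion (not code from the guidance or from any product), the script below takes a constructed sample of a product's log output and reports which of the questions above it answers: restarts, logins, changes, and security or safety events. The JSON field names, the event type values and the sample lines are assumptions for the example.

```python
"""Check a sample of OT device log output against the guidance's logging
questions. Added example; field names and sample lines are assumptions."""
import json

# Event categories the guidance asks buyers about (from the article text).
REQUIRED = {"restart", "login", "change", "security", "safety"}

# Assumed mapping from a product's event_type values to guidance categories.
EVENT_MAP = {
    "cold_start": "restart",
    "user_logon": "login",
    "user_logon_failed": "login",
    "config_write": "change",
    "firmware_update": "change",
    "auth_lockout": "security",
    "safety_trip": "safety",
}

# Constructed sample: one JSON object per line, as a product might emit it.
SAMPLE_LOG = """\
{"ts":"2025-01-14T08:00:01Z","event_type":"cold_start","src":"plc-01"}
{"ts":"2025-01-14T08:00:09Z","event_type":"user_logon","src":"plc-01","user":"eng1"}
{"ts":"2025-01-14T08:02:30Z","event_type":"config_write","src":"plc-01","user":"eng1"}
{"ts":"2025-01-14T08:05:00Z","event_type":"auth_lockout","src":"plc-01","user":"eng2"}
this line is not json and is counted as unparsable
"""

def parse_events(text):
    """Return (list of guidance categories seen, number of unparsable lines)."""
    seen, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad += 1          # non-standard output counts against the product
            continue
        cat = EVENT_MAP.get(rec.get("event_type"))
        if cat:
            seen.append(cat)
    return seen, bad

def logging_coverage(text):
    """Which guidance categories the sample covers, and which are missing."""
    seen, bad = parse_events(text)
    covered = set(seen)
    return {"covered": sorted(covered),
            "missing": sorted(REQUIRED - covered),
            "unparsable_lines": bad}
```

A sample that leaves categories in `missing`, or that produces unparsable lines, is a prompt to ask the manufacturer whether those events are logged by default and in a standard format.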


Regarding ownership, customers need to have full autonomy over a product, including changes and maintenance, to enable quick incident response and recovery.  

In terms of data protection, an OT product must ensure the integrity and confidentiality of data, services and functions.

“OT data rarely changes and is valuable for threat actors trying to understand a system. An understanding of operational data is often needed to bypass safety checks and cause sustained harm,” the agencies explained in their guidance.

Secure by default implies that a product is secure and resilient against prevalent threats and vulnerabilities out of the box, without requiring configuration changes.

As for secure controls, products need to have mechanisms to protect themselves against malicious commands — working under the assumption that a threat actor is present on the network the product is deployed on.

Industrial control systems (ICS) and other OT products also need to have a detailed threat model, which enables asset owners to understand the risks associated with the product and prioritize security controls.

The guidance was written by security agencies in the US, Australia, Canada, Germany, the Netherlands, New Zealand, and the UK, as well as an agency of the European Commission. The document is available in PDF format.
