OPC Foundation releases 'Secure by Demand' document

The OPC Foundation has announced the release of ‘Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products’.

Cyberthreat actors are commonly targeting specific OT products rather than specific organisations. In an effort to help industry exercise vigilance and best practices, the Cybersecurity and Infrastructure Security Agency (CISA), a division of the United States Department of Homeland Security, in cooperation with global contributors, has created this document, which outlines how several OT products are not designed nor developed with secure-by-design principles. This means that these hardware and software components commonly have weaknesses when it comes to authentication, software vulnerabilities, limited logging, and insecure default settings and passwords.

“This document has been several months in the making and now, with its timely release, we see well-articulated guidance directed toward OT owners and operators,” said Michael Clark, Director OPC Foundation North America, one of the contributing authors. “By following the principles and best practices outlined therein, OT owners and operators are effectively securing critical infrastructure, thus making it more difficult for threat actors to be successful in their disruptive behaviours.”

Describing the motivation behind this document, Dr Matthew Rogers, ICS Expert at Cybersecurity and Infrastructure Security Agency (CISA), said: “The risk of a threat actor accessing the OT network is increasing due to business drivers for interconnectivity and the compromise of edge devices that enable segmentation. This Secure-by-Demand guidance for OT is the product of asset owners, governments, industrial automation and control system vendors, and industry groups like the OPC Foundation, all collaborating toward a more flexible and resilient implementation with their unique viewpoints and subject matter expertise, creating an implementation that has a better chance of escaping the label of ‘legacy’ in a few years’ time.

“Asset owners should take this guidance to their vendors and procurement officials as they consider procuring new OT equipment.”

Eleven internationally recognised security agencies have accredited the document:

• US Cybersecurity and Infrastructure Security Agency (CISA)
• Canadian Centre for Cyber Security (CCCS)
• United Kingdom’s National Cyber Security Centre (NCSC-UK)
• Germany’s Federal Office for Information Security (BSI)
• Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
• Netherlands’ National Cyber Security Centre (NCSC-NL)
• New Zealand’s National Cyber Security Centre (NCSC-NZ)
• Directorate General for Communications Networks, Content and Technology (DG CONNECT), European Commission
• US Federal Bureau of Investigation (FBI)
• US National Security Agency (NSA)
• US Environmental Protection Agency (EPA)
   

The document can be downloaded here.

Image credit: iStock.com/sankai