Saturday, January 18, 2025

CNI Operators: 12 Essential Questions to Ask Your OT Suppliers

The UK’s National Cyber Security Centre (NCSC) has teamed up with its Five Eyes partners and EU agencies to release a new guide aimed at improving security for critical national infrastructure (CNI) and other organizations that rely on operational technology (OT). The guide is intended to help these organizations make purchasing decisions that are informed by security, rather than treating it as an afterthought.

CNI operators face constant threats from cyber attackers, often linked to hostile state intelligence services. The NCSC wants to offer straightforward advice for selecting products and manufacturers that build security into their design. Historically, many OT components were designed with no consideration for security at all, leaving weaknesses that threat actors can exploit. As OT systems are increasingly connected to wider IT networks, that exposure grows.

Jonathan Ellison, NCSC’s director of national resilience and future technology, emphasized the urgency. He said it’s crucial for CNI operators to embed security into their systems. This new guide provides practical steps to prioritize secure-by-design OT products, helping organizations defend against real cyber threats.

Ellison urges UK operators to adopt this guidance to strengthen their cyber resilience. It sends a message to manufacturers that security must be a fundamental feature, not just an added benefit.

This guide, available on the NCSC’s website, outlines 12 key security considerations for OT owners and operators during procurement. Buyers should check whether a candidate product meets each of the following:

1. Does the product let the owner track modifications to its configuration settings?
2. Does it log all actions, including configuration changes and security events, in open standard formats that the owner’s own monitoring tools can consume?
3. Does it use open standards, both for its security functions and for migrating configuration to another product, so the owner is not locked into a single vendor?
4. Does the owner have full autonomy over maintenance and changes to the product, without depending on the supplier?
5. Does it protect the integrity and confidentiality of its data and functions?
6. Is the product secure by default when delivered, with unnecessary services disabled to reduce the attack surface and with no default passwords?
7. Does it support secure communications, and can it keep performing its critical functions when those communications are under attack?
8. Does it protect against malicious commands, and limit the impact a compromised device can have on the wider system?
9. Does it include strong protection against unauthorized access, such as multifactor authentication?
10. Does the manufacturer provide a comprehensive threat model describing how the product could be compromised and which mitigations are in place?
11. Does the manufacturer run a vulnerability disclosure program and supply security patches free of charge?
12. Is there a clear and simple process for applying patches, and for upgrading to a supported version when the product reaches end of support?

CISA director Jen Easterly likened this moment to the pre-seatbelt era in cars. She noted that public concern over road safety eventually pushed car manufacturers to innovate and prioritize safety features. “We don’t have a cyber security problem; we have a software quality problem,” she said, calling for a shift towards demanding better security standards in software.

The secure-by-design initiative gives customers the questions they need to ask when evaluating software, much as safety campaigns gave the public a way to judge car features. By doing so, the agencies involved aim to transform software security for the better.