For the OPC Foundation, security has always been a mainstay in its standardization activities. Over the years, this focus on security standards not only resulted in using the latest security methods in the transport of information exchange, but also to standardize security management of OT systems. With this deep experience in OT security, the OPC Foundation is proud to have provided input to a group of government security experts. The resulting paper “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products,” has received accreditation from 11 top security agencies worldwide. This recognition shows the importance that government bodies place on OT cybersecurity and their acknowledgement of the importance that this document highlights in fortifying operational technology (OT) environments against cyber threats.
Developed in collaboration with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and international experts, “Secure by Demand” addresses critical vulnerabilities in OT products. It offers practical best-practices to help OT owners and operators enhance their security measures. The guide covers common weaknesses such as authentication issues, software vulnerabilities, limited logging, and insecure default settings and passwords.
The document has been endorsed by security agencies, including:
- U.S. Cybersecurity and Infrastructure Security Agency (CISA)
- Germany’s Federal Office for Information Security (BSI)
- Netherlands’ National Cyber Security Centre (NCSC-NL)
- New Zealand’s National Cyber Security Centre (NCSC-NZ)
- United Kingdom’s National Cyber Security Centre (NCSC-UK)
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- U.S. Federal Bureau of Investigation (FBI)
- U.S. National Security Agency (NSA)
- U.S. Environmental Protection Agency (EPA)
- Canadian Centre for Cyber Security (CCCS)
- Directorate General for Communications Networks, Content and Technology (DG CONNECT), European Commission
Michael Clark, Director OPC Foundation North America, one of the contributing authors, says, “This document has been several months in the making and now, with its timely release, we see well-articulated guidance directed toward OT owners and operators”. Clark continues, “By following the principles and best practices outlined therein, OT owners and operators are effectively securing critical infrastructure, thus, making it more difficult for threat actors to be successful in their disruptive behaviors.”
Describing the motivation behind this document, Dr. Matthew Rogers, ICS Expert at Cybersecurity and Infrastructure Security Agency (CISA) explained, “The risk of a threat actor accessing the OT network is increasing due to business drivers for interconnectivity and the compromise of edge devices that enable segmentation. This Secure by Demand guidance for OT is the product of asset owners, governments, industrial automation and control system vendors, and industry groups, like the OPC Foundation, all collaborating toward a more flexible and resilient implementation with their unique viewpoints and subject matter expertise, creating an implementation that has a better chance of escaping the label of “legacy” in a few years’ time.” Dr. Rogers further emphasizes, “Asset owners should take this guidance to their vendors and procurement officials as they consider procuring new OT equipment.”
“This document outlines a checklist of capabilities that align with the vision of the OPC UA standard. These capabilities give asset owners specific requirements to give to their perspective vendors, thus, ensuring that owner/operators can secure their factories from modern cyber security threats.” asserts Randy Armstrong, Chairman of the Security Working Group of the OPC Foundation. Mr. Armstrong emphasizes, “This document further serves as a valuable tool that allows asset owners to change the conversation with their vendors about what their needs will be when it comes to secure-by-design principles.”
This collaborative effort by global security experts and agencies provides the OT community with sound advice and practical guidance to safeguard their systems against evolving cyber threats.
For more information and to download the document, visit the OPC Foundation website:
https://opcfoundation.org/news/press-releases/secure-by-demand-document-accredited-by-11-top-security-agencies-from-around-the-world/