{"id":1531,"date":"2025-01-15T11:59:46","date_gmt":"2025-01-15T11:59:46","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1531"},"modified":"2025-01-15T11:59:46","modified_gmt":"2025-01-15T11:59:46","slug":"cisa-unveils-secure-by-demand-guidelines-to-bolster-ot-security","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1531","title":{"rendered":"CISA unveils \u2018Secure by Demand\u2019 guidelines to bolster OT security"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The US Cybersecurity and Infrastructure Security Agency (CISA), along with its international cybersecurity allies, has unveiled the \u201c<a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/secure-demand-guide\">Secure by Demand<\/a>\u201d guidelines to safeguard operational technology (OT) environments. The framework provides a blueprint for OT owners and operators to prioritize cybersecurity when procuring digital products.<\/p>\n<p>This initiative addresses growing concerns about vulnerabilities in critical infrastructure, including energy grids, transportation networks, and manufacturing facilities, which have increasingly become targets for sophisticated cyberattacks.<\/p>\n<p>Historically, weak authentication, outdated protocols, and insecure configurations have made OT systems particularly susceptible, underscoring the need for a proactive approach to procurement, the Secure by Demand guidelines stated in the document.<\/p>\n<p>\u201cDriving demand is essential, but achieving lasting change requires fostering accountability and industry-wide adoption of SbD principles \u2014 from the CEO\u2019s office to the developer\u2019s desk,\u201d CISA Director Jen Easterly <a href=\"https:\/\/www.cisa.gov\/news-events\/news\/building-secure-design-ecosystem\">wrote in a blog<\/a> corresponding to the announcement of the guidelines.<\/p>\n<h2 class=\"wp-block-heading\">From reactive measures to proactive resilience<\/h2>\n<p>The guidelines advocate embedding security principles during procurement rather than retrofitting solutions post-deployment. Key aspects include mandating detailed vulnerability patch histories, secure default settings, strong authentication, and modern encryption capabilities from vendors. <\/p>\n<p>The emphasis is on selecting secure technologies and ensuring a transparent partnership with suppliers that adhere to security standards throughout the product lifecycle.<\/p>\n<p>\u201cOperational technologies underpin critical infrastructure, and when vendors deliver products with security flaws, it compromises the entire ecosystem,\u201d the guidance stated. The recommendations stress resilience by design, enabling organizations to thwart potential attacks and maintain the integrity of their systems without delays caused by post-breach recovery efforts.<\/p>\n<h2 class=\"wp-block-heading\">Challenges and implications for vendors and operators<\/h2>\n<p>Adopting the \u201cSecure by Demand\u201d principles may require significant operational adjustments, particularly for vendors and organizations new to such stringent guidelines. Vendors are expected to provide transparency around security certifications, patching schedules, and mechanisms to address future vulnerabilities. For OT operators, this implies overhauling procurement protocols to align with cybersecurity priorities, potentially delaying adoption but ultimately fortifying defenses.<\/p>\n<p>While the guidelines emphasize preemptive measures, experts recognize challenges for smaller vendors that may struggle with compliance due to resource constraints. Similarly, transitioning existing OT systems to align with <a href=\"https:\/\/www.cisa.gov\/securebydesign\">secure by design<\/a> principles could strain budgets and timelines.<\/p>\n<p>\u201cThe legacy nature of OT systems, with lifecycles much longer than IT services, often results in outdated infrastructure that is difficult to patch or update without operational disruptions,\u201d said Shivraj Borade, senior analyst at Everest Group. \u201cVendor dependencies for updates and integration complexities further compound these challenges.\u201d<\/p>\n<p>Borade emphasized the heightened vulnerabilities of OT systems, \u201cWidely used in critical infrastructure, these products are prime targets for threat actors. Building secure OT products has now become an urgent priority.\u201d<\/p>\n<p>He suggested that CISA\u2019s new guidelines could reshape enterprise procurement strategies for OT products. \u201cThese guidelines are poised to increase collaboration between OT product companies and <a href=\"https:\/\/www.csoonline.com\/article\/3595787\/ot-security-becoming-a-mainstream-concern.html\">OT security<\/a> Independent Software Vendors (ISVs), unlocking significant opportunities in the OT security market,\u201d he added.<\/p>\n<h2 class=\"wp-block-heading\">A roadmap for resilience in OT<\/h2>\n<p>The \u201cSecure by Demand\u201d guidelines represent a significant move toward a more secure and resilient operational landscape. By placing cybersecurity at the forefront of procurement, CISA\u2019s framework encourages industries to prioritize long-term security over short-term convenience.<\/p>\n<p>The successful implementation of these recommendations could position the framework as a global standard, paving the way for reduced risks and stronger international cooperation in defending against cyber threats. For OT stakeholders, the guideline serves as both a warning and an opportunity \u2014 to adapt, innovate, and safeguard their critical systems for a rapidly evolving digital world.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The US Cybersecurity and Infrastructure Security Agency (CISA), along with its international cybersecurity allies, has unveiled the \u201cSecure by Demand\u201d guidelines to safeguard operational technology (OT) environments. The framework provides a blueprint for OT owners and operators to prioritize cybersecurity when procuring digital products. This initiative addresses growing concerns about vulnerabilities in critical infrastructure, including [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1524,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1531","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1531"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1531"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1531\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1524"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}