The UK’s National Cyber Security Centre (NCSC) has joined forces with its Five Eyes partners and other agencies from the European Union (EU) to publish a new guide designed to help critical national infrastructure (CNI) bodies, and others that rely on operational technology (OT), demand improved security in products when making buying decisions.
With operators of CNI under near-constant threat from malicious actors – many of them working at the behest of hostile intelligence agencies – the NCSC said it was aiming to provide clear guidance on choosing products and manufacturers that adhere to secure-by-design principles, giving their own systems a resilient foundation and minimising the risks posed by cyber attacks.
Historically, such components have not been developed with security as a priority – or in many cases at all – giving threat actors an open window into their tech estates, one that is becoming much wider as more and more OT components connect into wider IT systems.
Moreover, such components are often heavily targeted because a successful compromise can be easily replicated across multiple victims.
“As cyber attackers increasingly target operational technology around the world, it has never been more vital for critical infrastructure operators to ensure security is baked into the systems they use,” said NCSC director of national resilience and future technology, Jonathan Ellison.
“This new guide gives organisations practical advice on how to prioritise OT products that are secure by design when making purchasing decisions, helping to mitigate the very real cyber threats they face.
“I strongly advise UK operators of OT systems to follow this guidance to help set a strong foundation for their cyber resilience and to send a signal to manufacturers that security is more than just an extra feature for products but a requirement in demand.”
The guidance, which is officially available to download from the website of the NCSC’s American counterpart CISA, lays down 12 security considerations that OT users should integrate into their procurement process, both to help defend themselves, and to force manufacturers to do better.
The considerations buyers should weigh up – and the answer to each of these questions should always be ‘yes’ – are as follows:
- Does the product support controlling and tracking modifications to configuration settings and engineering logic?
- Does the baseline product support logging of all actions, including changes to configuration, security and safety events, using open standard formats?
- Does the product use open standards to support secure functionality and services, and to migrate configuration settings and engineering logic?
- Does the product give owners and operators full autonomy over it, including the ability to conduct maintenance and make other changes, and minimise dependence on the supplier?
- Does the product protect the integrity and confidentiality of data, services and functions, including configuration settings and engineering logic, both at rest and in transit?
- Does the product arrive secure ‘out-of-the-box’, reducing attack surfaces and removing the burden on owners by including all security features in all versions, eliminating default passwords and allowing complex ones, disabling older protocols by default, not exposing external interfaces, and giving users the ability to reset it to its original state?
- Does the product support secure authenticated communications that fail ‘loudly’ but let critical processes continue, and that do not require significant cyber skills to achieve?
- Does the product come with secure controls that guard it against threat actors sending malicious commands, protect the availability of essential functions, and minimise the impact of an incident on wider systems?
- Does the baseline version of the product appropriately protect against unauthorised access through measures such as multifactor authentication or role-based access control?
- Does the product have a full, detailed threat model that lays out how it might be compromised, and measures to reduce such scenarios?
- Does the product manufacturer have a vulnerability disclosure and management programme in place, including testing, support and management, and free patching?
- Does the product have a well-documented and straightforward patching and upgrade process that enables users to move to a supported operating system gratis if the original can no longer be supported?
Cyber seatbelts
CISA director Jen Easterly, writing today, compared the current situation to the period just before public pressure forced car manufacturers to start building in safety features – such as seatbelts, anti-lock brakes and so on – as standard. In the US, outrage over sky-high road fatalities was driven by the publication 60 years ago of a landmark text, Unsafe At Any Speed, by consumer advocate and politician Ralph Nader.
“We don’t have a cyber security problem; we have a software quality problem,” said Easterly. “We are now at a tipping point – with foreign adversaries rampantly exploiting defective software – where this recognition is leading to a concerted demand for better security.
“Just as automobile safety reforms only succeeded when the public demanded safer cars as a basic standard, the software industry will only prioritise secure design when we…demand it as the baseline for a functioning, secure, digital ecosystem.
“The secure-by-design initiative supports this demand by equipping customers with key questions to ask vendors about their software – just as public safety campaigns taught the nation how to evaluate the safety features of their cars. By empowering users, we aim to create a seismic shift in software security.”