Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products

The Cybersecurity and Infrastructure Security Agency (CISA) and partners warn that cyber threat actors, when compromising operational technology (OT) components, target specific OT products rather than specific organizations. Many OT products are not designed and developed with Secure by Design principles and commonly have weaknesses, such as weak authentication, known software vulnerabilities, limited logging, insecure default settings and passwords, and insecure legacy protocols. Cyber threat actors can easily exploit these weaknesses across multiple victims to gain access to control systems.

When security is not prioritized nor incorporated directly into OT products, it is difficult and costly for owners and operators to defend their OT assets against compromise. This Secure by Demand guide, authored by CISA with contributions from the following partners, describes how OT owners and operators should integrate security into their procurement process when purchasing industrial automation and control systems as well as other OT products.