Critical infrastructure organisations are being helped by the National Cyber Security Centre (NCSC) to secure their operational technology (OT) systems from growing cyber threats with new guidance agreed by cyber experts internationally.
The NCSC – a part of GCHQ – alongside agencies from the Five Eyes intelligence and security alliance and European partners, has recently issued new advice which sets out key security considerations for organisations when purchasing OT products.
The guide aims to help OT owners and operators choose products and manufacturers that follow secure-by-design principles, so that their systems have a cyber resilient foundation from the point of purchase, minimising the risks posed by a successful cyber attack.
Operational technology systems are used widely in critical sectors globally but many components are not developed with security as a priority, presenting weaknesses which are being successfully exploited by cyber attackers.
Threat actors often target specific OT products, rather than specific organisations, because they can easily replicate attacks across multiple victims and sectors.
Organisations that own and operate OT systems are strongly encouraged to integrate the 12 security considerations outlined in the guide into their procurement processes to help defend against threats and to send a clear signal to manufacturers about the level of security they expect from products.
“As cyber attackers increasingly target operational technology around the world, it has never been more vital for critical infrastructure operators to ensure security is baked into the systems they use,” Jonathon Ellison, NCSC Director of National Resilience and Future Technology, said. “This new guide gives organisations practical advice on how to prioritise OT products that are secure by design when making purchasing decisions, helping to mitigate the very real cyber threats they face.
“I strongly advise UK operators of OT systems to follow this guidance to help set a strong foundation for their cyber resilience and to send a signal to manufacturers that security is more than just an extra feature for products but a requirement in demand.”
Vendors and manufacturers have a key role to play in fixing foundational insecurities and taking responsibility for cyber security outcomes.
The 12 security considerations for organisations buying an OT product include whether the product allows for security and safety logging, has strong authentication controls, protects data, is configured in a secure way by default, and is supported by established vulnerability management processes by the manufacturer.
The NCSC has previously outlined the importance of implementing secure-by-design principles within technology products at source so as to improve overall resilience and develop a safer cyberspace.
This work aligns with the objectives of the government’s forthcoming Cyber Security and Resilience Bill.
The joint guide has been issued by the NCSC alongside:
- The US Cybersecurity and Infrastructure Security Agency (CISA)
- The US National Security Agency (NSA)
- The US Federal Bureau of Investigation (FBI)
- The US Environmental Protection Agency (EPA)
- The US Transportation Security Administration (TSA)
- The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- The Canadian Centre for Cyber Security (CCCS)
- Directorate General for Communications Networks, Content and Technology (DG CONNECT), European Commission
- Germany’s Federal Office for Information Security (BSI)
- The Netherlands’ National Cyber Security Centre (NCSC-NL)
- New Zealand’s National Cyber Security Centre (NCSC-NZ)