A guide to incorporating secure solutions in ICS environments

Critical infrastructures play a fundamental role in the functioning of modern society, managing
essential services such as energy, water and transportation. However, it is also well known that
they are attractive targets for malicious actors seeking to exploit vulnerabilities in operational
technology (OT). In this context we share a summary of the "Secure by Demand" report,
developed by CISA in collaboration with several international agencies, which provides a
comprehensive guide for OT developers and operators interested in integrating security as a
key criterion when selecting digital products.

The OT Security Challenge
Despite their strategic relevance in industrial, energy, transportation and other critical infrastructure
sectors, OT systems often suffer from design and configuration issues that make them vulnerable to
cyber threats. These problems include the following key areas:
● Weak authentication: Many OT devices still operate with factory default passwords, making
them easy targets for attackers. In many cases, systems do not even offer options to
improve authentication, such as enabling strong passwords or implementing multi-factor
authentication methods. This lack of strong credentials represents a critical risk, as it allows
unauthorized access that could compromise critical operations.
● Limited event logging: One of the main difficulties in managing security in OT systems lies
in the limited ability to log and monitor relevant events. Without an adequate activity log, it
becomes practically impossible to identify suspicious activities, analyze incidents or
implement corrective measures in time. This lack of visibility creates blind spots in the
infrastructure, leaving security teams at a disadvantage in the face of potential attacks.
● Insecure protocols: Reliance on legacy communication protocols, originally designed for
isolated environments, represents a significant problem. Many of these protocols lack
encryption or authentication mechanisms, making it easy for malicious actors to intercept
and manipulate data. In addition, the lack of regular updates leaves open backdoors for
attackers to exploit.
● Unnecessary dependencies: In many cases, OT system manufacturers impose restrictions
that force owners to rely on them for maintenance, software upgrades or equipment repair.
These dependencies generate additional costs and, in some cases, delay the
implementation of security patches, which amplifies risk exposure.
These vulnerabilities not only hinder the day-to-day management of OT systems, but also
significantly increase the risk of targeted cyberattacks. Malicious actors, from organized
cybercriminals to insider threats, exploit these weaknesses to infiltrate networks, sabotage critical
operations or even cause disruptions to essential services.

Selection Priorities
The Secure by Demand report identifies 12 priority elements that organizations should consider
when procuring Operational Technology (OT) solutions. These elements seek to ensure the security,
resilience and efficiency of OT systems in industrial and critical environments.

1 – Configuration Management
Products must allow control and monitoring of changes in configurations and engineering logic. A
system with poor configuration management can quickly become vulnerable, either through
accidental errors or unauthorized changes. Recommended practices:
● Implement early warning mechanisms for unsafe configurations.
● Include versioning and change control tools to track what changes have been made, when
and by whom.
● Provide secure backup and restore options so that changes can be reverted if necessary.
2 – Logging as Standard
Event logging capability should be enabled by default and use open formats that facilitate data
correlation across different platforms. Adequate logging makes it possible to:
● Monitor changes in configurations and access, detecting intrusion attempts or misuse.
● Facilitate incident response, as detailed logs help analyze past events and understand the
scope of a potential security breach.
● Ensure traceability of all activities performed in the system.

3 – Open Standards
The use of open standards is essential to avoid vendor-specific dependencies and ensure
interoperability with other technologies. This implies:
● Adoption of open and widely accepted industry protocols.
● Use of common log formats, ensuring compatibility with analysis and monitoring tools.
● Incorporation of robust and auditable encryption protocols, avoiding the use of proprietary
mechanisms that may generate hidden vulnerabilities.

4 – Operator Autonomy
Operational safety and efficiency depend on operators having full control over the systems without
relying solely on the manufacturer. To achieve this, products must enable:
● Autonomous management of maintenance and configuration by the operators.
● Full access to essential functionalities, without vendor-imposed restrictions.
● The ability to apply security updates and configuration settings without requiring
manufacturer intervention.

5 – Data Protection
Ensuring data confidentiality, integrity and availability is essential in OT environments. To this end,
the following must be implemented:
● Encryption at rest and in transit, protecting information against unauthorized access.
● Strict access controls, limiting access to data to authorized personnel only.
● Mechanisms for detection and prevention of data manipulation, avoiding malicious or
accidental alterations.

6 – Default Security
Security should not be an add-on option, but an integrated feature from the initial product design. This
includes:
● Elimination of default credentials to prevent unauthorized access.
● Disabling insecure protocols that can be exploited by attackers.
● Initial configuration with recommended security settings, reducing the need for manual
adjustments by the user.

7 – Secure Communications
The integrity and confidentiality of communications is critical to prevent interception and
Man-in-the-Middle (MitM) attacks. OT systems must:
● Include end-to-end encryption in all communications.
● Incorporate strong authentication mechanisms to prevent unauthorized access.
● Be easy to implement, so that these protections are adopted without compromising
usability.

8 – Secure Controls
To prevent malicious manipulation of devices, they must be designed with robust security
mechanisms. This means that OT products must:
● Be resistant to malicious commands, preventing external actors from manipulating their
operation.
● Have protections against unauthorized code execution, preventing an attacker from loading
malicious software.
● Operate securely even under attempted attacks, minimizing the impact of incidents.

9 – Strong Authentication
OT systems must implement authentication methods that minimize the risk of improper access. To
this end, it is recommended to:
● Use role-based access controls (RBAC), limiting privileges according to the user's level of
responsibility.
● Implement multi-factor authentication (MFA) on critical systems, adding an additional layer of
security.
● Log and audit all access attempts, allowing intrusion attempts to be identified.

10 – Threat Modeling
To ensure that an OT product is secure, manufacturers must conduct a detailed analysis of potential
threats. This involves:
● Document detailed threat models, identifying potential attack vectors.
● Include risk mitigation strategies, ensuring that the product can withstand known and
emerging attacks.
● Assess system resilience through periodic security testing and audits.

11 – Vulnerability Management
The ability to identify and correct vulnerabilities in a timely manner is a fundamental pillar of OT
system cybersecurity. To this end, products must:
● Have mature processes for identifying and resolving vulnerabilities.
● Deliver security updates on a regular basis and without operational interruptions.
● Adopt a transparent disclosure policy, informing customers about detected vulnerabilities and
recommended corrective actions.

12 – Updating and Patching Tools
Applying security patches and updates is key to reducing risks and maintaining system integrity over
time. To this end, the following must be ensured:
● Ease of implementation of updates, ensuring that they can be applied without affecting
operability.
● Verification of patch authenticity, avoiding the introduction of malicious software.
● Extended support for critical products, ensuring that they continue to receive security
updates throughout their life cycle.
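As an added illustration of the patch-authenticity check in item 12 (example code written for this summary, not code from the report or from any vendor), the following Go program shows the gate an updater would run before applying a package: the vendor signs a manifest carrying the image digest and version with an Ed25519 key pinned in the device, and the updater rejects tampered images, signatures from unpinned keys and downgrades to an older version. The key pair, image bytes and manifest format are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is the signed metadata of one patch package: the vendor signs it, and
// its digest binds the image bytes to it, so neither can be swapped independently.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

func (m Manifest) encode() []byte { // canonical bytes that are signed and verified
	return []byte(fmt.Sprintf("version=%d;sha256=%x", m.Version, m.ImageHash))
}

var ErrBadSignature = errors.New("manifest signature invalid")
var ErrHashMismatch = errors.New("image hash does not match manifest")
var ErrRollback = errors.New("version is not newer than installed")

// VerifyPatch is the gate an updater runs before applying a package: signature
// under the pinned vendor key, then image digest, then anti-rollback on version.
func VerifyPatch(pub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

// SignPatch is the vendor-side step: it produces the manifest and its signature.
func SignPatch(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.encode())
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	m, sig := SignPatch(priv, 2, []byte("constructed image v2"))
	fmt.Println(VerifyPatch(pub, 1, m, sig, []byte("constructed image v2")), VerifyPatch(pub, 1, m, sig, []byte("tampered")))
}
```

In a real device the vendor public key would be pinned in firmware or a secure element rather than generated at runtime, and the installed version would come from non-volatile storage so the anti-rollback check survives reboots.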

A Call to Action
Adopting a proactive cybersecurity posture is not just an option, but a strategic necessity for critical
infrastructure protection and business continuity. Requiring that Operational Technology (OT)
solutions comply with fundamental security principles not only helps reduce the risk of cyberattacks,
but also drives a transformation in the industry, fostering an ecosystem where manufacturers
prioritize security from the design and development of their products.
Every procurement decision must be based on sound security criteria, ensuring that the products
selected are not only functional and efficient, but also resilient to emerging threats.
In addition, ensuring compliance with established regulatory frameworks is a fundamental part of this
strategy. Regulations such as the European Union's NIS2 Directive not only establish minimum
security requirements, but also reinforce the need to implement strict controls in the selection and
management of critical technologies. Complying with these regulations not only avoids sanctions
and penalties, but also strengthens the position of organizations in the face of legal and operational
risks.
The call to action is clear: demand high security standards at every stage of the OT systems
lifecycle. Only through a joint commitment between operators, manufacturers and regulators can we
ensure a more secure and resilient environment in the face of current and future threats.
