Press Release | Jan. 13, 2025

NSA and Others Publish Guidance for Secure OT Product Selection

FORT MEADE, Md. - The National Security Agency (NSA) joins the Cybersecurity and Infrastructure Security Agency (CISA) and other organizations to publish guidance helping operational technology (OT) owners and operators integrate security when selecting OT products.

The joint Cybersecurity Information Sheet (CSI), “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators in the Selection of Digital Products,” highlights key security elements to consider when purchasing industrial automation and control systems and other OT products, as well as specific questions to ask manufacturers. Many OT products are not designed or developed securely, and they commonly have weaknesses that make them a target for cyber threat actors, including the following: weak authentication, shared software vulnerabilities, limited logging, default settings, default credentials, and default protocols.

“The guidance not only helps owners and operators of critical systems secure their OT procurement lifecycles, it also sends a message to manufacturers to establish a more resilient and flexible cybersecurity foundation in their products,” said Dave Luber, NSA’s Cybersecurity Director.

The CSI urges OT owners and operators to select products with the following key security elements:

  • configuration management,
  • logging in the baseline product,
  • open standards,
  • ownership,
  • protection of data,
  • secure by default,
  • secure communications,
  • secure controls,
  • strong authentication,
  • threat modeling,
  • vulnerability handling, and
  • upgrade tooling.

The other agencies co-sealing the CSI are the Federal Bureau of Investigation (FBI), the U.S. Department of Energy, the U.S. Environmental Protection Agency (EPA), the U.S. Transportation Security Administration, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), the European Commission, Germany’s Federal Office for Information Security (BSI), the Netherlands’ National Cyber Security Centre (NCSC-NL), New Zealand’s National Cyber Security Centre (NCSC-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).

The report complements a previously published CSI, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software,” jointly released in April 2023 and updated in October 2023.

Read the full report here.
 
Visit our full library for more cybersecurity information and technical guidance.
 


NSA Media Relations
MediaRelations@nsa.gov
443-634-0721