Run an operational technology (OT) environment in a factory or utility? Here's a guide for buying secure equipment
Cybersecurity agencies in the Five Eyes co-operative and several European countries have issued a list of priority considerations for administrators of OT environments when shopping for digital products.
Threat actors usually target specific OT products, not specific organizations, the report warns, so buying the safest technology is vital.
"When security is not prioritized nor incorporated directly into OT products, it is difficult and costly for owners and operators to defend their OT assets against compromise," says the report.
OT administrators shouldn't forget the 2021 cyber attack on a Florida water treatment facility that leveraged dormant remote control access software.
When shopping for OT products -- everything from switches, routers, wireless access points, servers, sensors, industrial control systems, programmable logic controllers and more -- buyers should choose products from manufacturers that prioritize:
--secure configuration management
--thorough logging of all actions, including changes to configuration
--open standards, which will help in replacing or adding products to the environment
--the protection of the integrity and confidentiality of data, services and functions
--being secure by default (for example, by not having default passwords, allowing for appropriate password length and complexity, and not unnecessarily exposing external interfaces)
--secure authenticated digital certificates
--resilience to threat actors sending out malicious emergency, safety or diagnostic commands
--strong login authentication in the baseline version of the product
--a full and detailed threat model that articulates the ways in which the product might be compromised -- and suggested measures to reduce these threat scenarios
--proof the manufacturer has a vulnerability management regime that tests for known exploitable vulnerabilities. Look for vendors who include hardware and software bills of materials
--an easy-to-follow product patch and upgrade process.
All of this is summarized by calling these products Secure by Design.
"By rigorously enforcing purchasing decisions that require and prioritize the purchase of products that enforce these elements, critical infrastructure organizations can help mitigate current and emerging cyber threats to critical infrastructure and create a path away from legacy environments," says the report.
"Additionally, OT owners and operators will send a message to manufacturers to stimulate the supply of Secure by Design products."
The full report can be accessed here.
The Five Eyes countries are the U.S., Canada, the U.K., Australia and New Zealand.