Operational Technology Products Face Potentially Harmful Cyber Intrusions Highlighted in Fresh Study
The Cybersecurity and Infrastructure Security Agency (CISA) has published a new report titled "Secure by Demand: Priority Considerations for Operational Technology Owners and Operators When Selecting Digital Products." The report, which was released this week, is a collaborative effort with international partners.
The report underscores the potential damage from attacks on operational technology products, such as those used in the energy, health, and transport sectors, which are identified as critical to daily life and requiring robust cyber security protections. According to Alan Marjan, Assistant Director-General of Cyber Security Resilience, it is crucial for critical infrastructure owners and operators, including energy, water supply, and transportation providers, to ensure their operating software is resilient to cyber-attacks.
The report highlights that many operational technology products are not designed with secure-by-design principles, leaving them with weaknesses that threat actors can easily exploit. Threat actors can gain access to control systems across multiple victims and sectors of critical infrastructure by exploiting these weaknesses.
Alan Marjan emphasized the importance of reducing as many vulnerabilities as possible that could be exploited by cyber attackers. The new guidance, supported by the Five Eyes, indicates that cyber threat actors are targeting known vulnerabilities and insecure default settings in operational systems.
The ACSC reports that threat actors are not targeting specific organizations, but rather the weakest points in operational systems. The report emphasizes key security elements that organizations should consider when selecting operational technology products, particularly industrial automation and control system products.
The full report can be found online, offering valuable insights for organizations seeking to strengthen their cybersecurity measures in the operational technology domain. It is a timely reminder of the importance of prioritizing cybersecurity considerations when selecting and implementing digital products in critical infrastructure sectors.
