Operational technology (OT) systems are increasingly connected, and therefore increasingly exposed to cyber threats. Ensuring robust security for OT is no longer optional; it is a critical business need. But what is the best way to approach such a complex task?
The newly released guide, “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products,” published by the US Cybersecurity and Infrastructure Security Agency (CISA) together with other US federal agencies and partner agencies in Germany and other European countries, Canada, Australia and New Zealand, is a joint initiative aimed at helping industrial organizations navigate the complexities of safeguarding OT infrastructure. The publication addresses the rapidly changing cybersecurity landscape, proposing a structured approach that places security at the forefront of product selection, implementation, and long-term operation. It is the buyer-side counterpart to CISA’s “Secure by Design” initiative, which is addressed to the manufacturers of software and digital products.
1. The Evolving Landscape of OT Cybersecurity
The guide opens by noting how quickly OT environments are changing. As industrial and maritime OT systems become more networked, often converging with IT systems, cyber risks proliferate. The traditional assumption of an “air gap” is no longer adequate, and OT owners must account for threats that can exploit even minor weaknesses, including weaknesses shipped in the products they buy. The document urges stakeholders to take a proactive stance, transforming security from an afterthought into a continuous, strategic priority.
2. “Secure by Demand” vs. “Secure by Design”
A central theme in this guide is the concept of “Secure by Demand,” the procurement-side complement of the widely familiar “Secure by Design.” While “Secure by Design” asks manufacturers to build security into their products during development, “Secure by Demand” asks the buyers of those products, here OT owners and operators, to make secure-by-design properties an explicit requirement when selecting, contracting for, and operating digital products. Instead of treating security as a one-time checklist item (such as a review at commissioning), the guide suggests using purchasing power to demand products that remain securable for their whole service life, and it lists priority security elements (among them secure-by-default configuration, strong authentication, secure communications, logging in the baseline product, configuration management, vulnerability handling, and upgrade and patch tooling) that owners should ask vendors about before buying.
Key differences include:
- Leverage: “Secure by Demand” recognizes that OT owners rarely control how a product is built, but they do control what they buy; security requirements therefore belong in RFPs, evaluations and contracts, not only in post-deployment hardening.
- Lifecycle Coverage: The focus extends from design and selection to operation, covering continuous monitoring, vulnerability handling by the vendor, and the tooling needed to upgrade or patch devices without lengthy outages.
- Resource Allocation: By weighing the potential impact of a weakness in a given product against the cost of mitigating it after deployment, owners can prioritize the security elements that matter most for their environment and push those to the top of their vendor requirements.
3. Emphasis on Risk Assessment and Management
Given the complexity of industrial control systems, a robust risk management program is essential. The guide underscores the importance of:
- Comprehensive Risk Assessments: Analyze all layers of an OT network, from sensor level to supervisory control layers.
- Prioritization: Distinguish between high-impact vulnerabilities (e.g., a safety-critical system) and less critical ones, ensuring that remediation follows a clear hierarchy.
- Regulatory Compliance: Familiarize teams with the relevant standards and regulations (such as IEC 62443, NIST SP 800-82 and sector-specific requirements, for example IACS UR E26 and E27 for ships and the EU NIS2 directive) and map the organization’s internal controls against them.
4. Building a Cybersecurity Culture
Technical measures alone are insufficient if employees do not buy into secure operations. The guide calls for:
- Security Awareness Training: Continuous education for staff—from top-level executives to on-site engineers—about evolving cyber threats and best practices.
- Cross-Functional Collaboration: Departments such as engineering, maintenance, IT, and procurement must actively coordinate on security decisions.
- Executive Sponsorship: Leadership must champion cybersecurity initiatives, ensuring they receive adequate funding and visibility in organizational priorities.
5. Technology and Architectural Considerations
Although people and processes form the bedrock of effective security, leveraging the right technologies can significantly reduce the risk profile of OT systems. The guide suggests:
- Network Segmentation: Divide the OT network into zones and connect them only through controlled conduits (the IEC 62443 model), isolating safety and control systems from business networks and external connections so that a compromise in one zone cannot spread freely into another.
- Identity and Access Management (IAM): Adopt strong authentication (one of the elements the guide tells owners to demand from vendors), role-based permissions, and secure remote access that is brokered, logged and time-limited rather than exposed directly to the Internet.
- Monitoring and Anomaly Detection: Deploy continuous monitoring solutions that detect unusual behavior or unexpected traffic across control systems.
- Patch Management and Vulnerability Scanning: Regularly assess OT networks for known vulnerabilities, schedule updates, and validate patches in a test environment before deployment to minimize disruption. Note that active scanning can crash or stall fragile field devices; prefer passive discovery or vendor-sanctioned scan profiles, and scan control-level assets only within maintenance windows.
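To make the segmentation and monitoring bullets above concrete, here is an added example in Python; it is not code from the guide or from the original article. It assumes a constructed, hypothetical zone layout and a made-up flow-log format in which each record reads `<src> <dst> <dport> [fc=<Modbus function code>]`. The script checks every flow against a zone-and-conduit policy and, separately, flags Modbus write operations into the control zone that come from hosts other than the allow-listed engineering workstation. All addresses, zones, conduits and sample records are invented for illustration.

```python
"""Added example: zone/conduit policy check plus Modbus write anomaly detection
over constructed OT flow records. Addresses, zones, conduits and log lines are
hypothetical; the record format '<src> <dst> <dport> [fc=<n>]' is made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

# Hypothetical zones, loosely following Purdue levels / IEC 62443 zones.
ZONES = {
    "enterprise":  ip_network("10.0.0.0/16"),      # business IT
    "dmz":         ip_network("10.1.0.0/24"),      # IT/OT DMZ (historian, jump host)
    "supervisory": ip_network("192.168.10.0/24"),  # SCADA servers, HMIs, engineering
    "control":     ip_network("192.168.20.0/24"),  # PLCs / RTUs
}

# Permitted conduits: (source zone, destination zone) -> allowed TCP destination ports.
# Anything not listed here is treated as a segmentation violation.
CONDUITS = {
    ("enterprise", "dmz"):          {443},
    ("dmz", "supervisory"):         {443},
    ("supervisory", "supervisory"): {443, 502},
    ("supervisory", "control"):     {502},   # Modbus/TCP
    ("control", "control"):         {502},
}

# Modbus function codes that change process state (write coils/registers).
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}
# Only these hosts may write into the control zone (constructed engineering workstation).
WRITE_ALLOWLIST = {"192.168.10.5"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    fc: Optional[int]  # Modbus function code when the record carries one


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'unknown' if it lies outside every zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<src> <dst> <dport> [fc=<n>]'."""
    parts = line.split()
    fc = None
    for token in parts[3:]:
        if token.startswith("fc="):
            fc = int(token[3:])
    return Flow(parts[0], parts[1], int(parts[2]), fc)


def check_flow(flow: Flow) -> List[str]:
    """Return findings for a flow: conduit-policy violations and write anomalies."""
    findings = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if flow.dport not in CONDUITS.get((src_zone, dst_zone), set()):
        findings.append(
            f"segmentation: {src_zone}->{dst_zone} on tcp/{flow.dport} is not a permitted conduit")
    # A write into the control zone is allowed only from allow-listed hosts,
    # even when the conduit itself (supervisory->control, tcp/502) is permitted.
    if dst_zone == "control" and flow.fc in MODBUS_WRITE_CODES and flow.src not in WRITE_ALLOWLIST:
        findings.append(
            f"anomaly: Modbus write fc={flow.fc} from non-allow-listed host {flow.src}")
    return findings


def analyze(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Run check_flow over every non-empty record; returns {record: findings}."""
    return {line: check_flow(parse_flow(line)) for line in lines if line.strip()}


# Constructed sample records (not real traffic).
SAMPLE_LOG = """\
192.168.10.5 192.168.20.11 502 fc=3
192.168.10.5 192.168.20.11 502 fc=16
192.168.10.7 192.168.20.11 502 fc=6
10.0.4.22 192.168.20.11 502 fc=16
10.0.4.22 10.1.0.10 443
"""

if __name__ == "__main__":
    for record, findings in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{record:40s} {'ok' if not findings else '; '.join(findings)}")
```

On the sample data, a read (fc=3) from any supervisory host and a write from the engineering workstation both pass; a write from a second supervisory host is reported as an anomaly even though the conduit is permitted, and a write from an enterprise address to a PLC raises both a segmentation and an anomaly finding. In a real deployment the function code would come from a Modbus-aware sensor or IDS export and the zone map from the asset inventory, but the two-layer logic (is the conduit allowed at all, and is this operation expected from this host) is the point.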
6. Vendor and Supply Chain Security
Modern OT environments rely on a global supply chain of hardware, software, and third-party support. This guide stresses:
- Vendor Transparency: Encourage openness from suppliers regarding product vulnerabilities, patch release cycles, and secure development practices.
- Lifecycle Management: Conduct periodic reviews of vendor performance, ensuring that they maintain security controls throughout a product’s lifecycle.
- Contractual Safeguards: Incorporate cybersecurity clauses in procurement and service agreements, delineating roles, responsibilities, and liability in case of breaches.
7. Incident Response and Recovery
Finally, the publication underscores that cyber incidents are not a matter of “if” but “when.” OT owners must:
- Develop Comprehensive Incident Response Plans: Map out communication channels, designate incident response leads, and rehearse procedures through drills.
- Build Resilience: Invest in redundancy and backup strategies to reduce downtime when breaches or system failures occur.
- Post-Incident Analysis: Investigate root causes and integrate lessons learned into ongoing security strategies to prevent recurrence.
Conclusion
With the rise of interconnected industrial systems, security can no longer be an add-on. “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products” proposes an integrated approach that acknowledges the immediacy and gravity of modern threats. By demanding secure-by-design products from suppliers and then operating them with sound segmentation, monitoring and a rehearsed response capability, OT owners can strengthen their defenses, protect critical infrastructure, and maintain operational continuity against an ever-shifting threat landscape.