
[Image: Networked machines in an industrial factory]
  • Industry News
  • KRITIS
  • OT Security

CISA advises: 12 recommendations for selecting secure OT products

The security of industrial control systems and critical infrastructures is more important than ever in the face of increasing ransomware attacks and vulnerabilities in OT systems. The US authority CISA has published a guide with 12 recommendations to facilitate the selection of secure OT products and thus take cybersecurity into account as early as the procurement process. The guide helps operators to choose the right products and better protect their systems.

Choosing the right IT product poses major challenges for operators of OT systems. The US security authority CISA has published a guide with criteria for selection.

The US security authority CISA (Cybersecurity and Infrastructure Security Agency) has published a guide setting out 12 key security features for monitoring and control systems in the OT sector. The recommendations are intended to bring cybersecurity into consideration as early as the procurement process.

Almost every week, the US cybersecurity authority CISA warns of new vulnerabilities in industrial control systems (ICS). Most recently, devices from BD Diagnostic Solutions, B&R, Rockwell and Schneider Electric, many of which are also used in Germany, were affected. At the same time, ransomware attacks on critical infrastructure (CI, in German KRITIS) have increased significantly: last year alone there were around 300, reports the online magazine SC-Media.

As a result, KRITIS organisations had to report significantly more security incidents involving OT systems to the German Federal Office for Information Security (BSI) last year than in previous years. Compared to the previous year, the number rose by 43 per cent, according to a parliamentary enquiry.


Security of OT products: inadequate

The market for digital systems in the OT segment has grown significantly in recent years. For many OT operators, this makes choosing the right automation or control system an even greater challenge. Although security features are advertised, they are implemented inconsistently or only offered at additional cost. Attackers have adapted to this and increasingly target specific OT products rather than individual organisations, warns CISA: a flaw in one widely deployed product opens the door to every operator running it.

The US authority therefore felt compelled to publish criteria for the selection of secure products. This is because many OT products are still not designed and developed according to the principles of "security by design", i.e. security is not considered from the outset.


Deficits in authentication and passwords

As a result, numerous products have security deficits, such as weak authentication, a lack of access logging, insecure default settings or default passwords, the authority criticises. This makes it very easy for attackers to exploit these vulnerabilities simultaneously for several potential victims in order to gain access to their control systems and hijack installations, warns CISA. These security flaws also increase the effort required by operators to protect critical systems.


Twelve security touchstones as criteria in the procurement process

CISA recommends taking cybersecurity into account when procuring critical components. To this end, it has published guidelines for the procurement of secure operational technology (OT) such as industrial automation technology and control systems (ICS), in which the FBI, the NSA and the German Federal Office for Information Security (BSI), among others, have also participated. "The guidelines are intended to help industrial companies and operators of critical infrastructures (KRITIS) to take the 'Secure by Design' principle into account as early as possible - right from the purchasing and procurement processes," explains the BSI.

The guide focuses on twelve points, each backed by well-founded recommendations; a small selection follows below. CISA emphasises, however, that the weighting of the individual recommendations depends on local conditions, such as the systems in use, the fields of application and the available budget.


When manufacturer dependency becomes dangerous

One of the key recommendations addresses the dependence on manufacturers. All too often, operators of CI systems are "dependent on support contracts from providers or manufacturers for the maintenance and operation of systems". This can go so far that configuration or administration is not possible without the involvement of third parties. This can hinder secure configuration or the rectification of security flaws. Sometimes security features are even only offered as an additional service for a fee.

Updates play a similar role to the one they play in conventional IT: they are essential for closing security gaps quickly once they are discovered. The recommendation is to favour manufacturers that provide free updates over a long period, including free porting to a newer operating system when the original one is no longer supported. This addresses a problem that recurs in the Windows world, where existing software can no longer be used after a new Windows version is released. Manufacturers are also expected to test updates thoroughly before release, as faulty updates have repeatedly caused outages. Because prospective customers can hardly verify this in advance, the guide recommends ensuring that the product offers an automatic recovery function in case a patch causes problems.


Security as a basic requirement

Of course, "security by default" is also an important decision criterion. This means, among other things, that OT devices can be used securely as delivered without the need for complex configurations in advance. A system should be able to withstand the most common attacks without further measures, explains CISA. This also means that no universal default passwords are assigned and the latest versions of communication protocols are used. All security features should also be activated ex works. Device security must be considered a basic requirement of the customer and not just a technical feature.

CISA emphasises the positive impact of these proposals: by consistently making purchasing decisions with security features in mind, CI organisations can help mitigate current and emerging cyber threats and find a path away from outdated environments. At the same time, these operators send a signal to manufacturers, encouraging them to provide secure-by-design products. They are also better positioned to meet regulatory requirements such as the European NIS2 directive.

Author: Uwe Sievers

