CISA and OTORIO Agree on Secure by Design Technology

24 Jan 2023

By Meidan Zemer, Kfir Tzukrel, and Michael Benis

In a recent interview at CES 2023, U.S. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly highlighted how crucial it is for technology companies to create products that are secure by design, rather than responding to security issues after products are brought to market. This is particularly critical for operational technology (OT) security platforms because critical infrastructure and industrial manufacturing companies rely on them to assess and identify risks, mitigate vulnerabilities, and safeguard operational environments against cyber attacks.

“We've essentially accepted as normal that technology is released to market with dozens or hundreds or thousands of vulnerabilities and defects and flaws,” Director Easterly lamented. It is simply unacceptable, she warned, that “critical infrastructure that we rely upon is all underpinned by a technology ecosystem that unfortunately has become really unsafe.”

OTORIO agrees. Our industrial-native OT security platform is certified as secure by design from the outset because our customers must protect everything they operate.

What is ‘secure by design’ for OT cybersecurity?

Secure by design in OT security means that industrial OT security platforms like OTORIO’s RAM2 must be free of security gaps and vulnerabilities at every stage of their Secure Software Development Life Cycle (SSDLC) product design. This ensures that end users of OTORIO’s OT cybersecurity platform, like critical infrastructure and industrial manufacturing organizations, can rely on the product being free of security gaps and vulnerabilities at every stage of the product’s development, implementation, and end-of-life — from planning, design, creation, QA, and deployment, through continued security testing, patch management, compliance, and verification, throughout the cybersecurity product’s entire lifecycle.

The International Electrotechnical Commission (IEC) created globally-recognized industry standards via IEC 62443-4-1 to ensure that cybersecurity software products are secure by design for use in industrial automation and control systems (ICS and IACS) operational environments. The IEC standard refers to secure development life-cycle (SDL) requirements because it covers not only software but also hardware and firmware. These strict requirements apply to those who develop and maintain ICS and IACS cybersecurity products, not to end users.

Industrial OT security platforms are certified and awarded the IEC 62443 certification via an independent third-party auditor. The auditing company verifies that we adhere to the IEC’s rigorous, secure-by-design requirements at every stage of our OT security platform’s SSDLC / SDL. This means that our customers with ICS and IACS operational environments can be assured that OTORIO’s cybersecurity products are secure by design because they are not released with vulnerabilities and defects and our customers can rely on them.

Why is secure by design technology so important?

Over the last few years, criminal hackers, Advanced Persistent Threat (APT) actors, and nation-states have focused on targeting critical infrastructure operators and industrial manufacturers. Their modus operandi is finding security gaps and vulnerabilities in OT, IT, and IIoT environments, and then exploiting them. Following their security breaches, such actors introduce malware, cause operational downtime, demand ransomware payments, and much more.

Reacting only after a security breach has already occurred is too late, the same way airbags deploy only after a car accident happens; they don’t prevent it. OTORIO’s approach is therefore to empower clients with our secure by design OT security platform so they can proactively mitigate risks that make their operational environments vulnerable. This helps an organization strengthen its security posture and reduce the likelihood of APT attacks. Maintaining a proactive approach is like new cars with automatic braking system technology designed to help prevent accidents. Auto manufacturers put these braking systems in vehicles to improve passengers' security via the technology’s design.

Key security principles

OTORIO utilizes a host of key security principles in our secure by design framework based on the OWASP Development Guide. Here are a few of them:

  1. Minimize the attack surface
    Every feature that is added to an application adds a certain amount of risk to the overall application. The goal of secure development is to reduce overall risk by reducing the attack surface area.

  2. Principle of least privilege
    The principle of least privilege recommends that accounts have the least amount of privilege required to perform their business processes.

  3. Adopt a secure coding standard
    Develop and/or apply a secure coding standard for the target development language and platform.

  4. Model threats
    Use threat modeling to anticipate the threats to which the software will be subjected.

Protect Everything You Operate with OTORIO

OTORIO’s OT cyber security platform meets the IEC’s rigorous secure by design cybersecurity standards for ICS and IACS operational environments. This ensures that our critical infrastructure and industrial manufacturing clients benefit from our adherence to these stringent requirements when they utilize our industrial-native OT security platform.

OTORIO agrees with CISA Director Easterly that, when it comes to industrial cybersecurity, “we need to fundamentally change the relationship between government and industry.” That is why OTORIO adopted the IEC’s 62443 secure by design standards in all of our OT industrial cybersecurity products. It is an excellent example of how our private company helps support the OT security needs of governments, companies, and communities whose needs are served by our solutions.

Contact OTORIO to speak with our OT security professionals and discover how our cybersecurity platform empowers you to protect everything you operate.

11 Jan 2022 A House of Cards: The OT Digital Supply Chain is Exposed more...
02 Mar 2021 OTORIO’s Pen-Testers discovered more than 20 vulnerabilities in a popular Industrial Remote Access Solution more...
10 Feb 2021 Florida’s Water Poisoned by Hackers: A Warning Signal more...