By Meidan Zemer, Kfir Tzukrel, and Michael Benis
In a recent interview at CES 2023, U.S. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly highlighted how crucial it is for technology companies to create products that are secure by design, rather than responding to security issues after products are brought to market. This is particularly critical for operational technology (OT) security platforms because critical infrastructure and industrial manufacturing companies rely on them to assess and identify risks, mitigate vulnerabilities, and safeguard operational environments against cyber attacks.
“We've essentially accepted as normal that technology is released to market with dozens or hundreds or thousands of vulnerabilities and defects and flaws,” Director Easterly lamented. It is simply unacceptable, she warned, that “critical infrastructure that we rely upon is all underpinned by a technology ecosystem that unfortunately has become really unsafe.”
OTORIO agrees. Our industrial-native OT security platform is certified as secure by design from the outset because our customers must protect everything they operate.
Secure by design in OT security means that industrial OT security platforms like OTORIO’s RAM2 must be free of security gaps and vulnerabilities at every stage of their Secure Software Development Life Cycle (SSDLC) product design. This ensures that end users of OTORIO’s OT cybersecurity platform, like critical infrastructure and industrial manufacturing organizations, can rely on the product being free of security gaps and vulnerabilities at every stage of the product’s development, implementation, and end-of-life — from planning, design, creation, QA, and deployment, through continued security testing, patch management, compliance, and verification, throughout the cybersecurity product’s entire lifecycle.
The International Electrotechnical Commission (IEC) created globally-recognized industry standards via IEC 62443-4-1 to ensure that cybersecurity software products are secure by design for use in industrial automation and control systems (ICS and IACS) operational environments. The IEC standard refers to secure development life-cycle (SDL) requirements because it covers not only software but also hardware and firmware. These strict requirements apply to those who develop and maintain ICS and IACS cybersecurity products, not to end users.
Industrial OT security platforms are certified and awarded the IEC 62443 certification via an independent third-party auditor. The auditing company verifies that we adhere to the IEC’s rigorous, secure-by-design requirements at every stage of our OT security platform’s SSDLC / SDL. This means that our customers with ICS and IACS operational environments can be assured that OTORIO’s cybersecurity products are secure by design because they are not released with vulnerabilities and defects and our customers can rely on them.
Over the last few years, criminal hackers, Advanced Persistent Threat (APT) actors, and nation-states have focused on targeting critical infrastructure operators and industrial manufacturers. Their modus operandi is finding security gaps and vulnerabilities in OT, IT, and IIoT environments, and then exploiting them. Following their security breaches, such actors introduce malware, cause operational downtime, demand ransomware payments, and much more.
Reacting only after a security breach has already occurred is too late, the same way airbags deploy only after a car accident happens; they don’t prevent it. OTORIO’s approach is therefore to empower clients with our secure by design OT security platform so they can proactively mitigate risks that make their operational environments vulnerable. This helps an organization strengthen its security posture and reduce the likelihood of APT attacks. Maintaining a proactive approach is like new cars with automatic braking system technology designed to help prevent accidents. Auto manufacturers put these braking systems in vehicles to improve passengers' security via the technology’s design.
OTORIO utilizes a host of key security principles in our secure by design framework based on the OWASP Development Guide. Here are a few of them:
OTORIO’s OT security platform meets the IEC’s rigorous secure by design cybersecurity standards for ICS and IACS operational environments. This ensures that our critical infrastructure and industrial manufacturing clients benefit from our adherence to these stringent requirements when they utilize our industrial-native OT security platform.
OTORIO agrees with CISA Director Easterly that, when it comes to industrial cybersecurity, “we need to fundamentally change the relationship between government and industry.” That is why OTORIO adopted the IEC’s 62443 secure by design standards in all of our OT industrial cybersecurity products. It is an excellent example of how our private company helps support the OT security needs of governments, companies, and communities whose needs are served by our solutions.
Contact OTORIO to speak with our OT security professionals and discover how our cybersecurity platform empowers you to protect everything you operate.