Secure by Demand Document Accredited by 11 Top Security Agencies from Around the World

01/24/2025

As a contributor to this document, the OPC Foundation is proud to announce the completion of “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products”.

Download the document here: https://opcfoundation.org/wp-content/uploads/2025/01/joint-guide-secure-by-demand-priority-considerations-for-ot-owners-and-operators-508c_0.pdf


Scottsdale, AZ – January 23rd, 2025 – Cyber threat actors are commonly targeting specific OT products rather than specific organizations. In an effort to help industry exercise vigilance and best practices, the Cybersecurity and Infrastructure Security Agency (CISA), a division of the United States Department of Homeland Security, in cooperation with global contributors, has created this document, which outlines how several OT products are neither designed nor developed with secure by design principles. This means that these hardware and software components commonly have weaknesses when it comes to authentication, software vulnerabilities, limited logging, as well as insecure default settings and passwords.

With 11 internationally recognized security agencies accrediting this document, including affixing their official seals thereupon, it stands to reason that this is sound advice for the operational technology (OT) community and the suppliers that service this industry. These agencies include:

  • U.S. Cybersecurity and Infrastructure Security Agency (CISA)
  • Germany’s Federal Office for Information Security (BSI)
  • Netherlands’ National Cyber Security Centre (NCSC-NL)
  • New Zealand’s National Cyber Security Centre (NCSC-NZ)
  • United Kingdom’s National Cyber Security Centre (NCSC-UK)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • U.S. Federal Bureau of Investigation (FBI)
  • U.S. National Security Agency (NSA)
  • U.S. Environmental Protection Agency (EPA)
  • Canadian Centre for Cyber Security (CCCS)
  • Directorate General for Communications Networks, Content and Technology (DG CONNECT), European Commission

Michael Clark, Director OPC Foundation North America, one of the contributing authors, says, “This document has been several months in the making and now, with its timely release, we see well-articulated guidance directed toward OT owners and operators”. Clark continues, “By following the principles and best practices outlined therein, OT owners and operators are effectively securing critical infrastructure, thus, making it more difficult for threat actors to be successful in their disruptive behaviors.”

Describing the motivation behind this document, Dr. Matthew Rogers, ICS Expert at the Cybersecurity and Infrastructure Security Agency (CISA), explained, “The risk of a threat actor accessing the OT network is increasing due to business drivers for interconnectivity and the compromise of edge devices that enable segmentation. This Secure by Demand guidance for OT is the product of asset owners, governments, industrial automation and control system vendors, and industry groups, like the OPC Foundation, all collaborating toward a more flexible and resilient implementation with their unique viewpoints and subject matter expertise, creating an implementation that has a better chance of escaping the label of “legacy” in a few years’ time.” Dr. Rogers further emphasizes, “Asset owners should take this guidance to their vendors and procurement officials as they consider procuring new OT equipment.”

“This document outlines a checklist of capabilities that align with the vision of the OPC UA standard. These capabilities give asset owners specific requirements to give to their prospective vendors, thus, ensuring that owner/operators can secure their factories from modern cyber security threats,” asserts Randy Armstrong, Chairman of the Security Working Group of the OPC Foundation. Mr. Armstrong emphasizes, “This document further serves as a valuable tool that allows asset owners to change the conversation with their vendors about what their needs will be when it comes to secure by design principles.”

About the OPC Foundation
Since 1996, the OPC Foundation has facilitated the development and adoption of the OPC information exchange standards. As both advocate and custodian of these specifications, the Foundation’s mission is to help industry vendors, end-users, and software developers maintain interoperability in their manufacturing and automation assets. The OPC Foundation is dedicated to providing the best specifications, technology, process and certification to achieve multivendor, multiplatform, secure, reliable interoperability for moving data and information from the embedded world to the enterprise cloud. The Foundation serves over 1010 members worldwide in the Industrial Automation, IT, IoT, IIoT, M2M, Industrie 4.0, Building Automation, machine tools, pharmaceutical, petrochemical, and Smart Energy sectors.

For more information about the OPC Foundation, please visit www.opcfoundation.org.

For more information, contact:

Stefan Hoppe
OPC Foundation
Stefan.Hoppe@opcfoundation.org