IT & OT Cybersecurity Requirements Specifications — Do’s & Don’ts

[ST # 64] ✅ Deadly Sins (Common Mistakes) & Quick Wins (recommended fixes) for Cybersecurity requirements specification for Industrial environments 🚨- You Can’t Afford to Ignore! Plus🚨Announcement on OT Cybersecurity Procurement Process & Practices Series - an ultimate guide for IT-OT Tech, Cybersecurity & Procurement Professionals. [Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.

Author or the newsletter are not liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and or situation.

M. Yousuf Faisal

Hi there,

Hope you are doing well.

In this edition, I’ll be sharing some:

  • ✍️Common Don’ts (SINs) & Do’s (WINS) on cybersecurity requirements specification.

  • 📘Announcement on upcoming multi-part series - an Ultimate guide to OT Cybersecurity Procurement Process and Practices (OTCS PPP) with Alana Murray & call for expert contributions.

  • 📲Updates - Upcoming OT virtual conferences, where I am delivering a mini course.

But before we begin, do me a favour and make sure you “Subscribe” to let me know that you care and keep me motivated to publish more. Thanks!

Ready? let’s dig in.

Yours truly.

— Yousuf.

Together with (Sponsor):

Streamline IT management with "The World at Work 2024: Deel IT"

Discover how you can transform your IT operations, enhancing operational efficiency & compliance across borders. Our guide has essential strategies for managing a global workforce.

🚨Procurement Alert: IT & OT Cybersecurity Requirements Don’ts & Do’s! — You Can’t Afford to Ignore! 🚨

Buying industrial tech without solid cybersecurity specs?

That’s like handing over the keys to your plant! 🔑💥

I have reviewed or looked at a number of IT and OT environments in critical infrastructure sectors (e.g. power / utilities and, in particular, manufacturing). Across them there is a common set of issues, mistakes and errors in how a typical manufacturing organisation, big or small, specifies its IT and OT / ICS cybersecurity requirements. In no particular order:

DON’TS (SINS):

  • Skip embedding clear cybersecurity requirements in RFPs — ambiguity = risk

  • Assume IT security practices fit OT purchases — OT needs tailored controls!

  • Overlook vendor’s secure development & patch management practices

  • Accept products without strong authentication, logging, and secure defaults

  • Ignore supply chain security and origin of components — know your vendor’s risk!

  • Forget to require secure remote access and encrypted communications

  • Neglect continuous vulnerability management and incident notification clauses

  • Fail to plan for lifecycle security — procurement isn’t a one-time deal!

So how do we address these issues?

While it is not the intent of this article to go into detail on how to fix each of these problems, here’s what you should be doing instead.

How to get procurement RIGHT for critical infrastructure & manufacturing:

DO’s (WINS):

  • Base specs on well-known and proven frameworks and certifications (e.g. ISASecure, ISA/IEC 62443, etc.) and relevant industry standards for OT security

  • Require vendors to demonstrate secure design, development, and patching processes

  • Demand detailed cybersecurity requirements: access control, logging, threat modelling

  • Insist on secure default configurations and strong authentication mechanisms

  • Include clauses for timely vulnerability disclosure and patch deployment

  • Ensure supply chain transparency and secure hardware/software delivery

  • Specify secure remote access methods and encrypted communications

  • Plan for ongoing cybersecurity validation throughout the asset lifecycle

  • Collaborate cross-functionally: procurement, IT, OT & cybersecurity teams must align!

Your procurement process is the first line of defense for your OT environment — make it bulletproof! 🛡️

Together with (sponsor)

Start learning AI in 2025

Keeping up with AI is hard – we get it!

That’s why over 1M professionals read Superhuman AI to stay ahead.

  • Get daily AI news, tools, and tutorials

  • Learn new AI skills you can use at work in 3 mins a day

  • Become 10X more productive

Announcement

Are you ready to master "OT Cybersecurity Procurement Process & Practices" and safeguard your critical infrastructure in the era of Industry 3.0 and Industry 4.0?

🚨Attention: IT-OT Tech, Cybersecurity, & Industrial Procurement Professionals! 🚨

🔐 Introducing an exclusive Multi-Part Series on "OT Cybersecurity Procurement Process & Practices (OTCS PPP) - ultimate guide" - for procuring / buying industrial solutions / services that protect industrial operations across water/wastewater utilities, manufacturing plants, and beyond.

🔥 What we’ll cover and what you’ll learn in this series:

  • Part 1 - Foundations & international best practices for OT cybersecurity procurement  

  • Part 2 - Tailored strategies for the Water & Wastewater Utility sector  

  • Part 3 - Procurement insights for the Manufacturing industry  

  • Part 4 - Industry 4.0 supply chain security dos & don’ts every buyer must know

  • Part X - other industry sectors. See the call for contributions from experts in specific sectors.

What else would you like us to add? Let us know in the comments below.

Whether you’re a cybersecurity expert or a procurement pro in industrial sectors, this series will equip you with the knowledge to make smarter, safer buying decisions.

💡 Don’t miss out on securing your OT environment against rising cyber threats - follow us and stay tuned for Part 1 dropping soon!

I am extremely excited and glad to be partnering on this series with a field expert, Ms. Alana Murray, an OT expert, alongside my own learnings and experience from manufacturing and other critical infrastructure sectors.

Alana Murray is an industrial controls expert with 35+ years of experience in critical infrastructure sectors, including water/wastewater utilities. She writes on operational technology security and just about everything else in the industrial control system industry.

For anyone in cybersecurity involved in establishing these processes and practices - this is going to be an exciting MUST READ!

ONLY on Securing Things newsletter - coming this June-July 2025.

Call out for expert insights:

Also, if you are an expert in the Power, Transportation (Airport and Railway) or Oil & Gas sectors and want to contribute to this series, ✍ send me a DM 📥 / drop a comment 👇 for guest posts, with attribution and a shout out! 📢

♻️ Share this if you know someone in your professional circle who will benefit from this guidance or is interested in learning.

Thanks 🌟

Upcoming Virtual Conference

  • My thoughts, along with those of leading experts Mike & Tim, were published - here.

  • It was great to participate and present “Securing the Digital Factory: Lessons from the Field on Security Challenges from Industry 3.0 to 4.0 and Beyond” in the Industrial Cyber Days for Manufacturing conference series for both US (13th May) and EMEA (21st May). The last stop is APAC on 3rd June; be sure to register → APAC.

The upcoming session for APAC serves as a mini-course introduction to the Securing Things IT-OT CySEAT (Cyber Security Education and Transformation) program, providing insights into securing digital factories.

This session explores the challenges of securing manufacturing operations during the transition from Industry 3.0 to Industry 4.0. Drawing from experiences across three different manufacturers, the discussion highlights the limitations of traditional security approaches and their applicability in modern manufacturing environments that incorporate UNS and IIoT-based architectures.

Key Learning Objectives:

  • Understanding Industry 4.0, the manufacturing lifecycle, automation stack, and digital transformation.

  • Exploring secure UNS-based architecture and the lack of industry-specific security guidance.

  • Developing a strategic approach for securing the digital factory.

If you haven’t checked it out yet - do join the IT-OT CySEAT waiting list before the launch discount closes.

My Recent Most Viewed Social Posts

In case you’ve missed them - here are some of my recent most viewed social posts.

Ways in which I can help?

Whenever you are ready - I can help you with:

A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and/or its digital transformation journey.

B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a security awareness program through our subscription-based service.

C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.

Visit the newsletter website for links to the above services, or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.

D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.

Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

Also, if you find this or previous newsletter edition(s) useful and know other people who would too, I'd really appreciate if you'd forward it to them. Thanks a ton.

Thanks for reading - until the next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

Follow Securing Things on LinkedIn | X/Twitter & YouTube.


Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.
