Secure by 3Ds (Demand | Design | Default)

✅ The trifecta reshaping the IT & OT cybersecurity industry! Discover what these mean, why they matter, and how they protect critical infrastructure. 🚀 [Securing Things by M. Yousuf Faisal]

Industry Overview - Relationships between Secure by Demand vs. Design vs. Default

The relationship can be explained as:

  • Secure By Demand = initiates the need for security measures based on external pressures or threats.

  • Secure By Design = builds a robust foundation that addresses these demands through integrated security practices throughout the system / product development lifecycle.

  • Secure By Default = ensures that once a product is designed securely, it is delivered with those protections enabled automatically.

Security is a collective responsibility involving various stakeholders, each with distinct roles and responsibilities. These stakeholders interact at multiple points, as illustrated in the simplified representation of key participants below on the left.

There’s plenty of regulatory and industry guidance available to asset owners on the trifecta of Secure by Demand, Design and Default. It can be leveraged for both IT and OT security as a cybersecurity requirements specification, in order to achieve the differing cybersecurity priorities of each, as shown on the right.

While IT security practices across organisations have matured over the years, OT security practices have gained industry-wide attention only in the last couple of years, and there is much more work to be done for many manufacturers.

The 3D Trifecta by M. Yousuf Faisal

The Trifecta guidelines and industry regulations are here to support asset owners in their journey to demand secure products and ensure safe and cyber-resilient IT and OT operations.

Secure by Demand - Simplified

Highlights the importance of customers demanding strong security features from technology providers or manufacturers. By prioritizing security in procurement, organizations can influence manufacturers to adopt Secure by Design and Secure by Default practices. This approach ensures products and services meet specific security requirements, particularly crucial for Operational Technology (OT) environments. It extends Secure by Design principles to procurement, emphasizing security as a key requirement in selecting products or services.

Key features:

  • Encourages organizations to demand security features from vendors.

  • Supports a culture where security is considered in purchasing decisions.

  • Aligns procurement strategies with security best practices.

OT owners and operators, at the procurement stage, should select products from manufacturers who prioritize the security elements below. Here is a list, in my own order, of considerations for OT product selection:

  • Open Standards

  • Ownership

  • Threat Modelling

  • Protection of Data

  • Vulnerability Management

  • Upgrade and Patch Tooling

  • Secure by Default

  • Secure Controls

  • Strong Authentication

  • Secure Communications

  • Configuration Management

  • Logging in the Baseline Product

  • Resources

Secure by Design - Simplified

This approach integrates security throughout the entire development lifecycle, proactively identifying and mitigating vulnerabilities from the design phase. By embedding security from the outset, products become more resilient. The Cybersecurity and Infrastructure Security Agency (CISA) and international partners advocate for prioritizing security during the system or software development lifecycle, using practices like threat modelling and secure coding standards.

Key features:

  • Security is a fundamental aspect of design.

  • Involves continuous assessment throughout the software development lifecycle (SDLC).

  • Requires investment in secure development practices.

Secure by Default - Simplified

This concept ensures products are securely configured out of the box with default settings that prioritize security, minimizing user or operator intervention and reducing misconfiguration risks. Practices include eliminating default passwords and enforcing multi-factor authentication, providing protection against common threats.

Key factors:

  • Automatic activation of essential security controls (e.g., multi-factor authentication).

  • Eliminates default passwords and ensures secure configurations out of the box.

  • Focuses on reducing user error by simplifying security measures.
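The product-selection considerations above (Strong Authentication, Secure Communications, Logging in the Baseline Product, Upgrade and Patch Tooling, Secure by Default) and the Secure by Default key factors can be turned into a concrete acceptance check that an asset owner runs against the configuration a product actually ships with. The following is an added example, not code from the newsletter or from any vendor: the INI-style configuration format, the section and key names, and both sample configurations are constructed for illustration and would need to be mapped onto a real product's settings. It contrasts an insecure set of factory defaults with a secure-by-default set and reports every deviation together with the reason it matters.

```python
"""Secure-by-default baseline check over a product's shipped configuration.

Added example (not from the newsletter). The configuration format, section
names, keys and both sample configurations are hypothetical and constructed
for illustration; map them to a real product's settings before use.
"""
import configparser
from dataclasses import dataclass

# Constructed sample: a product shipped with insecure factory defaults.
INSECURE_DEFAULTS = """
[auth]
initial_credential = shared_default
admin_password = admin
mfa_enabled = no

[services]
telnet_enabled = yes
http_enabled = yes
https_enabled = yes

[logging]
audit_log_enabled = no

[updates]
signed_updates_only = no
"""

# Constructed sample: the same product with secure-by-default settings.
# No fixed admin password is shipped; the credential is unique per device.
SECURE_DEFAULTS = """
[auth]
initial_credential = per_device_unique
mfa_enabled = yes

[services]
telnet_enabled = no
http_enabled = no
https_enabled = yes

[logging]
audit_log_enabled = yes

[updates]
signed_updates_only = yes
"""

# Small constructed set of well-known factory passwords for the check.
KNOWN_DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "default"}
TRUE_VALUES = {"yes", "true", "on", "1"}
MISSING = "<missing>"


@dataclass(frozen=True)
class Finding:
    section: str
    key: str
    observed: str
    expected: str
    rationale: str


def _as_bool(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def check_secure_by_default(config_text: str) -> list[Finding]:
    """Return one Finding per setting that violates the secure-by-default baseline."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    findings: list[Finding] = []

    def expect(section, key, expected, rationale, ok):
        # A missing section or key yields MISSING so absent settings are judged too.
        observed = cfg.get(section, key, fallback=MISSING)
        if not ok(observed):
            findings.append(Finding(section, key, observed, expected, rationale))

    def must_be_on(v):   # explicitly enabled; an absent key does not count
        return v != MISSING and _as_bool(v)

    def must_be_off(v):  # explicitly disabled; an absent key does not count
        return v != MISSING and not _as_bool(v)

    expect("auth", "initial_credential", "per_device_unique",
           "a credential shared by every unit is a default password in disguise",
           lambda v: v == "per_device_unique")
    expect("auth", "admin_password", "no well-known default password shipped",
           "well-known default passwords are trivially guessable",
           lambda v: v == MISSING or v.strip().lower() not in KNOWN_DEFAULT_PASSWORDS)
    expect("auth", "mfa_enabled", "yes",
           "multi-factor authentication must be on without operator action", must_be_on)
    expect("services", "telnet_enabled", "no",
           "telnet exposes credentials in cleartext", must_be_off)
    expect("services", "http_enabled", "no",
           "management should only be reachable over TLS", must_be_off)
    expect("services", "https_enabled", "yes",
           "TLS-protected management must be available out of the box", must_be_on)
    expect("logging", "audit_log_enabled", "yes",
           "security-relevant events must be logged in the baseline product", must_be_on)
    expect("updates", "signed_updates_only", "yes",
           "unsigned updates allow tampered firmware to be installed", must_be_on)
    return findings


def summarize(findings: list[Finding]) -> str:
    """Render findings as a short procurement-review report."""
    if not findings:
        return "PASS: configuration meets the secure-by-default baseline"
    lines = [f"FAIL: {len(findings)} deviation(s) from the secure-by-default baseline"]
    for f in findings:
        lines.append(f"  [{f.section}] {f.key} = {f.observed!r}; expected {f.expected} ({f.rationale})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(check_secure_by_default(INSECURE_DEFAULTS)))
    print(summarize(check_secure_by_default(SECURE_DEFAULTS)))
```

Both "must be on" and "must be off" checks treat an absent setting as a failure, so a vendor cannot pass the review simply by leaving a control unspecified; the secure configuration passes only because every control is stated explicitly.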

Conclusion

Guidance for Critical Infrastructure Organizations and Asset Owners:

  1. Define an IT & OT Cybersecurity Requirements Specification: Clearly articulate security requirements during the procurement process to ensure products meet organizational security standards.

  2. Stay Informed on Industry Guidance & Regulatory Changes: Regularly monitor updates to cybersecurity regulations and industry guidance, and adjust the security requirements specification and security practices accordingly to maintain compliance and mitigate potential risks.

  3. Integrate Security into Procurement Processes: Incorporate the IT & OT Cybersecurity Requirements Specification into procurement criteria, ensuring that acquired products and services meet established security standards. Establish procurement policies that prioritize vendors who adhere to these security principles.

  4. Assess Vendor Security Posture & Practices: Ensure that vendors adhere to secure development practices and provide products that are secure by design and default. Prioritize vendors that demonstrate a commitment to Secure by Design and Secure by Default principles. This includes evaluating their development processes, security features, and response protocols.

  5. Adopt Secure by Design Principles: Ensure that all new systems internally developed are designed with security as a core component.

  6. Implement Secure by Default Settings: Configure all systems to be secure out of the box, minimizing user intervention.

  7. Implement Continuous Monitoring and Improvement: Establish processes for ongoing monitoring of IT & OT systems and networks, coupled with regular security assessments to identify and address emerging threats promptly.

By embracing these principles, organizations can significantly enhance their cybersecurity posture, mitigating risks associated with both IT and OT environments.

Related Resources:

Here are some interesting references to the guidance and other resources.

  • Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products by CISA, along with the U.S. National Security Agency (NSA), U.S. Federal Bureau of Investigation (FBI), U.S. Environmental Protection Agency (EPA), U.S. Transportation Security Administration (TSA), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), Directorate General for Communications Networks, Content and Technology (DG CONNECT) of the European Commission, Germany’s Federal Office for Information Security (BSI), Netherlands’ National Cyber Security Centre (NCSC-NL), New Zealand’s National Cyber Security Centre (NCSC-NZ) and the United Kingdom’s National Cyber Security Centre (NCSC-UK).

  • Secure-by-Design: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software

  • Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem by CISA.

  • Unsafe At Any Speed: CISA's Plan to Foster Tech Ecosystem Security by CISA.

  • Security By Design Decision by Sarah Fluchs, which breaks it down for us with lots of ideas for OT security by design.

Ways in which I can help

Whenever you are ready - I can help you / your organization / your customers with:

A - IT & OT Cybersecurity Advisory / Consulting services - for securing your organisation’s or client’s digital transformation journey.

B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a security awareness program.

C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.

D - Securing Things Newsletter - Get your brand (personal / business) in front of a global audience by sponsoring this newsletter. Or simply subscribe to get smarter at Securing Things.

Reach out at info[at]securingthings[dot]com or DM me via LinkedIn.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

Also, if you find this or previous newsletter edition(s) useful and know other people who would too, I'd really appreciate it if you'd forward it to them. Thanks a ton.

Thanks for reading - until the next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

Follow Securing Things on LinkedIn | X/Twitter & YouTube.

Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.
