Session
[Launchpad] Securing OT/ICS: Implementing CISA’s Secure by Demand Principles
This session explores CISA’s Secure by Demand guidance, highlighting 12 critical security elements that should seamlessly integrate into OT/ICS products for a defense-in-depth strategy, mitigating vulnerabilities and prioritizing Secure by Design principles.
The 12 Critical Security Elements:
1. Configuration Management: Securely track modifications to configurations and logic.
2. Logging in the Baseline Product: Standardized logs for security and incident response.
3. Open Standards: Interoperable standards ensure secure functionality and flexibility.
4. Ownership: Operator autonomy over maintenance and updates.
5. Protection of Data: Integrity and confidentiality of operational data at all times.
6. Secure by Default: Security features enabled out of the box to reduce attack surfaces.
7. Secure Communications: Authenticated encrypted communication with simplified certificate management.
8. Secure Controls: Resilience against malicious commands, ensuring system availability.
9. Strong Authentication: Phishing-resistant multifactor authentication; no shared role-based passwords.
10. Threat Modeling: Up-to-date threat model detailing security risks and mitigation.
11. Vulnerability Management: Rigorous testing and timely remediation of vulnerabilities.
12. Upgrade and Patch Tooling: Owner-controlled security updates with a streamlined process.
Attendees gain actionable insights for protecting OT/ICS environments against evolving threats. By embedding security into design and procurement, organizations foster a resilient industrial cybersecurity ecosystem that proactively defends against cyber risks.
This session will explore strategic approaches for integrating Secure by Demand principles and fortifying OT/ICS defenses.
Ahmik Hindman
Sr. Network & Security Solution Consultant
Seattle, Washington, United States