What is CISA’s “Secure by Demand” guidance for OT products?
CISA’s Secure by Demand is a procurement guide that helps OT owners and operators make cybersecurity a core part of how they evaluate and buy products.
It starts from two observations: many OT products are not designed with security in mind, and because the same product is deployed at many sites, attackers reuse the same product weaknesses against multiple organizations.
The guide provides clear, actionable recommendations for evaluating and selecting OT products that:
Are built securely from the start (secure by design).
Are configured securely by default, reducing setup risks.
Support logging, monitoring, and configuration management as standard features.
Give operators control and visibility over their systems without depending on the manufacturer.
In short, Secure by Demand helps you buy smarter, deploy safer, and operate with confidence.
Why is configuration management critical when selecting OT products?
Strong configuration management lets you detect unauthorized changes to settings and control logic, leaves threat actors nowhere to hide a persistent foothold, and lets you recover faster from incidents.
When evaluating OT products, prioritize those that:
Securely back up and restore configurations and engineering logic.
Require authenticated, auditable configuration changes.
Offer documented interfaces for creating and restoring backups.
These capabilities make it easier to spot tampering and to restore operations quickly after a cyber incident, reducing downtime and protecting critical services.
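The check that a backup-and-restore capability makes possible, as an added example that is not part of the CISA guide or any vendor's tooling: take a configuration export, canonicalize and hash it as a baseline, and on every later export diff against the baseline and reconcile each change with an approved change record. The device name, the flat key/value export format and the change log are all constructed for illustration.

```python
"""Baseline-and-diff tamper check for OT device configuration exports (added example)."""
import hashlib
import json

# Constructed sample: a configuration export as a flat key/value mapping,
# of the kind an engineering tool or device CLI can produce.
BASELINE_EXPORT = {
    "device.name": "PLC-07",
    "firmware.version": "4.2.1",
    "net.telnet.enabled": "false",
    "net.ssh.enabled": "true",
    "logic.checksum": "9f3a17b2",   # checksum of the loaded control program
    "auth.admin.password_set": "true",
}

# Constructed later export from the same device.
CURRENT_EXPORT = {
    "device.name": "PLC-07",
    "firmware.version": "4.3.0",    # approved upgrade (see CHANGE_LOG)
    "net.telnet.enabled": "true",   # nobody approved this
    "net.ssh.enabled": "true",
    "logic.checksum": "c41e2b7d",   # control logic replaced, no record
    "auth.admin.password_set": "true",
}

# Constructed change records, as an authenticated change-management
# system would hold them: who changed what, and whether it was approved.
CHANGE_LOG = [
    {"key": "firmware.version", "new": "4.3.0", "user": "ot-eng-1", "approved": True},
]


def canonical_bytes(config):
    """Serialise deterministically so identical settings always hash identically."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def fingerprint(config):
    """SHA-256 of the canonical form; store this with the backup as the baseline."""
    return hashlib.sha256(canonical_bytes(config)).hexdigest()


def diff_config(baseline, current):
    """Return {key: (old, new)} for every added, removed or altered setting."""
    changes = {}
    for key in set(baseline) | set(current):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changes[key] = (old, new)
    return changes


def reconcile(changes, change_log):
    """Split changes into those backed by an approved, attributed record and the rest."""
    approved = {(r["key"], r["new"]) for r in change_log
                if r.get("approved") and r.get("user")}
    authorized, unauthorized = {}, {}
    for key, (old, new) in changes.items():
        (authorized if (key, new) in approved else unauthorized)[key] = (old, new)
    return authorized, unauthorized


def check_device(baseline, current, change_log):
    """Fast fingerprint comparison first, then a per-setting reconciliation."""
    if fingerprint(current) == fingerprint(baseline):
        return {"tampered": False, "authorized": {}, "unauthorized": {}}
    authorized, unauthorized = reconcile(diff_config(baseline, current), change_log)
    return {"tampered": bool(unauthorized),
            "authorized": authorized, "unauthorized": unauthorized}


if __name__ == "__main__":
    result = check_device(BASELINE_EXPORT, CURRENT_EXPORT, CHANGE_LOG)
    for key, (old, new) in result["unauthorized"].items():
        print(f"UNAUTHORIZED CHANGE {key}: {old!r} -> {new!r}")
    print("restore from trusted backup" if result["tampered"]
          else "configuration matches baseline")
```

The fingerprint alone tells you that something changed; the reconciliation against an authenticated change record is what distinguishes an approved firmware upgrade from a Telnet service someone quietly enabled. A product that only offers an undocumented, proprietary export makes even this simple check hard to automate.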
What logging capabilities should be included by default?
Logging is your primary means of detecting an intrusion and your best tool for investigating one.
Select products that include comprehensive security and safety logging in the baseline version — not as an optional feature.
They should use open, standard formats and log key events such as:
Successful and failed authentication attempts.
Configuration or firmware changes.
Deletion or modification of logs.
Without proper logging, attackers can act invisibly and responders lose vital evidence.
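What those baseline log events make possible, as an added example that is not part of the CISA guide or any vendor's product: a small detector that parses open-format (RFC 5424-style syslog with key=value bodies) lines and raises alerts for repeated authentication failures, a success following them, configuration or firmware changes, and log deletion. The log lines, event names, field names and thresholds are constructed for illustration; a real device will use its own schema.

```python
"""Detection over open-format OT device logs (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: RFC 5424-style syslog lines with key=value message bodies.
SAMPLE_LOG = """\
<85>1 2025-03-04T10:01:02Z plc-07 auth - - event=login_failed user=admin src=10.0.5.23
<85>1 2025-03-04T10:01:09Z plc-07 auth - - event=login_failed user=admin src=10.0.5.23
<85>1 2025-03-04T10:01:15Z plc-07 auth - - event=login_failed user=admin src=10.0.5.23
<85>1 2025-03-04T10:01:40Z plc-07 auth - - event=login_success user=admin src=10.0.5.23
<86>1 2025-03-04T10:02:10Z plc-07 cfg - - event=config_changed user=admin param=net.telnet.enabled old=false new=true
<86>1 2025-03-04T10:02:30Z plc-07 cfg - - event=firmware_changed user=admin old=4.2.1 new=4.3.0
<84>1 2025-03-04T10:03:00Z plc-07 log - - event=log_cleared user=admin
<86>1 2025-03-04T11:00:00Z plc-07 auth - - event=login_success user=ot-eng-1 src=10.0.5.40
"""

# PRI, version, timestamp, host, app, procid, msgid, then the free-form message.
LINE_RE = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ (?P<msg>.*)$")


def parse_line(line):
    """Parse one syslog line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
           "host": m["host"], "app": m["app"]}
    for kv in m["msg"].split():
        k, _, v = kv.partition("=")
        rec[k] = v
    return rec


def detect(lines, fail_threshold=3, window_seconds=60):
    """Return alerts, in log order, for the events a baseline OT log should expose."""
    alerts = []
    recent_failures = defaultdict(deque)   # (host, user, src) -> failure timestamps
    window = timedelta(seconds=window_seconds)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ev = rec.get("event")
        key = (rec["host"], rec.get("user"), rec.get("src"))
        base = {"host": rec["host"], "user": rec.get("user"), "ts": rec["ts"].isoformat()}
        if ev == "login_failed":
            q = recent_failures[key]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()                 # drop failures outside the window
            if len(q) == fail_threshold:    # alert once when the threshold is hit
                alerts.append({"severity": "medium", "rule": "repeated_auth_failure",
                               "src": rec.get("src"), **base})
        elif ev == "login_success":
            # A success right after a burst of failures is the classic guessing signature.
            if len(recent_failures[key]) >= fail_threshold:
                alerts.append({"severity": "high", "rule": "success_after_failures",
                               "src": rec.get("src"), **base})
            recent_failures[key].clear()
        elif ev in ("config_changed", "firmware_changed"):
            detail = {k: rec[k] for k in ("param", "old", "new") if k in rec}
            alerts.append({"severity": "medium", "rule": ev, "detail": detail, **base})
        elif ev in ("log_cleared", "log_modified"):
            # Log tampering is always worth a page, whoever did it.
            alerts.append({"severity": "critical", "rule": "log_tampering", **base})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["severity"].upper(), a["rule"], a.get("detail", ""))
```

Every rule here depends on an event the product has to emit in its baseline version: if authentication failures, configuration changes or log clearing are not logged, or only logged in a proprietary blob, none of this can run, which is exactly why the guide asks for them by default.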
Why do open standards matter for OT product security?
Open standards ensure interoperability and transparency, giving you flexibility to adapt as technology evolves.
They allow you to:
Adopt newer versions of standard security protocols (for example a newer TLS version) with standard tooling, rather than waiting on a vendor-specific stack.
Move between vendors without system redesign.
Avoid vendor lock-in and unsupported proprietary systems.
Open standards make your architecture more adaptable and resilient, reducing long-term operational and cybersecurity risks.
What does “Ownership” mean in the context of OT product security?
Ownership means you — not the manufacturer — have full control over your system.
That includes the ability to maintain, secure, and recover it independently.
Choose products and vendors that:
Empower operator autonomy and minimize vendor dependence.
Clearly define roles and responsibilities in product support.
Allow you to add your own security tools, such as monitoring or firewalls.
Avoid restricting data access or charging extra for built-in security.
When you truly own your systems, you control your risk.
What makes a product “Secure by Default”?
A Secure-by-Default product is ready to deploy safely the moment you turn it on — reducing the risk of misconfiguration and attack.
Such products should:
Ship without default passwords in firmware or user accounts, requiring a unique credential to be set at first use.
Enable secure, modern protocols (e.g., SSH) out of the box.
Disable insecure legacy protocols by default (e.g., Telnet, SSL, TLS 1.0/1.1).
Include all security features in every version and tier, not as paid add-ons.
Provide a secure reset option to restore trusted settings.
Secure-by-Default products limit the damage from human error and long patch cycles, a vital advantage in long-lived OT environments.