What is the purpose of the CISA “Secure by Demand” guide?
The CISA Secure by Demand guide helps you improve cybersecurity when purchasing industrial and Operational Technology (OT) products.
It encourages you to shift part of the responsibility for security to manufacturers by selecting vendors who build protection into their products from the start. Instead of securing systems after deployment, you choose products designed to be secure by default.
By following the guide, you:
Reduce design-level security risk
Avoid costly retrofitting
Build a stronger security baseline
Why are OT products frequently targeted by cyberattacks?
Attackers usually exploit weaknesses in products rather than targeting organizations directly.
Many OT systems were built without modern security practices. Once attackers discover a vulnerability, they can reuse it across all environments using the same product.
Common weaknesses include default passwords, outdated protocols, missing logging, insecure configurations, and unpatched flaws.
What does “Secure by Default” mean?
Secure by Default means systems are protected from the moment they are installed.
Manufacturers should ship products without default passwords, with insecure services disabled, and with secure communication protocols enabled automatically. Security features should not be paid add-ons.
This is especially important in OT environments where systems remain in place for decades and uptime is critical.
What does CISA expect for authentication in OT systems?
CISA expects access to critical systems to be tightly controlled.
Manufacturers should support:
These measures limit who can access systems and prevent unauthorized changes.
What does proper vulnerability management look like?
OT systems often last for decades, so manufacturers must demonstrate long-term commitment to security.
You should expect vendors to provide:
A Software Bill of Materials (SBOM)
Public vulnerability disclosure and CVE publication
Security advisories in readable formats
A security.txt file for reporting issues
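As an added illustration (not part of the CISA guide), the following Python script shows how a buyer could check one of these deliverables before purchase: it parses a vendor's security.txt and reports whether it meets the basic RFC 9116 rules (required Contact and Expires fields, URI-form contacts, an expiry that is neither past nor more than a year out). The vendor name, file contents and the fixed reference time are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time so the check is reproducible (not the current clock).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed samples of what a vendor might publish at /.well-known/security.txt
GOOD_SECURITY_TXT = """# Vendor security contact (constructed sample)
Contact: mailto:security@vendor.example
Expires: 2025-06-30T00:00:00Z
Canonical: https://vendor.example/.well-known/security.txt
"""
BAD_SECURITY_TXT = """Contact: http://vendor.example/report
Policy: https://vendor.example/disclosure
"""

REQUIRED = {"contact", "expires"}            # RFC 9116: both must be present
SINGLE = {"expires", "preferred-languages"}  # RFC 9116: at most once each

def parse_security_txt(text):
    """Map lower-cased field names to their values; comments and blanks are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=NOW):
    """Return a list of findings; an empty list means the basic RFC 9116 rules hold."""
    fields = parse_security_txt(text)
    findings = [f"missing required field: {n}" for n in sorted(REQUIRED - fields.keys())]
    findings += [f"field must appear at most once: {n}" for n in sorted(SINGLE)
                 if len(fields.get(n, [])) > 1]
    for value in fields.get("contact", []):
        # Contact values must be URIs; plain http:// is not an acceptable scheme.
        if not value.startswith(("mailto:", "tel:", "https://")):
            findings.append(f"contact is not a mailto/tel/https URI: {value}")
    for value in fields.get("expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"expires is not an ISO 8601 date-time: {value}")
            continue
        if expires <= now:
            findings.append(f"security.txt expired on {value}")
        elif expires - now > timedelta(days=365):
            findings.append("expires is more than a year out (RFC 9116 recommends less)")
    return findings

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, check_security_txt(sample) or "no findings")
```

The same check can be run against a file fetched from the vendor's site; an expired or missing security.txt is a useful early signal about how seriously the vendor takes vulnerability reporting.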
How does Secure by Demand change your relationship with manufacturers?
It makes cybersecurity a purchase criterion rather than a technical afterthought.
When buyers demand secure products, manufacturers improve design practices and retire unsafe defaults.
Over time, this creates more resilient OT environments and safer supply chains.