(CS)²AI Online™ Seminar: Applying

In April 2023, CISA and 17 U.S. and international partners issued a joint publication on "Secure-by-Design" principles and guidance, kicking off a campaign urging software manufacturers to take urgent steps necessary to ship products that are secure by design and revamp their design and development programs to permit only secure by design products to be shipped to customers. The importance of building security into industrial control system (ICS) products has been recognized by the OT security community for many years and has been incorporated into standards such as ISA/IEC 62443-4-1 and 62443-4-2 as well as in the ISASecure certification program.

Furthermore, the OT security community has recognized that "Secure-by-Design" principles also need to be applied to the design and implementation of OT systems, which involve the complex integration of ICS-specific products and applications with IT infrastructure. Similar to ICS product security, OT system security requirements have been incorporated into standards such as ISA/IEC 62443-3-3 and 62443-2-4 as well as in the ISASecure certification program.

This presentation will discuss the challenges of designing cybersecurity into new (i.e., greenfield) OT systems and how "Security by Design" principles can and should be applied by the organizations that design and integrate these systems. The presentation will also discuss the importance of understanding the security capabilities of the products being integrated into OT systems. proper design documentation, design reviews, risk assessments, cyber acceptance testing (e.g., Cyber FAT and SAT), as well as the integration of technology to monitor, maintain, and manage security during operations.