Enhancing OT cybersecurity with secure-by-design
Operational technology (OT) systems play a key part in managing essential services such as energy, water, and transportation, and they face increasing threats from advanced cyberattacks. The Australian Cyber Security Centre (ACSC) introduced Secure by Demand: Priority Considerations for OT Owners and Operators When Selecting Digital Products. International cyber security experts created this guidance to help leaders in Australia’s public sector tackle vulnerabilities in OT products. This initiative emphasises the critical importance of integrating security-by-design principles to protect national security and uphold public confidence.
Mitigating operational risks
Cyber threat actors exploit weaknesses in OT products, targeting the products themselves rather than specific organisations. This approach creates significant vulnerabilities across multiple critical infrastructure sectors. Key weaknesses include:
- Weak authentication mechanisms: Many OT systems rely on default or commonly shared passwords and often lack strong multifactor authentication protocols, making them vulnerable to exploitation.
- Known software vulnerabilities: Outdated and unpatched software leaves systems vulnerable to known threats.
- Insecure legacy protocols: Legacy communication protocols, such as Telnet and SNMPv1, continue to be in use despite their significant vulnerabilities.
- Limited logging and monitoring: Inadequate tracking and auditing capabilities create significant challenges for identifying malicious activities and anomalies.
- Insecure default settings: Many OT products come with settings that increase vulnerability to cyber threats, requiring users to put in considerable effort to secure them.
Strengthening cybersecurity frameworks
The Secure by Demand publication outlines a detailed framework for selecting OT products that integrate robust cybersecurity protocols. Public sector leaders must embrace these 12 essential considerations to strengthen system resilience:
- Configuration management: Products must enable secure tracking and authorisation of configuration changes, detect tampering, and facilitate seamless recovery processes.
- Comprehensive logging: Choose products that log configuration changes, user activities, and security events by default in open standard formats to aid forensic investigations.
- Open standards: Select products that follow widely accepted standards to enhance interoperability, minimise vendor dependence, and streamline system upgrades.
- Data protection: Focus on products that provide encryption and integrity verification for data both at rest and in transit, reducing the risks of unauthorised access and tampering.
- Secure-by-default features: Choose products that come with hardened configurations, remove default passwords, and enable the latest secure communication protocols right from the start.
- Strong authentication: Implement role-based access control (RBAC) and phishing-resistant multifactor authentication to protect against unauthorised access.
- Threat modeling and vulnerability management: Manufacturers must provide transparent threat models, a Software Bill of Materials (SBOM), and a coordinated vulnerability disclosure process to effectively address known risks.
- Resilient patching mechanisms: Pick products with reliable and tested patch management processes to minimise downtime and ensure the timely application of security updates.
- Secure communications: Products should support authenticated and encrypted communication channels while simplifying certificate management to maintain data integrity.
- Secure controls: Ensure products resist harmful commands and operate securely in challenging environments, maintaining stability during security evaluations and inspections.
- Ownership and autonomy: Select products that enable operators to maintain and configure independently, reducing reliance on external vendors.
- Upgrade and patch tooling: Select solutions that feature efficient, clear, and secure patching processes, along with support for managing hardware and software lifecycles.
By following these guidelines, public sector organisations can establish robust OT environments that endure both existing and future cyber threats.
Securing operational technology
As OT increasingly supports essential services, such as energy, water, and transportation, government leaders must prioritise the evolving landscape of cybersecurity threats. OT systems have weaknesses that pose serious risks to national security, public safety, and the management of digital affairs. To protect essential infrastructure, embrace the guidance from the ACSC and apply secure-by-design principles effectively.
The outlined principles ensure that OT systems stay strong against cyber threats, securing essential services for the long term and maintaining public confidence in Australia’s digital governance structure. Australia’s public sector increasingly relies on OT, highlighting the significant cybersecurity risks associated with these systems that require attention. The Australian Cyber Security Centre provides guidance on secure-by-design principles, offering an essential framework to address these risks effectively.
Leaders in the public sector can ensure the safety of vital services and defend critical infrastructure against emerging threats by focusing on secure product selection and incorporating strong cybersecurity measures. These strategies will significantly enhance the security and resilience of OT systems, strengthen digital governance and national security, and ensure the ongoing stability of Australia’s public sector operations.
Public Spectrum is the first knowledge-sharing platform in Australia to embrace the entire public sector. This website is a platform where you can connect, collaborate, empower, inspire, and upskill with public sector professionals.