Cybersecurity Snapshot: CISA Lists Security Features OT Products Should Have and Publishes AI Collaboration Playbook

Shopping for OT systems? A new CISA guide outlines OT cyber features to look for. Meanwhile, the U.S. government publishes a playbook for collecting AI vulnerability data. Plus, a White House EO highlights AI security goals. And get the latest on IoT security; secure app dev; and tougher HIPAA cyber rules.

Dive into six things that are top of mind for the week ending Jan. 17.

1 - How to choose cybersecure OT products

Is your organization evaluating operational technology (OT) products for purchase? If so, a new guide from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) aims to help OT operators choose OT products designed with strong cybersecurity features.

The publication, titled “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products,” highlights 12 cybersecurity elements that OT products should have, including:

• Support for controlling and tracking modifications to configuration settings
• Logging of all actions using open-standard logging formats
• Rigorous testing for vulnerabilities and timely provision of free and easy-to-install patches and updates
• Strong authentication methods such as role-based access control and phishing-resistant multi-factor authentication to prevent unauthorized access
• Protection of the integrity and confidentiality of data at rest and in transit

According to CISA, many OT products aren’t designed and developed securely, so they ship with security issues such as weak authentication, known vulnerabilities and insecure default settings. 

In fact, the agency says it’s common for hackers to target handpicked OT products instead of going after specific organizations. Thus, it’s critical for organizations, especially those in critical infrastructure sectors, to pick OT products built securely by using CISA’s “Secure by Design” principles.

“When security is not prioritized nor incorporated directly into OT products, it is difficult and costly for owners and operators to defend their OT assets against compromise,” reads the guide, published in collaboration with other U.S. and international agencies.

For more information about OT systems cybersecurity, check out these Tenable resources: 

• “What is operational technology (OT)?” (guide)
• “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
• “OT Security Master Class: Understanding the Key Principles, Challenges, and Solutions” (on-demand webinar)

2 - JCDC publishes playbook to collect AI security info 

A new playbook published by the U.S. government aims to facilitate the collective, voluntary sharing of information among AI providers, developers and users about AI vulnerabilities and cyber incidents.

The “AI Cybersecurity Collaboration Playbook” from CISA’s Joint Cyber Defense Collaborative (JCDC) details ways in which AI community members in government and in the private sector – both in the U.S. and abroad – can collaborate to help boost AI security for everybody.

“The development of this playbook is a major milestone in our efforts to secure AI systems through active collaboration,” CISA Director Jen Easterly said in a statement.

AI systems introduce unique cybersecurity challenges which make them vulnerable to attacks including model poisoning, data manipulation and malicious inputs. “These vulnerabilities, coupled with the rapid adoption of AI systems, demand comprehensive strategies and public-private partnership to address evolving risks,” the 33-page playbook reads.

By collecting, analyzing and enriching information on AI vulnerabilities and cyber incidents, CISA would be able to help the AI community in a variety of ways, including by:

• Sharing information to improve detection and prevention of AI threats
• Exposing attackers’ tactics and infrastructure
• Identifying and notifying victims
• Generating threat advisories and intelligence reports
• Offering tailored recommendations, vulnerability management strategies and cyber defense best practices

The playbook’s target audience is operational cybersecurity professionals, including incident responders and security analysts, and its goal is to help them collaborate and share information with CISA and JCDC about AI security.

In addition, CISA also envisions organizations adopting the document’s guidance internally “to enhance their own information-sharing practices, contributing to a unified approach to AI-related threats across critical infrastructure.”

For more information about industry efforts for collaborating on AI security:

• Cloud Security Alliance’s “AI Safety Initiative”
• MITRE’s “AI Incident Sharing initiative”
• Open Worldwide Application Security Project’s “AI Exchange”
• U.S. government’s “Testing Risks of AI for National Security (TRAINS) Taskforce”

3 - New White House cybersecurity EO includes AI requirements

The Biden Administration issued a sweeping cybersecurity executive order (EO) this week aimed at boosting U.S. cyberdefenses, and AI security is one area that it says must be strengthened.

The “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity” calls for promoting security “with and in” AI, saying it can speed up the identification of new vulnerabilities, scale up threat detection and automate cyberdefenses.

“The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity,” the executive order reads.

Among the executive order’s requirements for AI are:

• Launching a pilot program on using AI to improve cyberdefense of critical infrastructure in the energy sector. The Secretaries of Energy, Defense and Homeland Security would be in charge of the program, in collaboration with private-sector critical infrastructure organizations. The program may include:
  • vulnerability detection
  • automatic patch management
  • identification and categorization of anomalous and malicious activity across IT or OT systems
• The Secretary of Defense must establish a program to use advanced AI models for cyberdefense.
• The Secretaries of Commerce, Energy and Homeland Security, and the National Science Foundation Director, must prioritize funding for their respective programs that encourage the development of “large-scale, labeled datasets needed to make progress on cyber defense research.”
• The Secretaries of Defense and Homeland Security, and the Director of National Intelligence must incorporate management of AI software vulnerabilities and compromises into their agencies’ process and “and interagency coordination mechanisms for vulnerability management.” These efforts should include incident tracking, response, reporting and sharing AI systems’ indicators of compromise.

These AI-related actions all must be completed at various dates during 2025.

The executive order covers multiple other areas. To get all the details and expert analysis, read our blog “New Cybersecurity Executive Order: What It Means for Federal Agencies” from Robert Huber, Tenable’s Chief Security Officer, Head of Research and President of Tenable Public Sector.

4 - CISA publishes secure software development best practices

Software makers interested in improving the security of their development process and of their products have fresh guidance to peruse.

As part of its “Secure by Design” program, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published cybersecurity recommendations for protecting organizations’ software development lifecycle.

The best practices are organized into two categories — Software development process goals; and Product design goals — and include:

• Software development process goals:
  • Address vulnerabilities before releasing the software product, and publish a vulnerability disclosure policy.
  • Separate all software development environments, including development, build and test, to reduce the lateral movement risk.
  • Enforce multi-factor authentication across all software development environments.
  • Securely store and transmit credentials.
• Product design goals
  • Reduce entire classes of preventable vulnerabilities, such as SQL injection vulnerabilities, memory safety vulnerabilities and cross-site scripting vulnerabilities.
  • Provide timely security patches to customers.
  • Don’t use default password in your products.
  • Let users know when your products are nearing end-of-life status and you will no longer provide security patches for them.

The recommendations “will help to protect the sector from cyber incidents, identify and address vulnerabilities prior to product release, improve incident response, and significantly improve software security,” reads a CISA statement.

To get more details, read the full “Information Technology (IT) Sector-Specific Goals (SSGs)” fact sheet.

For more information about secure software development:

• “CISA Tells Tech Vendors To Squash Command Injection Bugs, as OpenSSF Calls on Developers To Boost Security Skills” (Tenable)
• “Secure Development” (Software Engineering Institute, Carnegie Mellon Univ.)
• “Secure Software Development Framework” (NIST)
• “Secure development and deployment guidance” (UK NCSC)
• “OWASP Developer Guide” (Open Worldwide Application Security Project )

5 - U.S. gov’t launches security label for IoT products

To encourage the development of safer internet of things (IoT) devices for consumers, the U.S. government has introduced a new label for IoT products that meet National Institute of Standards and Technology (NIST) cybersecurity standards.

Called the U.S. Cyber Trust Mark, the label will also help U.S. consumers know which IoT products are more secure, as they shop for internet-connected ware, such as baby monitors, security cameras, refrigerators, garage door openers and thermostats.

“These devices are part of Americans’ daily lives. But Americans are worried about the rise of criminals remotely hacking into home security systems to unlock doors, or malicious attackers tapping into insecure home cameras to illicitly record conversations,” reads a White House statement.

IoT manufacturers will soon be able to seek the U.S. Cyber Trust Mark label by submitting their IoT products to accredited labs for testing. Tests will cover areas including password authentication, data protection, software updates and incident detection. 

IoT products that earn the label will also have a QR code that’ll link consumers to information such as:

• How to change default passwords
• How to configure the device securely
• How to access software updates and patches if they’re not delivered automatically
• The end date of the product’s support period

Participation in the U.S. Cyber Trust Mark program is voluntary for IoT manufacturers. IoT devices excluded from the program include motor vehicles, medical devices, and products used for manufacturing, industrial control and enterprise applications.

To get more details, visit the U.S. Cyber Trust Mark home page.

For more information about securing consumer IoT devices, check out resources from the IoT Security Foundation; the European Telecommunications Standards Institute; TechAccord; Internet Society; the U.K. National Cyber Security Centre; and the International Organization for Standardization (ISO). 

6 - U.S. gov’t seeks tougher cybersecurity rules for health providers

Doctors, hospitals, health insurers and other healthcare organizations may face stricter cybersecurity regulations in the U.S.

That’s because the U.S. government is seeking to tighten the cybersecurity requirements in the Health Insurance Portability and Accountability Act (HIPAA).

The new cybersecurity rules proposed by the Department of Health and Human Services (HHS) include:

• Develop and revise on an ongoing basis a technology asset inventory and a network map that illustrates the movement of electronic protected health information (ePHI) throughout the organization’s electronic information systems.
• Make risk analysis more specific by submitting written assessments that include:
  • A review of the technology asset inventory and network map
  • Reasonably anticipated threats to ePHI’s confidentiality, availability and integrity
  • Potential vulnerabilities to the organization’s electronic information systems
  • A risk-level assessment of identified threats and vulnerabilities
• Strengthen contingency planning and security incident response with steps including:
  • Draft written plans to restore certain electronic information systems and data within 72 hours.
  • Prioritize restoration by analyzing criticality of systems and tech assets.
  • Outline in writing how employees and the organization will respond to known or suspected security incidents.
• Conduct an audit at least once per year to ensure the organization’s compliance with HIPAA’s cybersecurity rules.
• With limited exceptions, encrypt ePHI at rest and in transit and require the use of multi-factor authentication.
• Conduct vulnerability scanning at least every six months, and penetration testing at least once a year.

For more details about HHS’ new proposed HIPAA cybersecurity rules and to submit public comments about them, go to the Federal Register’s “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information” page. The comment period ends on March 7, 2025.