The role of security by design for OT systems

Sarah Kolberg | August 1, 2024

Security by design is a design concept in hardware and software development that provides for continuous testing of security precautions. The security of a product is considered in all phases of the development process and throughout the entire life cycle, from brainstorming to the product's end of life. In today's practice, security measures and concepts are often only added at the end of the process chain, when a product is already in operation. This can cause considerable problems, especially in OT environments. Find out what opportunities security by design brings for the security, reliability, and continuity of OT systems.

Integrated and sustainable security

Security by design is one of the requirements set out in the European Cyber Resilience Act for products with digital elements in the European Single Market. The aim is to implement a suitable security architecture in the product itself so that it has as few vulnerabilities as possible when it is launched on the market. This state is maintained over the life cycle of the product with security updates by the manufacturer. The aim is to achieve integrated and sustainable product security.

How does a product become "secure by design"?

  • Minimization of the attack surface: e.g. by omitting superfluous components and applying the least privilege principle

  • Data encryption: Encryption of the data traffic received and sent by the product

  • Secure authentication: Authentication of product users via a secure method, multi-factor authentication

  • Isolation: Separation of security-relevant areas

  • Regular tests: Carrying out periodic security tests

  • Security updates: Provision of regular security updates by the manufacturer

Security by design in OT

Security by design is particularly important for OT systems. In operational technology, especially in critical infrastructures, cyber-attacks and system failures usually have far-reaching consequences. Robust and reliable systems are therefore needed to ensure continuous cyber-resilient operation. By defining and testing security requirements throughout the entire development process, cybersecurity is no longer seen as an add-on, but as an integral part of a product.

Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices are increasingly being used in industrial plants, hospitals, and other critical utilities. They promise more efficient processes and new value creation potential. At the same time, they are often seen as a gateway for attackers, as the manufacturers' security precautions are not mandatory. As a result, IoT and IIoT devices sometimes have security gaps that must be subsequently compensated for by security solutions. In sensitive processes and companies, there is often uncertainty among those responsible as to whether they should utilize such devices. This is where the security by design concept can have a particularly positive effect, as it can help to create more customer confidence, minimize risks, and dispel any concerns about use.

Advantages of security by design

  1. In OT, the life cycles of machines, plants and systems are often long, and security requirements were not originally considered when they were implemented. Security by design integrates security into products right from the start: risk analyses are carried out and corresponding requirements are defined.
  2. Secure by design means developing robust products with up-to-date security precautions and understanding security as a quality feature: vulnerabilities in the architecture and code of the products are minimized, so the products offer as little attack surface as possible.
  3. Improvements and interventions in ongoing operations can result in high costs and far-reaching consequences. The design concept avoids these potential future costs. The application of security by design can therefore be profitable in the long term, particularly in OT, as it creates a secure basis for reliable use of the products in operation.

© macmon secure GmbH