Software manufacturers participating in the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design pledge are focusing on enhancing security across various offerings including on-premises software, cloud services, and software as a service (SaaS). The initiative encompasses manufacturers from the critical infrastructure sector who commit to adhering to CISA’s Secure by Design principles, thereby significantly improving product security across all sectors.
The commitment emphasizes incorporating security into a product from the initial design phases, not bolting it on later. It aims to make a manufacturer’s software resilient to cyber-attacks by eliminating, as early as possible, the vulnerabilities that attackers would otherwise exploit.
Such a commitment fosters secure coding techniques, periodic security testing, and in-depth threat modeling as proactive cybersecurity practices. This not only strengthens resilience in critical infrastructure but also builds trust among end-users and stakeholders in the resulting products. Energy, health, and transport are sectors that form the backbone of national security and daily life, and they benefit greatly from enhanced security measures.
The Secure by Design pledge fosters a culture of security awareness and continuous improvement among software manufacturers. Through collaboration with CISA, they will be up-to-date on evolving threats and regulatory requirements to ensure their products reach the highest level of security attainable. Moreover, collaboration can enable information sharing and best practices to foster improvements in critical infrastructure sector security postures. Ultimately, the Secure by Design pledge is one giant leap toward a more secure, more resilient digital landscape.
Agency focus on boosting cybersecurity across critical infrastructure
Addressing the role CISA’s Secure by Design pledge plays in safeguarding product security across critical infrastructure sectors, Lauren Zabierek, senior advisor for the cybersecurity division at CISA, told Industrial Cyber that the agency’s Secure by Design pledge is intended to facilitate action by the software manufacturers that collectively underpin our critical infrastructure. “To date, more than 150 software manufacturers have signed the pledge, demonstrating their commitment to demonstrating measurable progress towards Secure by Design principles.”
The pledge is scoped to IT components and software, which all critical infrastructure relies on for at least its business infrastructure, Zabierek detailed, adding that some of the benefits from IT will also spread into critical infrastructure through the convergence of IT and OT (operational technology), as well as the movement to cloud infrastructure. “For critical infrastructure, this might manifest through fewer vulnerabilities in their products, better observability into networks, and an easier time signing up for best practices like multifactor authentication and single sign on in their business networks.”
She also mentioned that “For sector-specific infrastructure, we are currently exploring an OT-specific pledge, which would address unique considerations present with OT products.”
Zabierek addresses the timeline for engaging manufacturers of IoT, ICS (industrial control systems) devices, and consumer products not currently covered by the pledge. Additionally, she explores CISA’s strategies to maintain robust cybersecurity for critical infrastructure installations amidst these challenges.
“CISA is beginning to explore a secure by design pledge focused on OT,” Zabierek said. “The key complexity is understanding how to move the needle in legacy environments relying on older technology while encouraging secure greenfield devices and deployments. We’re engaging with industry and expect something to come out in the next few months.”
In the meantime, Zabierek noted that “CISA is continuing our work in critical infrastructure, including as part of the implementation of the National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22), and providing free services and tools to owners and operators. Additionally, we plan to publish Secure by Design guidance focused on ICS in the near future.”
With major tech manufacturers pledging to achieve specific, measurable targets by adopting radical transparency and accountability within the next year, Zabierek explores how CISA will coordinate these initiatives, the potential challenges that may arise, and strategies for overcoming them. “At CISA, we look forward to seeing what progress companies make and demonstrate as part of the pledge. Doing so will allow companies to differentiate themselves on the basis of security to their customers and the public. As businesses develop strategies to meet our desired outcomes, we plan to convene pledge signers to exchange lessons learned,” she added.
“CISA will be working very closely with the pledge signers to make progress on the pledge goals. We worked collaboratively with industry to develop seven concrete actions and we will maintain that collaboration,” Zabierek identified. “Our goal is that increased radical transparency and responsibility for customer outcomes on the part of companies, and increased awareness among customers will shift demand so that security is more valued and prioritized more than it is now.”
Given that, she added “we will look to actions that companies have taken as a result of the pledge based on what they publish, and both these companies’ customers and the public will be able to evaluate their actions taken. Of course, there will be challenges, but the more we can learn from each other and work together, the better off we’ll be.”
Impact of pledge on critical infrastructure cybersecurity
Industrial Cyber reached out to industrial cybersecurity experts to uncover the specific measures their companies have implemented to align with the Secure by Design pledge and how these actions will enhance the cybersecurity stance across critical infrastructure installations.
“To evolve security organizations to embrace more closely DevSecOps culture by building satellite security positions in product teams and designate developers with security roles for effective operation, patch management, and incident response,” Jon Clay, vice president for threat intelligence at Trend Micro, told Industrial Cyber. “To design security indicators and build overall secure development metrics for better visibility and efficient risk identification and prevention. To expedite consolidation of identity service across different products and fortify default configuration through the adoption of security technology such as MFA, CAPTCHA, WAF, and so on.”
Clay also pointed to the need to enhance cloud infrastructure security by implementing security best practices across different cloud providers and adopting critical solutions like Cloud Security Posture Management for security visibility and enforcement. “To systematically reduce technical debts in critical security development systems and frameworks, and to develop more specific and comprehensive security training and introduce role-based training to ensure all employees obtain necessary job-related security skills and awareness,” he added.
Robert Huber, CSO and head of research at Tenable, stated that as a provider of comprehensive and rapid coverage for CISA’s Known Exploited Vulnerabilities (KEV) catalog, the company is committed to detecting and addressing critical vulnerabilities. Tenable aids organizations, including critical infrastructure providers, in prioritizing risk remediation effectively.
“To this end, Tenable already has a few initiatives in place. We have a dedicated cross-functional team driving the Secure Software Development Lifecycle (SSDLC),” Huber told Industrial Cyber. “This team coordinates, communicates, refines, develops, and ensures adherence to security controls throughout our processes. To deliver secure, high-quality products rapidly, Tenable employs automated security testing to identify potential vulnerabilities in source code, dependencies, and underlying infrastructure before releasing products to our customers.”
Huber pointed out that last year Tenable “implemented the Supply-chain Levels for Software Artifacts (SLSA) framework for our Nessus product, underscoring our proactive approach to secure development. The SLSA framework, developed by Google, provides guidelines for enhancing supply chain security, ensuring the integrity of software artifacts across the entire supply chain. Supporting the pledge further enhances our capabilities and reinforces our security initiatives.”
Huber mentioned that to ensure timely patching and fixing of vulnerabilities by vendors, Tenable publishes a machine-readable version of its public vulnerability disclosure policy, enhancing operational security for customers and the broader community. “We are also committed to working with researchers to fully understand and resolve security vulnerabilities through our bug bounty program,” he added.
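The article does not say which format Tenable uses for its machine-readable disclosure policy; the most common one is security.txt (RFC 9116), served at /.well-known/security.txt. The validator below is an added example, not Tenable's or CISA's code: it parses a security.txt file and checks the properties a customer or scanner would care about (required Contact and Expires fields, Contact values that are URIs, Expires present only once and still in the future). Both sample files are constructed, and example.com is a placeholder.

```python
"""Validate a machine-readable vulnerability disclosure policy (security.txt, RFC 9116).

Added example, not Tenable's or CISA's code. The sample policies below are
constructed; example.com and the dates are placeholders.
"""
from datetime import datetime, timezone

# Constructed sample that should pass.
SAMPLE_GOOD = """\
# Vulnerability disclosure policy (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2099-01-01T00:00:00Z
Policy: https://example.com/disclosure-policy
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed sample with four defects: bare e-mail address instead of a
# mailto: URI, Expires listed twice, and both Expires values in the past.
SAMPLE_BAD = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
"""

REQUIRED = ("Contact", "Expires")            # RFC 9116 mandatory fields
SINGLE_VALUED = ("Expires", "Preferred-Languages")  # may appear at most once


def parse_security_txt(text):
    """Return {field: [values]}, ignoring comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of findings; an empty list means the policy passes."""
    now = now or datetime.now(timezone.utc)
    findings = []
    fields = parse_security_txt(text)
    for name in REQUIRED:
        if name not in fields:
            findings.append(f"missing required field: {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            findings.append(f"field must appear at most once: {name}")
    for value in fields.get("Contact", []):
        # Contact values are URIs; a bare address is the most common mistake.
        if not value.startswith(("mailto:", "https://", "tel:")):
            findings.append(f"Contact must be a URI (mailto:, https://, tel:): {value}")
    for value in fields.get("Expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if expires <= now:
            # An expired policy tells researchers nothing reliable; scanners
            # should treat it as absent.
            findings.append(f"policy expired on {value}")
    return findings


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, validate_security_txt(sample) or "OK")
```

Running the file prints `OK` for the first sample and the four findings for the second. In a CI job the same function can be pointed at the file a product team ships, so that a policy that has silently expired fails the build instead of going unnoticed until a researcher tries to use it.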
“Forescout implements a ‘security by design’ approach in its secure software development lifecycle (SSDLC) today, integrating security measures from the design through the build/delivery phases, and continuing into maintenance and operational monitoring phases,” Kevin O’Leary, chief development officer at Forescout, told Industrial Cyber. “This ensures that security features are inherent and not retroactively applied, minimizing vulnerabilities across critical infrastructure installations. Forescout is now embracing the Secure by Design pledge and extending our security measures to incorporate the advanced goals into our offerings.”
He added that the Forescout team works with regulatory bodies on security certifications to ensure its solutions meet stringent security benchmarks.
Blending Secure by Design practices into the software development lifecycle
The executives assess the integration of Secure by Design practices into the software development lifecycle, detailing the challenges encountered while implementing these principles and the strategies used to address them.
Clay mentioned that Trend Micro will build standard security services to be used and integrated with the software development lifecycle. “We’ll also build security in the early design phase instead of patching the product after it is developed. These services will provide necessary checks and validations on security posture before software artifacts move on to their next stage. In addition, there will be a security dashboard to show security posture of all products under development so that security organizations can step in or intervene when we see indications of risks,” he added.
“Sometimes when new technology is adopted, it usually causes impact and disruption, such as Generative AI. The countermeasures we implemented include AI service vetting and review process to mitigate potential pitfalls before adoption,” Clay said. “Another example of challenges is that although people use the same technology, different development teams use it differently. This causes accumulation of technical debts and inconsistencies. Our countermeasure is developing standard template/service/modules to unify these different practices to ensure consistency of security quality.”
Huber identified that foundational steps include appointing a dedicated security lead for the project, establishing and maintaining an asset register from project inception, implementing measures to prevent asset tampering, prioritizing identity management and user access control throughout the project lifecycle, and ensuring ongoing training and awareness initiatives.
“Additionally, addressing security concerns necessitates the adoption of a structured framework, and one such framework is the IEC 62443 standard, widely utilized across operational technology (OT) devices and plant-level systems,” Huber detailed. “Developers integrate this standard into product development, while operators utilize it to fortify overall security within plant infrastructures.”
In addition to IEC 62443, Huber noted other standards like NIST SP 800-82 serve similar purposes and can be seamlessly integrated into frameworks such as the NIST Cybersecurity Framework to enhance implementation efficacy. “This collaborative approach enables organizations to tailor security measures to their specific needs while adhering to established best practices and industry standards,” he added.
O’Leary said that Forescout implements a comprehensive bi-weekly security scanning protocol, which includes vulnerability scans, Static Application Security Testing (SAST), Software Composition Analysis (SCA), and software supply chain security analysis of the product binaries. Additionally, zero trust principles are adopted and integrated into the same rigorous security lifecycle.
“The main challenge is staying ahead of the latest security exploits. To achieve this, an integrated process within the Continuous Integration/Continuous Delivery (CI/CD) environment is used to continuously evaluate code and products,” O’Leary identified. “Any findings are addressed by applying security patches for Common Vulnerabilities and Exposures (CVEs) and Known Vulnerability Exposures (KVEs) to resolve potential issues.”
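The CI/CD gate described above, and the KEV-based prioritization Tenable mentions earlier on the page, can be made concrete with a small policy check. The script below is an added example, not Forescout's or Tenable's pipeline code: it reads a dependency-scan (SCA) report and a local extract of CISA's KEV catalog, treats every finding on the KEV list as build-blocking regardless of its score, blocks on the remaining findings only above a CVSS threshold, and orders the rest as advisory. The report layout and its field names are assumptions; the KEV extract uses the `vulnerabilities`/`cveID` shape of CISA's published JSON feed. All CVE identifiers below are placeholders, not real vulnerabilities.

```python
"""CI gate that prioritizes SCA findings against CISA's KEV catalog.

Added example, not Forescout's or Tenable's code. The SCA report shape and
field names are assumptions; the KEV extract mirrors the "vulnerabilities" /
"cveID" layout of CISA's JSON feed. CVE ids are placeholders.
"""
import json

# Constructed SCA report (placeholder ids, not real CVEs).
SCA_REPORT = json.dumps([
    {"package": "libexample", "version": "1.2.3", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"package": "parsekit",   "version": "0.9.0", "cve": "CVE-0000-0002", "cvss": 5.3},
    {"package": "netutil",    "version": "2.0.1", "cve": "CVE-0000-0003", "cvss": 7.5},
])

# Constructed KEV extract: a medium-scored CVE that is known to be exploited.
KEV_CATALOG = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0002", "dueDate": "2024-01-31"},
]})


def load_kev_ids(kev_json):
    """Set of CVE ids present in the KEV extract."""
    return {entry["cveID"] for entry in json.loads(kev_json)["vulnerabilities"]}


def prioritize(sca_json, kev_ids, cvss_block=9.0):
    """Split findings into (blocking, advisory), each most urgent first.

    Known-exploited vulnerabilities block regardless of CVSS, because
    exploitation is a fact rather than a score; otherwise only findings at or
    above cvss_block stop the build.
    """
    blocking, advisory = [], []
    for finding in json.loads(sca_json):
        finding = dict(finding, in_kev=finding["cve"] in kev_ids)
        if finding["in_kev"] or finding["cvss"] >= cvss_block:
            blocking.append(finding)
        else:
            advisory.append(finding)
    urgency = lambda f: (not f["in_kev"], -f["cvss"])  # KEV first, then score
    return sorted(blocking, key=urgency), sorted(advisory, key=urgency)


def gate(sca_json, kev_json):
    """Return (exit_code, report): 1 when anything blocks, else 0."""
    blocking, advisory = prioritize(sca_json, load_kev_ids(kev_json))
    lines = []
    for f in blocking + advisory:
        tag = "BLOCK" if f in blocking else "ADVISE"
        kev = " [KEV]" if f["in_kev"] else ""
        lines.append(f"{tag:6} {f['cve']} {f['package']} {f['version']} cvss={f['cvss']}{kev}")
    return (1 if blocking else 0), "\n".join(lines)


if __name__ == "__main__":
    code, report = gate(SCA_REPORT, KEV_CATALOG)
    print(report)
    raise SystemExit(code)
```

With the constructed inputs the KEV-listed CVSS 5.3 finding is ranked above the CVSS 9.8 one, and the build fails; the 7.5 finding is reported but does not block. Swapping the embedded strings for the real scanner output and the downloaded KEV feed is the only change needed to run this as a pipeline step.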
Collaborative efforts and responses to Secure by Design pledge
The experts discuss their collaboration with other software manufacturers and industry partners as part of the Secure by Design pledge, while also reflecting on the response received so far.
“At this point, we have not collaborated with other manufacturers as we look to build and implement our own secure by design processes,” Clay said. “This is a work in progress and we will look to reach out to other vendors who have signed the pledge in the near future. We have not received any outreach by these vendors either.”
Huber highlighted that to enhance the sharing of tactical and strategic security details and to provide early insight into emerging threats, detection techniques, and containment measures, Tenable is an active member of OT-ISAC and IT-ISAC.
“We also actively participate in industry working groups such as ETHOS to establish and promote security best practices, contribute to open-source projects focused on enhancing security, and engage in research and development initiatives to address common security challenges,” according to Huber. “We maintain open communication channels within the CISO community for sharing information on vulnerabilities and threats, provide security training to our teams through partnerships, and ensure compliance with the latest standards and regulations.”
He added that as part of the company’s third-party risk management program, Tenable reviews each vendor rigorously. “This process includes evaluating the vendor’s scope, assessing their criticality, conducting a legal review, administering a security questionnaire, performing an architecture assessment, and reviewing certifications. The list of third parties is periodically reassessed based on the evolving risk landscape, service dependencies, and vendor criticality. Additionally, we inquire about secure software development practices or a secure-by-design pledge as part of the vendor evaluation.”
“Forescout collaborates in the cyber security space to provide threat intelligence analysis and reporting cyber threats trends via the publicly accessible Forescout Vedere Lab Dashboard,” O’Leary said. “The Vedere Lab dashboard continuously collects anonymized data from Forescout customers to provide accurate data in the cyber security community, with strong focus on the OT/ICS domain.”
Looking ahead…
The experts address their expectations for the evolution of the Secure by Design pledge over the next five to ten years and discuss the role they anticipate emerging technologies will play in the future of software security.
“We see more software manufacturers joining the Secure By Design pledge and implementing their own internal support of this pledge,” Clay detailed. “We could see regulations implemented that require software manufacturers to adhere to this type of pledge in their development process, especially if we see more breaches caused by exploits of minor vulnerabilities that should have been found in the design process. Technology advances should help with this as we see capabilities like AI/GenAI that can be used to scan for vulnerabilities.”
He added that the more “we can automate many of the existing functions done via humans, we will be able to improve and secure the software lifecycle.”
As customers increasingly demand products and services that are secure by design, it becomes imperative for companies to integrate robust security measures throughout the development process, Huber said. “Secure by design will no longer be just a pledge but a mandatory guideline, ensuring that every product and service meets stringent security standards from the outset,” he added.
“Forescout believes the Secure by Design pledge, as everything IT, is destined to evolve significantly over the next five to ten years, driven by rapid advancements in technology and an increasingly complex cybersecurity landscape,” according to O’Leary. “We anticipate that there will likely be a deeper integration of AI (Artificial Intelligence) in security frameworks, enhancing threat detection and response capabilities, further improving the resilience of systems against sophisticated attacks.”
Moreover, he added that the continuing growth of IoT (Internet of Things) devices will require new approaches to Secure by Design principles. “These devices will need to follow rigorous standards to ensure they are inherently secure from their inception, which will require adoption of contract programming languages, software bill of materials (SBOM), and focus on OSS security. These practices will be essential to prevent widespread vulnerabilities in interconnected environments,” he concluded.