NHI Forum
Read full article here: https://corsha.com/blog/secure-by-demand-how-cisas-latest-guidance-informs-ot-cybersecurity-priorities/?source=nhimg
On Jan 13, 2025, the Cybersecurity & Infrastructure Security Agency (CISA), joined by the NSA, FBI, and international cyber agencies, released “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products.” The message is blunt: adversaries are increasingly targeting specific OT products, not just organizations, because too many devices still ship with weak authentication, limited logging, and known vulnerabilities.
If you run industrial or manufacturing environments, this is the wake-up call. Connectivity brought efficiency; it also created a sprawling machine-to-machine (M2M) attack surface. Identity, encrypted communications, and verifiable telemetry are now table stakes.
Why this matters now
- Targeted product attacks scale pain. Compromising one widely deployed device or software version can ripple across many plants.
- Assumed-trusted devices are over. OT that can’t prove identity, can’t be monitored, or can’t be updated safely will become uninsurable liabilities.
- NHIs dominate. In many enterprises, non-human identities (NHIs) outnumber humans by an order of magnitude or more. Leaving them unmanaged invites silent privilege creep and data exposure.
What “Secure by Demand” means for OT buyers
CISA’s recommendations center on picking products (and vendors) that make security provable and operable. In practice, look for:
- Strong identity & auth for devices, workloads, and clients (no shared/static secrets; support for short-lived credentials and mutual auth).
- Encrypted communications by default (end-to-end/mTLS) with modern cipher suites.
- Granular policy & least privilege you can actually enforce (scoped access, time-bound tokens, role/attribute-based controls).
- Actionable logging & auditability (who/what/when/where; tamper-resistant logs; easy export to your SIEM).
- Lifecycle security (key rotation, revocation, patchability, and configuration baselines you can attest to).
- Operational visibility (behavior analytics, anomaly detection, and simple ways to quarantine or block abuse).
How Corsha aligns (quick map)
If you’re evaluating architectural fit against CISA’s priorities, here’s how Corsha’s Identity Provider for Machines maps:
- Machine identity, not static secrets - Issue dynamic, cryptographic identities to trusted API clients and OT workloads; eliminate shared keys.
- One-time / short-lived credentials - Enforce ephemeral, single-use MFA credentials and scheduled access to minimize standing privilege.
- End-to-end encrypted comms - Protect OT↔OT and OT↔IT data flows with enforced encryption and mutual authentication.
- Deep visibility & logging - The Corsha Console provides real-time traffic observability, per-identity request trails, and violations of secret lifecycle policies (age, validity, expiry).
- Policy enforcement at the gate - Gatekeepers (including Dual Gatekeeper mode) verify inbound requests and add MFA to outbound—letting you allow/deny in either direction and quarantine abuse fast.
- Agentless coverage where needed - Not every legacy asset can run an agent; Corsha supports agentless clients while still enforcing identity-aware controls.
- IdP integration for governance - Microsoft Entra ID import pulls in app registrations (secrets/certs/UPNs), monitors usage, detects credential reuse across IPs, and keeps your IdP the source of truth.
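Two of the checks named above (credential reuse across source IPs, and secrets still in use past their allowed age) are simple to express as detection logic over an access-log export. The following is an added illustration, not Corsha's code or log format: the CSV column layout, the 24-hour age policy and the log lines are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: used_at, client, credential_id, source_ip, issued_at.
# The column layout is hypothetical, not the Corsha Console's real format.
SAMPLE_LOG = """\
2025-01-20T08:00:00Z,plc-line-3,cred-a1,10.1.5.20,2025-01-20T07:59:30Z
2025-01-20T08:01:10Z,plc-line-3,cred-a1,10.1.5.20,2025-01-20T07:59:30Z
2025-01-20T08:02:00Z,hist-srv,cred-b7,10.1.9.4,2024-11-01T00:00:00Z
2025-01-20T08:03:45Z,hist-srv,cred-b7,203.0.113.8,2024-11-01T00:00:00Z
2025-01-20T08:05:00Z,scada-gw,cred-c3,10.1.7.1,2025-01-19T20:00:00Z
"""

# Assumed policy: credentials are short-lived; any use more than MAX_AGE after
# issue is a rotation/expiry violation.
MAX_AGE = timedelta(hours=24)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Turn the CSV-style export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        used, client, cred, ip, issued = line.split(",")
        events.append({"used": _ts(used), "client": client, "cred": cred,
                       "ip": ip, "issued": _ts(issued)})
    return events


def credential_reuse(events):
    """Credentials presented from more than one source IP: a sign a secret was
    copied or shared instead of being bound to a single machine identity."""
    ips = defaultdict(set)
    for e in events:
        ips[e["cred"]].add(e["ip"])
    return {cred: sorted(seen) for cred, seen in ips.items() if len(seen) > 1}


def stale_credentials(events, max_age=MAX_AGE):
    """Credentials still in use after the allowed age has elapsed."""
    return sorted({e["cred"] for e in events if e["used"] - e["issued"] > max_age})


def report(text):
    events = parse_log(text)
    return {"reuse": credential_reuse(events), "stale": stale_credentials(events)}
```

On the sample, `report(SAMPLE_LOG)` flags only cred-b7 on both checks: it is 80 days old and was presented from two different addresses, which is exactly the profile a governance review should surface first.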
OT procurement checklist you can use
Ask these questions during vendor evaluations (and expect clear demos, not just promises):
- Identity & Auth - How do devices and clients prove identity? Do you support short-lived, scope-bound credentials and mTLS?
- Secrets Hygiene - Can we rotate and revoke credentials centrally, instantly, and at scale? How do you prevent secret reuse?
- Policy - Can we enforce least privilege (role/attribute/time-bound) per device/workload/tool?
- Telemetry - What logs do we get? Are they tamper-evident? How easily do they flow to our SIEM?
- Visibility - Can we see who/what called what, from where, and how often—in real time?
- Containment - How quickly can we block a misbehaving identity or path without taking the line down?
- Lifecycle - What’s the process for patching, config baselines, and key/cert rotation? Can we attest to it?
Bottom line
CISA’s guidance raises the bar for OT procurement: choose products that are secure by design and verifiable in operation. Given the overwhelming growth of NHIs, securing machine identities and their communications is no longer optional. With Corsha, operators gain the identity foundation, encrypted data paths, and live observability to meet the spirit of “Secure by Demand” while keeping plants running.