In April of 2025, the US National Security Agency (NSA) Cybersecurity Directorate published a cybersecurity technical report (CTR), “Operational Technology Assurance Partnership: Smart Controller Security within National Security Systems” aimed at updating ISA 62443-4-2 with six new common-sense controls.
ISA 62443-4-2 itself is a proprietary standards document available from the International Society of Automation, written for designers of operational technology and industrial control system (OT/ICS) components, and in this case specifically those components that are part of defined National Security Systems (NSS).
## The Six Common-Sense Requirements
The NSA reviewed this set of standards and noted six common-sense security controls that lack specific callouts in the current version of ISA 62443-4-2. Specifically, the NSA’s investigation focuses on the security of “smart controllers,” those components of OT/ICS systems that automate functionality and often have their own computing, storage, and networking capabilities.
The NSA flagged the following for standardization:
- Disable Wireless Interfaces - Prevents unauthorized wireless access vectors.
- Disable SSID Broadcasting - Avoids passive network discovery by adversaries.
- Pattern-Hiding Displays - Protects sensitive on-screen info from shoulder surfing or remote observation.
- Restrict Removable Media Devices - Reduces infection risks from USB drives and similar attack vectors.
- Encrypt Data in Transit - Ensures secure communication across networked environments.
- Use NSA-Approved Cryptography - Enforces strong, vetted encryption standards appropriate for NSS.
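As an added illustration of how an asset inventory could be screened against the six controls above (example code written for this page, not the NSA's or runZero's; the `Controller` record, its field names, and the sample devices are constructed, and the approved-cryptography baseline is assumed to be CNSA 1.0, i.e. AES-256-GCM/SHA-384 suites over TLS 1.2 or later):

```python
from dataclasses import dataclass

# Assumed approved baseline (CNSA 1.0): AES-256-GCM/SHA-384 suites over TLS 1.2+.
APPROVED_SUITES = {"TLS_AES_256_GCM_SHA384",
                   "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
ACCEPTED_TLS = {"1.2", "1.3"}

@dataclass
class Controller:
    """Constructed inventory record for one smart controller (hypothetical fields)."""
    name: str
    wireless_enabled: bool
    ssid_broadcast: bool
    screen_lock: bool             # proxy for a pattern-hiding display
    removable_media_allowed: bool
    services: dict                # name -> (tls_version, suite); None = plaintext

def audit(c: Controller) -> list:
    """One finding per violated control; an empty list means compliant."""
    findings = []
    if c.wireless_enabled:        # SSID broadcast only matters if the radio is on
        findings.append("wireless interface enabled")
        if c.ssid_broadcast:
            findings.append("SSID broadcast enabled")
    if not c.screen_lock:
        findings.append("no pattern-hiding display / screen lock")
    if c.removable_media_allowed:
        findings.append("removable media not restricted")
    for svc, crypto in c.services.items():
        if crypto is None:
            findings.append(f"{svc}: data in transit unencrypted")
            continue
        version, suite = crypto
        if version not in ACCEPTED_TLS:
            findings.append(f"{svc}: TLS {version} is deprecated")
        if suite not in APPROVED_SUITES:
            findings.append(f"{svc}: {suite} is not NSA-approved")
    return findings

def audit_inventory(inventory: list) -> dict:
    # Map controller name -> findings, keeping only non-compliant devices.
    return {c.name: f for c in inventory if (f := audit(c))}

# Constructed sample: one legacy PLC and one hardened controller.
SAMPLE = [
    Controller("plc-legacy-01", True, True, False, True,
               {"modbus": None, "https": ("1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA")}),
    Controller("plc-hardened-02", False, False, True, False,
               {"https": ("1.3", "TLS_AES_256_GCM_SHA384")}),
]
```

Calling `audit_inventory(SAMPLE)` reports seven findings for the legacy PLC and omits the hardened one entirely.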
Anyone familiar with the basics of cybersecurity will note, fairly immediately, that these are not particularly exotic new requirements, so the folks tasked with the regular care and feeding of OT/ICS in their environments should be on the lookout for these features to become commonplace among vendors that follow ISA 62443-4-2.
More importantly, if you have OT/ICS devices in your network that don’t already enforce things like physically disabling Wi-Fi capabilities or use normal cryptographic standards for encrypting local data, it’s probably time to start making some noise with your vendors.
I don’t see any reason why the ISA wouldn’t adopt these new required controls for OT/ICS smart controllers. The recommendations are backed by pretty solid research — looking at recent CVEs and the MITRE ATT&CK framework, and conducted by none other than the NSA. Check out the NSA’s report if you want to get down in the weeds, especially if your job involves securing your OT/ICS footprint.
## What Comes Next
The NSA plans to:
- Incorporate these requirements into an OT conformance pilot program
- Propose formal adoption through future revisions of ISA 62443‑4‑2
- Extend this analysis to other OT components beyond smart controllers
While the focus is on NSS, the recommendations are broadly applicable to public and private infrastructure alike. Organizations managing industrial automation, utilities, or ICS environments should take note.
## How runZero Can Help
In the meantime, runZero can help you ferret out the stragglers: controllers still using deprecated cryptographic libraries and unexpectedly multi-homed controllers, to name but two likely violations of these newly suggested requirements. It can also surface the likely avalanche of end-of-life / end-of-service devices that don’t support internal controls at all, such as systems with no sensible screen lock or that allow USB drives to be plugged in all willy-nilly.
Furthermore, runZero combines proprietary active scanning with passive discovery — a method the U.S. Department of Energy (DOE) has validated as safe for sensitive OT and ICS environments.
Kick off your free trial in minutes, or request a demo to get expert answers tailored to your environment.