Strengthening OT: Understanding the new Secure Connectivity Principles for Critical Infrastructure

In an ongoing effort to help system owners better protect Operational Technology (OT) environments, government cybersecurity agencies from several allied nations have recently released new guidance on securing OT connectivity. Contributors include the National Cyber Security Centre (NCSC) in the UK, the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) in the United States, alongside international partners from Australia, Canada, New Zealand, the Netherlands, and Germany.

This guidance builds on the earlier publication Foundations for OT Cybersecurity, which focused on helping organizations establish a foundational OT asset inventory — because you can’t secure what you can’t see. The newly released Secure Connectivity Principles for Operational Technology expands on that work by providing system owners with a framework to design, implement, and manage secure connectivity across both new and existing OT environments.

Why secure OT connectivity matters

OT environments differ significantly from traditional IT systems because they directly interact with the physical world. As a result, cyber incidents affecting OT systems can have far more serious consequences than typical IT disruptions. Potential impacts include environmental damage, disruption of essential services, or even risks to human safety.

Historically, many OT environments were air-gapped or heavily segmented from enterprise IT networks. However, modernization, remote management, and increasing integration with IT systems have made OT environments far more connected than they once were. While this connectivity enables greater efficiency and visibility, it also expands the attack surface and increases the risk of compromise.

The new guidance is intended to help organizations navigate this reality by providing practical principles for securing connectivity while still enabling the operational benefits that modern OT environments require.

8 principles for a secure OT environment

Threat actors are consistently, effectively, and intentionally targeting OT systems to steal, disrupt, or destroy critical infrastructure. As a result, organizations responsible for OT environments should treat this guidance as a desired end-state, even when it is not a regulatory requirement. Given the importance of these systems, the agencies responsible for this guidance believe all OT system owners should expeditiously operationalize the principles outlined to help secure critical infrastructure against adversarial action.

The Secure Connectivity Principles for Operational Technology guidance outlines eight core principles designed to help organizations reduce risk and strengthen their defensive posture:

  1. Balance risks and opportunities
  2. Limit the exposure of connectivity
  3. Centralize and standardize network connections
  4. Use standardized and secure protocols
  5. Harden your OT boundary
  6. Limit the impact of compromise
  7. Ensure all connectivity is logged and monitored
  8. Establish an isolation plan

Together, these principles provide a practical roadmap for designing and operating OT networks that are resilient to modern cyber threats while still supporting operational requirements.

What’s next

In the coming weeks, we’ll take a closer look at each of these principles — exploring why they matter, how organizations can implement them in real-world OT environments, and what challenges teams may encounter along the way.

Stay tuned for parts two and three. We’ll unpack these principles and discuss how runZero can help operators gain visibility and control to better protect critical infrastructure.

Written by Colin Dupreay

Colin is a Federal Solutions Engineer at runZero. With almost a decade of experience supporting Public Sector customers, Colin is passionate about protecting and securing our nation's networks.
