Experts from national cybersecurity agencies in seven countries released guidance earlier this year titled “Secure Connectivity Principles for Operational Technology (OT)” to help organizations strengthen their defenses as IT and OT continue to converge.
We are continuing our blog series on this guidance by taking a closer look at the first four principles that lay the foundation for a robust OT security posture and how runZero can help empower OT network defenders.
Let’s dive in.
Principle 1: Balance the risks and opportunities
At the heart of the first principle is the idea that connectivity decisions should be risk‑informed and auditable. Before adding or modifying any connection into or out of an OT system, organizations must create and document business use cases for all permitted connectivity within OT systems. These must clearly document why the connection is needed, the benefits it provides, and what risk it introduces. Specifically, when documenting the justification and use case of connections, organizations should consider, at a minimum, the following:
- Why the connection is required and what operational function it enables
- What benefits are expected, like improved monitoring or predictive maintenance
- What risks are acceptable based on organisational threat context
- Potential impacts if the connection is misused or compromised
- How new dependencies might affect isolation or resilience
- Who is accountable at a senior level for the decision
This principle also deliberately highlights two major considerations that greatly increase risk when expanding OT connectivity and that organizations must weigh: obsolete products (both software and hardware) and operational risks that affect the safety, reliability, and availability of OT systems.
Organizations need to understand, evaluate, and address the risks associated with obsolete products. These risks may include the lack of security updates and the loss of institutional knowledge to help support older systems.
To reduce operational risk, organizations also need to consider loss of connectivity, single points of failure, and manual fallback capabilities.
This principle ensures OT system owners and operators carefully consider and document the impacts, effects, and ramifications of increasing the connectivity of their OT systems, especially when they are using old or obsolete products that could compromise the integrity of the OT system.
Principle 2: Limit the exposure of your connectivity
Exposure refers to how accessible OT systems are to both internal networks and external systems. The more reachable an OT asset is, the broader the potential attack surface becomes. To protect against exploitation, organizations should adopt an exposure management approach to their environment. It’s important to note that exposure management is not the same as vulnerability management and should not be treated as such.
An exposure management approach considers factors such as internet, adjacent, or internal network accessibility, End of Life (EOL) devices, obsolete protocol usage, administrative service or interface accessibility, and the many non-CVE risks that often lead to exploitation.
The guidance provides suggestions for limiting the exposure of OT systems, including:
- Reduce time of exposure
When possible, utilize just-in-time (JIT) access to reduce the time window for attacks to occur.
- Remove inbound port exposure
Only brokered connections through a secure gateway should be allowed. All other connections should initiate outbound from the OT system.
- Manage obsolescence risks
When obsolete OT devices cannot be upgraded, system owners should implement network segmentation, boundary controls, access restrictions, and device monitoring and logging.
- Manage unique connectivity risks
Even if encrypted, wireless communications like Wi-Fi or radio are not bound by the physical perimeter of your site and introduce risk. Compensating controls should be implemented to mitigate risk from wireless media.
The second principle highlights the necessity for organizations to understand what is on their networks and how those components are connected to reduce their risk.
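The documentation requirements of Principle 1 and the exposure factors of Principle 2 can be checked mechanically once connections are recorded in a register. The following is an added example (not code from the guidance or from runZero) that audits a constructed connectivity register for missing business justifications, missing accountable owners, obsolete endpoints without compensating controls, unbrokered inbound sessions, standing access from outside OT where just-in-time access would shorten the exposure window, insecure protocols crossing the OT boundary, and wireless paths without compensating controls. The register fields, zone names, protocol list and sample entries are all assumptions made for illustration.

```python
"""Audit a documented connectivity register for Principle 1 and Principle 2 gaps.

Added example, not code from the guidance or from runZero. The register
format, zone names and sample entries below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Connection:
    name: str
    source_zone: str          # zone that initiates the session
    dest_zone: str
    direction: str            # "inbound" = initiated toward OT, "outbound" = initiated from OT
    protocol: str
    brokered: bool            # session passes through a secure gateway/broker
    justification: str        # documented business use case (Principle 1)
    owner: str                # senior person accountable for the decision (Principle 1)
    eol: bool                 # either endpoint is an obsolete / end-of-life product
    compensating_controls: list = field(default_factory=list)
    wireless: bool = False
    jit_access: bool = False  # just-in-time access rather than standing access


# Assumed zones outside the OT boundary and protocols lacking integrity/authentication
EXTERNAL_ZONES = {"internet", "corporate-it"}
INSECURE_PROTOCOLS = {"modbus/tcp", "dnp3", "telnet", "http", "ftp", "vnc"}


def audit(conn: Connection) -> list:
    """Return the principle gaps found for one connection (empty list = none found)."""
    findings = []
    if not conn.justification.strip():
        findings.append("P1: no documented business use case")
    if not conn.owner.strip():
        findings.append("P1: no accountable senior owner")
    if conn.eol and not conn.compensating_controls:
        findings.append("P1/P2: obsolete endpoint without segmentation, boundary or monitoring controls")
    if conn.direction == "inbound":
        if not conn.brokered:
            findings.append("P2: inbound connection not brokered through a secure gateway")
        if conn.source_zone in EXTERNAL_ZONES and not conn.jit_access:
            findings.append("P2: standing access from outside OT; use just-in-time access")
    if conn.protocol.lower() in INSECURE_PROTOCOLS and conn.source_zone in EXTERNAL_ZONES:
        findings.append("P2: insecure protocol exposed beyond the OT boundary")
    if conn.wireless and not conn.compensating_controls:
        findings.append("P2: wireless path without compensating controls")
    return findings


def audit_register(register) -> dict:
    """Map each connection name to its list of findings."""
    return {c.name: audit(c) for c in register}


def rank_by_exposure(register) -> list:
    """Connection names ordered by number of findings, worst first (ties keep register order)."""
    results = audit_register(register)
    return sorted(results, key=lambda name: -len(results[name]))


# Constructed sample register (hypothetical plant; all values are made up)
SAMPLE_REGISTER = [
    Connection("historian-replication", "ot-level3", "corporate-it", "outbound", "https", True,
               "Push process data to the enterprise historian for reporting", "Plant Manager",
               False, ["data diode"]),
    Connection("vendor-remote-support", "internet", "ot-level2", "inbound", "rdp", False,
               "Vendor troubleshooting of the turbine controller", "OT Security Lead", False, []),
    Connection("legacy-hmi-poll", "corporate-it", "ot-level1", "inbound", "modbus/tcp", False,
               "", "", True, []),
    Connection("wireless-sensor-uplink", "ot-level1", "ot-level2", "outbound", "mqtt", True,
               "Vibration telemetry from pump skid sensors", "Maintenance Manager", False, [],
               wireless=True),
]


if __name__ == "__main__":
    results = audit_register(SAMPLE_REGISTER)
    for name in rank_by_exposure(SAMPLE_REGISTER):
        print(f"{name}: {len(results[name])} finding(s)")
        for finding in results[name]:
            print(f"  - {finding}")
```

Running the block lists the connections worst-first; an entry with no findings is not "safe", only documented and brokered as the guidance asks, so the ranking is a review aid rather than a risk score.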
Principle 3: Centralize and standardize network connections
Principle three encourages organizations to standardize their network connections to combat the ever-present decentralized, inconsistent, and needlessly complex connections that introduce risk. The guidance recommends:
- Flexibility
Maintain a robust change management process to protect against emerging threats by continuously evaluating and refining connectivity and controls. Organizations must select products with ongoing support to adapt to regulatory changes and newer threat models.
- Repeatability
Connectivity models and plans should be standardized and reusable to reduce or eliminate the need for bespoke solutions that can lead to unnecessary and unexpected exposures.
- Categorized
While repeatability is necessary, distinctions in device and data types (across and within systems) allow selection of the most appropriate protections and controls for each system.
While more concise, the third principle should not be overlooked, given that complexity in systems can create unknown connections, leading to an increased attack surface.
Principle 4: Use standardized and secure protocols
OT system owners most often prioritize availability in the CIA (confidentiality, integrity, and availability) triad, especially in industrial or critical infrastructure environments. With that said, they should implement all components of the triad, including confidentiality and integrity, where possible.
The guidance suggests two main approaches:
Protocol Validation:
System owners should validate both the protocol and the data payloads within and between systems to ensure the traffic seen is expected and valid. The protocols in use and the payloads should be inspected at key trust boundaries, for example, the OT/IT boundary or between services, such as SCADA control software and a PLC. It is recommended that the validation of allowed traffic should be schema-based, that is, following a ‘known good’ model that only allows expected and desired traffic.
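Schema-based validation at a trust boundary means the inspector carries a description of the traffic that is supposed to exist and rejects everything else, rather than looking for known-bad signatures. The following is an added example (not code from the guidance or from runZero) that applies this to Modbus/TCP: it parses the MBAP header and the start of the PDU, checks the frame against a 'known good' list of flows (which client may send which function codes to which unit and register range), and denies by default. The host labels, the flow rules and the sample frames are constructed for illustration; the frame layout follows the public Modbus/TCP specification.

```python
"""Schema-based ('known good') allow-listing of Modbus/TCP requests at a trust boundary.

Added example, not code from the guidance or from runZero. Host labels, rules
and sample frames are constructed; the MBAP/PDU layout is the public Modbus/TCP one.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes used in this example
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass(frozen=True)
class KnownGoodFlow:
    """One expected flow: which client may send which functions to which unit/registers."""
    src: str                 # hypothetical client label, e.g. "hmi-01"
    dst: str                 # hypothetical PLC label
    unit_ids: frozenset
    functions: frozenset
    address_range: tuple     # inclusive (low, high) register/coil addresses


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and the start of the PDU; raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("MBAP protocol id must be 0")
    if length != len(frame) - 6:           # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    pdu = frame[8:]
    msg = {"tid": tid, "unit": unit_id, "function": function}
    if function in (READ_COILS, READ_HOLDING_REGISTERS, WRITE_MULTIPLE_REGISTERS):
        if len(pdu) < 4:
            raise ValueError("truncated address/quantity fields")
        msg["address"], msg["quantity"] = struct.unpack(">HH", pdu[:4])
    elif function == WRITE_SINGLE_REGISTER:
        if len(pdu) < 4:
            raise ValueError("truncated address/value fields")
        msg["address"], msg["value"] = struct.unpack(">HH", pdu[:4])
        msg["quantity"] = 1
    return msg


def validate(src: str, dst: str, frame: bytes, flows) -> tuple:
    """Default deny: a request passes only if it matches a known-good flow in full."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as err:
        return False, f"malformed frame: {err}"
    for flow in flows:
        if (flow.src, flow.dst) != (src, dst):
            continue
        if msg["unit"] not in flow.unit_ids or msg["function"] not in flow.functions:
            continue
        low, high = flow.address_range
        first = msg.get("address", low)
        last = first + msg.get("quantity", 1) - 1
        if low <= first and last <= high:
            return True, "matches known-good flow"
        return False, f"addresses {first}-{last} outside allowed {low}-{high}"
    return False, "no matching flow (default deny)"


def build_request(tid: int, unit_id: int, function: int, address: int, count_or_value: int) -> bytes:
    """Encode a request frame; used here only to construct sample traffic."""
    pdu = struct.pack(">BHH", function, address, count_or_value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


# Constructed schema: the HMI may only read holding registers 100-199 on unit 1 of plc-01
SAMPLE_FLOWS = [
    KnownGoodFlow("hmi-01", "plc-01", frozenset({1}), frozenset({READ_HOLDING_REGISTERS}), (100, 199)),
]

# Constructed sample traffic as seen at the boundary
SAMPLE_TRAFFIC = [
    ("hmi-01", "plc-01", build_request(1, 1, READ_HOLDING_REGISTERS, 100, 10)),    # expected poll
    ("hmi-01", "plc-01", build_request(2, 1, WRITE_SINGLE_REGISTER, 150, 0xFFFF)), # write not in schema
    ("hmi-01", "plc-01", build_request(3, 1, READ_HOLDING_REGISTERS, 100, 200)),   # reads past 199
    ("eng-ws-07", "plc-01", build_request(4, 1, READ_HOLDING_REGISTERS, 100, 1)),  # client not in schema
    ("hmi-01", "plc-01", build_request(5, 1, READ_HOLDING_REGISTERS, 100, 1)[:9]), # truncated frame
]


def evaluate_samples() -> list:
    """Decision (allowed, reason) for each constructed sample frame."""
    return [validate(src, dst, frame, SAMPLE_FLOWS) for src, dst, frame in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for (src, dst, _), (ok, why) in zip(SAMPLE_TRAFFIC, evaluate_samples()):
        print(f"{src} -> {dst}: {'ALLOW' if ok else 'DENY'} ({why})")
```

Only the first frame passes; a write, an over-long read, an unlisted client and a malformed frame are all denied with a reason that can be logged at the boundary. The same structure applies to other industrial protocols once their header and request fields are parsed.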
Industrial Protocols:
When evaluating what industrial protocols to use in your OT system, you should:
- Use modern, secure versions of protocols (CIP Security vs CIP or DNP3-SAv5 vs DNP3) that support cryptographic protections for integrity.
- Implement protocols that use open standards to allow for vendor-agnostic solutions and to avoid vendor lock-in and bespoke implementations.
- If insecure protocols are utilized, require a business use case for their use and implement compensating controls to manage the risk.
- Restrict OT protocols to isolated OT network segments, blocking or, when necessary, brokering external connections.
OT system owners need to implement modern and secure OT protocols to reduce the attack surface of their environments.
How runZero helps
When implemented correctly, these first four principles create a structured, repeatable approach to designing OT connectivity that simultaneously supports operational goals and strengthens cybersecurity posture.
runZero helps OT system owners implement these principles by:
- Providing an asset inventory of OT, IoT, and IT assets
You can’t protect what you can’t see. runZero’s asset inventory enables system owners to see everything on the network.
- Obsolete device detection
runZero natively provides EOL information for devices. In cases where EOL information is unavailable, runZero provides deep asset-level insight, including software and hardware version information. This allows system owners to know exactly what is on the network.
- Detection of protocols and ports
With safe active scanning, runZero enables system owners to find the open ports and protocols on devices that may have been missed by other methods.
- Segmentation validation
runZero can empower OT system owners to validate their network segmentation, ensuring their OT systems are not erroneously or incorrectly connected to the IT network.
- Exposure management
runZero’s unauthenticated scanning provides a unique opportunity for system owners to uncover risks and exposures that matter. Instead of focusing on vulnerabilities that will never be exploited, runZero surfaces the problems that plague OT systems: obsolete protocols, misconfigurations, exposed admin interfaces, and more.
In OT environments — where uptime, safety, and reliability are paramount — these four foundational principles, along with runZero, empower OT system owners to reduce their attack surface and keep their critical infrastructure secure.
Stay tuned for our third and final blog in this series as we discuss the final four principles from the guidance.