WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) today released a new guide to help operational technology (OT) owners and operators implement secure communications and advise OT manufacturers on reducing barriers and improving usability. The guide, Barriers to Secure OT Communications: Why Johnny Can’t Authenticate, was developed from interviews with control systems stakeholders, asset owners and operators across sectors including Water and Wastewater Systems, Transportation Systems, Chemical, Energy, and Food and Agriculture Sectors.
Many OT owners and operators continue to use insecure legacy industrial protocols that lack basic authentication and integrity checks. With insecure communications, threat actors can impersonate a device or modify a message in transit to an OT device. Secure versions of industrial protocols have been available for over two decades; however, a variety of barriers have prevented the control systems community from widely adopting these protocols which enable secure communication.
“Adopting secure communications in OT environments is a long-term effort with complexities, costs and risks. Over the past year, CISA conducted customer-led research to create this secure communication guide,” said CISA Acting Director Madhu Gottumukkala. “CISA encourages asset owners and operators, system integrators, service providers, and OT manufacturers to review this guide and collaborate together to implement secure communication.”
This guide provides insightful information on why secure communication is not widely adopted and offers actionable recommendations for OT owners, operators and manufacturers to overcome key barriers that include:
- Cost and complexity issues through procurement, deployment and maintenance
- Latency and bandwidth concerns
- Inspection issues from encryption
- Interoperability and legacy product issues
“There is a critical need for OT environments to use secure communication that protects against threats like actor-in-the-middle attacks and unauthorized updates,” said CISA Executive Assistant Director for Cybersecurity Nick Andersen. “This guide demonstrates CISA’s commitment to collaborate with industry and government partners to develop tangible outcomes that strengthen security and build trust. We encourage the control systems community to review and implement recommended actions in this guide.”
Asset owners and integrators should use this guidance to avoid disruptions from secure communication and identify what to prioritize when procuring new components. OT manufacturers should use the lessons from this customer research to reduce customer friction with security and ultimately create a more usable and safer product.
This guidance expands on the security communication concepts in CISA’s joint guide, Secure by Demand: Priority Considerations for OT Owners and Operators When Selecting Digital Products, including key questions owners and operators should be asking OT product manufacturers.
For more information and resources, please visit CISA’s Industrial Control Systems webpage.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.