WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA), United Kingdom’s National Cyber Security Centre (NCSC-UK), Federal Bureau of Investigation (FBI) and international partners released Secure Connectivity Principles for Operational Technology. This joint guidance, led by NCSC-UK, helps organizations mitigate exposed and insecure connectivity and protect networks from highly capable and opportunistic cyber threat actors, including nation state-sponsored actors.
Operational technology (OT) network environments are increasingly interconnected, delivering benefits like real-time analytics, remote monitoring and predictive maintenance. However, this connectivity also heightens the risk of cyber intrusions that could cause physical harm or environmental damage, or disrupt essential services. This guide offers owners and operators a framework with clear goals for designing secure connectivity into their environments.
“This guide underscores CISA’s unwavering commitment to working hand-in-hand with U.S. and international partners to provide timely, actionable cybersecurity guidance. By providing OT organizations with practical steps to design, secure, and manage connectivity in OT environments, we help defend critical infrastructure against malicious and state-sponsored cyber threats,” said CISA Executive Assistant Director for Cybersecurity Nick Andersen. “Together with our partners, CISA also urges OT device manufacturers and integrators to embrace secure-by-design principles because building security in from the start is the most effective way to reduce risk and safeguard the nation’s vital systems.”
“As operational technology systems benefit from greater connectivity and attract more attention from adversaries, it is vital cyber security is treated as a foundational requirement that supports physical safety outcomes, uptime and service continuity,” said NCSC Chief Technology Officer Ollie Whitehouse. “Co-created with international partners and with extensive industry collaboration, the new NCSC guidance offers a clear, practical framework for designing and maintaining secure connectivity, reducing attack surface and boosting resilience. We strongly recommend OT practitioners worldwide follow the eight key principles to help make confident, security-led decisions that will safeguard critical services and strengthen trust in connected systems.”
“Operational Technology systems quietly power the essential services Americans rely on every day, making their secure connectivity a matter of national importance,” said FBI Cyber Assistant Director Brett Leatherman. “This joint guide serves as a reminder that OT systems are uniquely vulnerable and increasingly targeted, which is why timely mitigation and shared defenses are critical to staying ahead of the threat.”
With our U.S. and international partners, CISA strongly encourages organizations to review this joint guide, assess their OT connectivity and implement the recommended mitigations to strengthen critical infrastructure defenses against these opportunistic threats.
This guide reinforces CISA’s collaboration in action with both international and domestic partners to advance cybersecurity for OT and industrial control systems. In addition to NCSC-UK and FBI, this joint guide was developed in collaboration with:
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- Canadian Centre for Cyber Security (Cyber Centre)
- German Federal Office for Information Security (BSI)
- Netherlands National Cyber Security Centre (NCSC-NL)
- New Zealand National Cyber Security Centre (NCSC-NZ)
For more information, please visit the Industrial Control Systems page on CISA.gov.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.