
    NCSC-led global guidance sets out principles for designing secure connectivity into OT networks

    Global cybersecurity agencies have released joint guidance, led by the U.K.’s National Cyber Security Centre (NCSC), providing owners and operators with a goal-oriented framework for designing secure connectivity into their environments. The guidance is intended to help asset owners respond to growing business demands and regulatory pressure to connect OT networks while managing the associated cyber risk.

    The ‘Secure Connectivity Principles for Operational Technology’ document sets out eight core principles that organizations can use to design, secure, and manage connectivity into OT (operational technology) environments. These principles are particularly critical for operators of essential services, where insecure or poorly governed connectivity can have safety, reliability, and national security consequences. Taken together, the principles aim to reduce exposed and insecure connections and protect OT networks from both highly capable and opportunistic cyber threat actors, including those backed by nation states.

    Produced by the NCSC, in partnership with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (Cyber Centre), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), Germany’s Federal Office for Information Security (BSI), the Netherlands’ National Cyber Security Centre (NCSC-NL), and New Zealand’s National Cyber Security Centre (NCSC-NZ), these principles are intended as goals rather than minimum requirements. System owners should use them as a framework to design, implement, and manage secure OT connectivity for both new and existing OT systems.

    Integrators and device manufacturers are encouraged to make these principles easier for organizations to achieve by providing products that are secure by design and easy to implement and maintain. Integrators and manufacturers should also provide the documentation organizations need to assess connectivity risks.

    The guidance begins by urging organizations to balance the risks and opportunities associated with connecting OT environments, recognizing that connectivity can deliver operational value while also introducing new cyber risks. It then emphasizes the need to limit the exposure of connectivity by reducing unnecessary access paths and tightly controlling how systems communicate.

    Organizations are also encouraged to centralize and standardize network connections to improve visibility, consistency, and governance across OT environments. The guidance calls for the use of standardized and secure protocols to reduce complexity and minimize the likelihood of misconfigurations or weak security controls.

    Strengthening the OT boundary is another core principle, aimed at preventing unauthorized access and containing threats before they reach critical systems. In the event of a compromise, the framework stresses the importance of limiting its impact through segmentation, containment, and resilience measures.

    Finally, the guidance underscores the need to ensure that all connectivity is logged and continuously monitored, enabling timely detection and response. It concludes by recommending that organizations establish a clear isolation plan so systems can be safely disconnected if a cyber incident threatens operational integrity or safety.

    “This guide underscores CISA’s unwavering commitment to working hand-in-hand with U.S. and international partners to provide timely, actionable cybersecurity guidance. By providing OT organizations with practical steps to design, secure, and manage connectivity in OT environments, we help defend critical infrastructure against malicious and state-sponsored cyber threats,” Nick Andersen, CISA’s executive assistant director for cybersecurity, said in a media statement. “Together with our partners, CISA also urges OT device manufacturers and integrators to embrace secure-by-design principles because building security in from the start is the most effective way to reduce risk and safeguard the nation’s vital systems.” 

    “As operational technology systems benefit from greater connectivity and attract more attention from adversaries, it is vital cyber security is treated as a foundational requirement that supports physical safety outcomes, uptime, and service continuity,” according to Ollie Whitehouse, NCSC’s chief technology officer. “Co-created with international partners and with extensive industry collaboration, the new NCSC guidance offers a clear, practical framework for designing and maintaining secure connectivity, reducing attack surface, and boosting resilience. We strongly recommend OT practitioners worldwide follow the eight key principles to help make confident, security-led decisions that will safeguard critical services and strengthen trust in connected systems.” 

    “Operational Technology systems quietly power the essential services Americans rely on every day, making their secure connectivity a matter of national importance,” said Brett Leatherman, FBI cyber assistant director. “This joint guide serves as a reminder that OT systems are uniquely vulnerable and increasingly targeted, which is why timely mitigation and shared defenses are critical to staying ahead of the threat.” 

    “By systematically applying these principles to all connections – whether new, revised, or existing – you can reduce your attack surface, improve incident response options, and maintain the trust and safety of your operations,” David G, security architect at NCSC, wrote in a blog post. “The stronger your connectivity design, the harder it becomes for adversaries to cause disruption – whether their target is your data, your process, or the critical services your OT supports. We encourage OT owners, operators, integrators, and vendors to put these principles into practice.”

    The document identified that OT connectivity should be designed with operational resilience in mind and not compromise the safety, reliability, or availability of OT systems. This means understanding how systems behave under failure conditions and ensuring that critical functions are not overly reliant on fragile or non-resilient links. 

    The agencies noted that a risk management framework supports decision-makers by helping them identify, assess, and prioritize potential threats, leading to more informed choices and more resilient systems. It also promotes consistency and accountability by establishing structured processes for evaluating risk and applying mitigation measures across the organization.

    Applying a comprehensive risk management process ensures that connectivity decisions are assessed against the organization’s defined risk appetite and the prevailing threat environment. It also ensures that cyber, safety, and physical risks are consistently considered together, rather than in isolation, when designing and approving connectivity into OT environments.

    They also highlighted that it is ‘particularly important’ to manage supply chain risk when procuring new products. This includes ensuring that devices are secure by design and developed following a secure product development lifecycle, which reduces the risk of introducing vulnerabilities through third-party components or insecure design practices. Several supply chain factors may affect an organization’s ability to implement effective secure connectivity, including its ability to influence suppliers, contractual controls, component visibility, supplier trustworthiness, and track record.

    The agencies called for all connections with the OT environment to be initiated as outbound connections from within the OT environment. This helps avoid exposing inbound ports on the OT network perimeter or between internal zones, which can increase security risk. Obsolete devices pose a known and increasing security risk, making them unsuitable for direct external connectivity beyond the OT network boundary.

    To manage the risks associated with connectivity to obsolete or unsupported devices, organizations should rely on indirect access to external networks supported by strong compensating controls. These measures help reduce exposure while maintaining essential operational connectivity. A foundational control is network segmentation, which isolates the obsolete device from the wider OT environment using logical or physical separation. This approach limits lateral movement and reduces the potential impact of a compromise.

    Trusted boundary controls should also be deployed between obsolete devices and external systems. These controls rely on up-to-date, security-hardened components that can mediate and inspect traffic before it reaches the device. Inbound port exposure should be eliminated wherever possible, and connectivity should be restricted to only what is operationally necessary. Finally, all interactions with obsolete devices should be comprehensively logged and monitored to detect anomalous or suspicious behavior and to support a timely response if an incident occurs.

    The document recognized that the connectivity models of OT systems can be complicated, involving various stakeholders such as business systems, billing platforms, and external vendors responsible for ongoing maintenance. As organizations evolve, these connectivity models often become more complex, adapting to new business requirements or integrating modernized processes. This increasing complexity can significantly expand the organization’s attack surface, making it harder to monitor, control, and secure communications across the OT environment. Each additional connection, especially if implemented in an ad hoc or bespoke manner, introduces potential vulnerabilities that attackers can exploit. 

    Centralizing and standardizing connectivity helps address this challenge by consolidating access points and enforcing uniform security controls across the OT estate. A centralized architecture enables consistent monitoring, logging, and enforcement of security policies, reducing the management overhead of cybersecurity. Standardization ensures that all connections follow a repeatable and well-understood pattern, reducing the risk of misconfigurations and simplifying the deployment of protective measures such as encryption, authentication, and segmentation. To manage the attack surface, OT remote connectivity must be flexible, repeatable, and categorized.

    The advisory also states that when evaluating industrial protocols within the OT environment, organizations should default to the latest secure versions of industrial protocols (e.g., DNP3 to DNP3-SAv5, CIP to CIP Security, Modbus to Modbus Security, OPC DA to OPC UA). They should ensure that protocols support cryptographic protections for authenticity and integrity, such as digital signatures; prefer protocols that support open standards and interoperability to facilitate vendor-agnostic solutions; and require a business case for any use of insecure protocols within the environment, making their use the exception rather than the norm.

    Furthermore, where an organization has insecure industrial protocols in use, it should establish a roadmap for migration to secure industrial protocol variants, so that migration is considered during asset uplifts and system maintenance.

    The agencies also detailed that industrial control protocols (Modbus, OPC DA, EtherNet/IP, etc.) should be restricted to isolated OT network segments. External connections for data exchange between OT and IT should be brokered through a DMZ and use secure, standardized protocols designed for interoperability (such as OPC UA over TLS, MQTT over TLS, or HTTPS). Where operational data needs to be shared, the OT historian should be replicated to a historian instance in the DMZ via a unidirectional, secure transfer mechanism, ensuring no inbound connectivity from IT to OT. IT systems should then query the DMZ historian via a secure HTTP-based API with strong authentication, rather than directly accessing OT systems.
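    The connectivity principles summarized above (outbound-only initiation from OT, DMZ brokering of IT/OT exchange, industrial protocols confined to OT segments, and migration from insecure protocol variants) can be turned into a design-review check. The following is an added example, not code from the guidance or the agencies; the zone names, the `Connection` record and the sample inventory are constructed for illustration.

```python
"""Review an OT connectivity inventory against the guidance's connectivity principles."""
from dataclasses import dataclass

# Legacy industrial protocols and the secure variants the guidance names as defaults.
SECURE_VARIANT = {"DNP3": "DNP3-SAv5", "CIP": "CIP Security",
                  "Modbus": "Modbus Security", "OPC DA": "OPC UA"}
# Industrial control protocols that should stay inside isolated OT segments.
OT_ONLY_PROTOCOLS = {"Modbus", "OPC DA", "EtherNet/IP", "DNP3", "CIP"}
OT_ZONES = {"OT"}  # assumed zone label for OT segments

@dataclass
class Connection:
    name: str
    initiator_zone: str   # zone that opens the connection: "OT", "DMZ", "IT", "Vendor" (assumed labels)
    responder_zone: str
    protocol: str
    business_case: bool = False  # documented exception for an insecure protocol

def review(conn):
    """Return the findings for one connection (empty list means it meets the principles)."""
    findings = []
    src, dst = conn.initiator_zone, conn.responder_zone
    # Connections with OT are initiated outbound from within OT; no inbound ports on the boundary.
    if dst in OT_ZONES and src not in OT_ZONES:
        findings.append("inbound connection into OT; initiate it outbound from OT instead")
    # OT/IT data exchange is brokered through a DMZ, never direct in either direction.
    if {src, dst} == {"OT", "IT"}:
        findings.append("direct IT<->OT connection; broker it through the DMZ")
    # Industrial control protocols stay within isolated OT segments.
    if conn.protocol in OT_ONLY_PROTOCOLS and not (src in OT_ZONES and dst in OT_ZONES):
        findings.append(f"{conn.protocol} crosses the OT boundary; use a standardized secure protocol")
    # Insecure protocol variants need a business case and a migration target.
    if conn.protocol in SECURE_VARIANT and not conn.business_case:
        findings.append(f"insecure {conn.protocol} without business case; migrate to {SECURE_VARIANT[conn.protocol]}")
    return findings

def review_inventory(connections):
    return {c.name: review(c) for c in connections}

# Constructed sample inventory: the DMZ historian pattern from the guidance plus common anti-patterns.
SAMPLE = [
    Connection("historian-replication", "OT", "DMZ", "OPC UA"),            # outbound push from OT
    Connection("it-reporting-query", "IT", "DMZ", "HTTPS"),               # IT reads the DMZ historian
    Connection("vendor-remote-plc", "Vendor", "OT", "Modbus"),            # inbound + legacy protocol
    Connection("erp-direct-poll", "IT", "OT", "OPC DA"),                  # direct IT->OT access
    Connection("legacy-rtu-poll", "OT", "OT", "DNP3", business_case=True),  # documented exception
]

if __name__ == "__main__":
    for name, found in review_inventory(SAMPLE).items():
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```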

    Hardening the OT boundary requires reducing unnecessary exposure while enforcing strong, consistent access controls across all forms of connectivity. Systems should be configured to expose only the services and ports required for operation, limiting the attack surface and reducing opportunities for exploitation. External access to OT environments should be protected with phishing-resistant multi-factor authentication to prevent unauthorized control actions and protect sensitive information.

    Default credentials should never be present on deployed devices, particularly those accessible from external or public networks. Strong password policies are essential to ensure secure credential generation, storage, and lifecycle management. Access controls should also be governed by the principle of least privilege so that both human-to-machine and machine-to-machine connections are limited to the minimum permissions required. User-based access should generate auditable, identity-specific records and be tightly integrated with joiner, mover, and leaver processes to ensure access is removed when roles change or personnel depart.

    Where feasible, context-aware access controls should be applied to external connectivity decisions, taking into account factors such as device type, configuration, location, and behavioral patterns. Connectivity introduced or implemented by third parties should meet the organization’s defined security requirements and align with its OT architecture and risk expectations.

    Limiting the direction of data flows is another critical control. Outbound-only or unidirectional connectivity reduces the influence of external systems on OT environments and helps preserve operational independence. In higher-risk environments, hardware-based controls may be required to provide stronger assurance. Cross-domain architectures can support tightly controlled bidirectional data flows across trust boundaries by combining layered security controls with hardware enforcement at critical points.

    Data diodes can further enforce unidirectional communication through physical design, preventing accidental or malicious re-enablement of bidirectional traffic. However, data diodes alone provide directionality rather than comprehensive security and should not be treated as a complete cross-domain solution. Architectures that rely on software parsing of untrusted content or that attempt to simulate bidirectional communication through paired diodes introduce significant risk and are widely regarded as unsafe design patterns.

    Modern OT networks should be designed with security controls that extend beyond the OT boundary and apply in multiple layers. This layered approach reduces the potential impact of insider threats, third-party access, and external compromise by preventing a single failure from cascading across the environment.

    For OT connectivity, these defenses primarily address two interconnected risks – contamination and lateral movement. Contamination occurs when malicious code, compromised data, or insecure configurations are unintentionally or unlawfully introduced into trusted environments. Lateral movement refers to the techniques attackers use to expand access after an initial breach. This includes mapping internal systems, compromising additional assets, and escalating privileges, often using stolen credentials. 

    The agencies pointed out that organizations must make compromise detection easier by implementing comprehensive logging and monitoring throughout the OT environment. These logs will help the organization establish a baseline of ‘normal’ activity, allowing operators or detection systems to identify abnormalities faster. The end goal of logging should extend beyond data collection. 

    Effective logging begins with an understanding of how attackers may attempt to exploit systems by identifying weak points, and then designing monitoring and alerting to detect those behaviors. This approach helps determine which logs and packet captures are necessary to support meaningful monitoring and alerting rules.

    Continuous monitoring of data flows within and between network segments is essential for validating segmentation policies and identifying early signs of compromise or control misconfiguration.
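    The monitoring goal described in the last three paragraphs, a baseline of normal activity plus continuous validation of segmentation policy from flow records, can be sketched as follows. This is an added example rather than anything from the guidance; the flow-log line format, the zone labels, the `ALLOWED_FLOWS` policy and the log contents are all constructed for illustration.

```python
"""Check OT flow logs against a segmentation policy and a learned baseline of normal traffic."""
from collections import Counter

# Assumed segmentation policy: (source zone, destination zone) pairs allowed to open connections.
# Nothing is allowed to initiate into OT from outside, so any such flow is a policy breach.
ALLOWED_FLOWS = {("OT", "OT"), ("OT", "DMZ"), ("IT", "DMZ"), ("DMZ", "DMZ")}

def parse_flows(lines):
    """Parse constructed flow-log lines of the form '<time> <src_zone> <dst_zone> <proto> <dst_port>'."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than failing the whole batch
        time, src, dst, proto, port = parts
        flows.append((time, src, dst, proto, int(port)))
    return flows

def learn_baseline(flows):
    """Baseline of 'normal' = the (src_zone, dst_zone, proto, port) tuples seen in a trusted period."""
    return Counter((s, d, p, port) for _, s, d, p, port in flows)

def evaluate(flows, baseline):
    """Return (violations, novelties): segmentation breaches and allowed-but-unseen behaviour."""
    violations, novelties = [], []
    for time, src, dst, proto, port in flows:
        if (src, dst) not in ALLOWED_FLOWS:
            violations.append(f"{time} {src}->{dst} {proto}/{port}: segmentation policy breach")
        elif (src, dst, proto, port) not in baseline:
            novelties.append(f"{time} {src}->{dst} {proto}/{port}: not in baseline, review")
    return violations, novelties

# Constructed sample logs (not real data): a trusted learning window, then a live window.
BASELINE_LOG = [
    "T0 OT DMZ opcua 4840",
    "T0 IT DMZ https 443",
    "T0 OT OT modbus 502",
]
LIVE_LOG = [
    "T1 OT DMZ opcua 4840",   # normal historian replication
    "T1 IT OT opcda 135",     # IT reaching straight into OT: policy breach
    "T1 OT IT https 443",     # OT talking directly to IT, bypassing the DMZ
    "T1 OT DMZ ssh 22",       # allowed direction, but never seen in the baseline
    "T1 bad line",            # malformed record, ignored
]

def run():
    return evaluate(parse_flows(LIVE_LOG), learn_baseline(parse_flows(BASELINE_LOG)))

if __name__ == "__main__":
    violations, novelties = run()
    print("\n".join(violations + novelties))
```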

    The advisory outlined that, in certain circumstances, it may be necessary to isolate OT environments from external influences. “This need can arise from various factors, including increased threats or confirmed compromises within connected systems. The isolation process for the system should consider any potential impacts to wider business or any national interdependencies. This plan should be linked to and part of your wider business continuity plans. It should be regularly tested to ensure that the system works as intended, and does not impact your organisation’s services.”

    It added that OT systems that provide critical functions should, where possible, be designed to facilitate isolation, allowing them to function independently of external dependencies. It is essential to incorporate isolation planning into the system design process to prevent any unintended consequences that may arise from isolation measures.
