CISA, Peers Provide OT Connectivity Principles


The document is hosted by the National Cyber Security Centre, part of the U.K.'s Government Communications Headquarters. | Bthebest, CC BY-SA 3.0, via Wikimedia Commons
CISA and several international peer organizations published a list of principles to guide operational technology cybersecurity measures.

To help critical infrastructure organizations strengthen their cybersecurity postures, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and several foreign counterparts have provided a set of principles to guide internet connectivity for operational technology environments.

The Secure connectivity principles for operational technology (OT) document was published Jan. 14 with contributions from CISA, the FBI, the Australian Signals Directorate, Germany’s Federal Office for Information Security, the Canadian Centre for Cyber Security and Communications Security Establishment, and the National Cyber Security Centres of the U.K. and New Zealand. The U.K. NCSC hosted the document on its website.

OT assets — which interact with the physical environment or manage devices that do so, according to the National Institute of Standards and Technology — have traditionally been separated from internet-connected systems for security reasons, but in today’s industrial landscape are increasingly integrated with information technology networks to increase business efficiencies.

Such integration can create security risks for reasons including “dependence on legacy technologies that were never designed for modern connectivity or security requirements,” along with the use of third-party tools, remote access and supply chain integrations that “expand the potential attack surface,” the agencies wrote. The risks of cyber intrusion are “elevated” in an OT environment because the consequences can include disruption of essential services, environmental impact and physical harm to employees and customers.

Experts have warned that OT networks are increasingly vulnerable to attack. Cybersecurity firm Dragos identified multiple new adversary groups in its annual Year in Review report, at least one of which demonstrated the capability to meaningfully attack industrial control systems. (See Dragos: Attacks on ICS Increased in 2024.)

In a later case study, the firm reported that the China-connected hacking group Voltzite had infiltrated a U.S. electric utility’s computer system in 2023. (See Dragos Outlines Voltzite Electric Utility Breach.)

8 Principles

The new document organizes its guidance into eight principles, to be used “as a framework to design, implement and manage secure OT connectivity.” The agencies encourage device manufacturers and integrators to make the principles easy to achieve through equipment design and documentation.

The first principle is balancing risks and opportunities when identifying where and how connectivity is permitted within OT systems. Entities should develop a business case that supports decision-making and documents the purpose of the connectivity, the potential impacts of a compromise of that connectivity, the senior risk owners and any dependencies the connection may introduce. Organizations must also exercise control and oversight of their supply chains; the agencies pointed to previous publications to help with this, including CISA’s Secure by Demand guidance.

Principle 2 is limiting the exposure of the connectivity; exposure means “where an asset sits within the wider system architecture and how accessible it is to external or adjacent networks,” according to the document. An organization’s attack surface broadens as more assets are exposed at the network edge. An effective exposure management approach involves evaluating an asset’s placement in the network, the type of connectivity it involves and the strength of cybersecurity controls.

Mitigation measures can include reducing the time of exposure and removing inbound port exposure so that connections to the OT environment can only be initiated from within the network. Entities must also manage the risks posed by obsolete technology, by replacing the relevant devices when possible and shoring up defenses around equipment that cannot be replaced yet.

The third principle is centralizing and standardizing network connections, which can be difficult to manage as the presence of third-party equipment on the system grows. This is also a factor in principle 4, which calls on entities to use standardized, secure protocols for communication so that data flows can be readily monitored for trouble signs.

Hardening the OT boundary is principle 5, with network segmentation and segregation providing “a robust first layer of defense [and being] even more effective when combined with native security capabilities within OT systems.”

“Because many OT systems are difficult to update or replace, the boundary becomes the primary defense against external threats,” the agencies wrote. “Organizations should therefore invest in modern, modular and easily replaceable boundary assets. … These assets offer greater flexibility for patching, upgrading and reconfiguring security controls. Importantly, they can be maintained without disrupting core OT operations.”

Principle 6 involves limiting the impact of compromise with “controls that extend beyond the OT boundary.” With effective controls such as network segmentation, organizations can limit the spread of a compromise and inhibit intruders’ ability to move laterally within a system, the kind of lateral movement the China-linked Volt Typhoon group has recently demonstrated.

The next principle calls for logging and monitoring all connectivity, which the document called an organization’s “last line of defense.” Monitoring connectivity helps defenders identify abnormal activity that can indicate compromise.
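As an added example that is not part of the document or the agencies’ guidance, the following Python check applies principles 2, 3, 4 and 7 to firewall session logs: every permitted flow must be initiated from inside OT, pass through the industrial DMZ, use an approved protocol and port, and, for remote maintenance, fall within a narrow time window. The log format, addressing, zone layout and policy rules are constructed for illustration; the sample log lines are likewise constructed, not captured from any real site.

```python
"""Audit constructed firewall session logs against an OT connectivity policy.

Assumed log format (constructed for this example; one session start per line):
    <ISO timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>
The src address on each line is the host that initiated the session.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed zones (constructed addressing, not taken from the document).
ZONES = {
    "OT": ip_network("10.10.0.0/16"),    # control network
    "DMZ": ip_network("10.20.0.0/24"),   # industrial DMZ between OT and the enterprise
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    hours: tuple = (0, 24)  # permitted local hours [start, end); narrow for remote access


# Assumed policy: every permitted flow is initiated from inside OT (principle 2),
# terminates in the DMZ rather than the enterprise or internet (principle 3),
# and uses an approved protocol and port (principle 4). The SSH rule limits the
# time of exposure by allowing the maintenance jump only during business hours.
POLICY = [
    Rule("OT", "DMZ", "tcp", 4840),          # OPC UA to the DMZ aggregator
    Rule("OT", "DMZ", "tcp", 443),           # historian push over TLS
    Rule("OT", "DMZ", "tcp", 22, (8, 18)),   # maintenance SSH jump, 08:00-18:00 only
]


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXT"  # anything outside OT and DMZ: enterprise or internet


def parse_line(line: str):
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return (datetime.fromisoformat(ts), fields["src"], fields["dst"],
            fields["proto"], int(fields["dport"]))


def check_line(line: str):
    """Return None if the flow is permitted, else (violation kind, detail)."""
    ts, src, dst, proto, dport = parse_line(line)
    sz, dz = zone_of(src), zone_of(dst)
    detail = f"{ts.isoformat()} {src}->{dst} {proto}/{dport}"
    if dz == "OT" and sz != "OT":
        # Principle 2: connections into OT may only be initiated from within OT.
        return ("inbound-initiated", detail)
    if sz != "OT":
        return None  # flows that never touch OT are out of scope here
    for r in POLICY:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (sz, dz, proto, dport):
            if r.hours[0] <= ts.hour < r.hours[1]:
                return None
            return ("outside-window", detail)  # right flow, wrong time
    return ("not-in-policy", detail)  # unapproved protocol, port or destination


def audit(lines):
    """Run check_line over a log and return the list of violations (principle 7)."""
    return [v for v in (check_line(l) for l in lines if l.strip()) if v]


# Constructed sample log: two clean flows, then four violations.
SAMPLE_LOG = """\
2025-01-14T09:12:03 src=10.10.1.5 dst=10.20.0.10 proto=tcp dport=4840
2025-01-14T09:15:44 src=10.10.1.5 dst=10.20.0.11 proto=tcp dport=443
2025-01-14T02:30:00 src=10.10.1.9 dst=10.20.0.12 proto=tcp dport=22
2025-01-14T10:02:17 src=10.20.0.12 dst=10.10.1.9 proto=tcp dport=22
2025-01-14T10:05:51 src=10.10.1.7 dst=203.0.113.8 proto=tcp dport=502
2025-01-14T10:06:02 src=198.51.100.4 dst=10.10.1.7 proto=tcp dport=502
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_LOG.splitlines()):
        print(f"{kind:18} {detail}")
```

Run as-is, the sample produces four findings: an SSH jump outside its window, a DMZ host opening a session back into OT, a controller talking Modbus/TCP directly to an internet address, and an internet host reaching into OT. The first two lines are the only flows the policy accepts, which is the point of an allowlist at the boundary: anything not explicitly designed in is something to investigate.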

Finally, principle 8 calls on organizations to create a plan to isolate their OT environments completely from external influences. Strategies can vary based on the nature of the network. Site isolation, which involves removing all external network connections, is applicable for sites built on a flat network or with restricted security measures, while more robust security architectures may allow specific services and network routes to be isolated with others left unaffected.
