The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have jointly released comprehensive guidance on Secure Connectivity Principles for Operational Technology (OT) environments.
Published on January 14, 2026, this framework addresses mounting pressures on asset owners to balance network connectivity requirements with critical security needs.
As industrial and essential service operators face increasing demands for remote access, data integration, and cloud connectivity, the risk of cyberattacks on operational technology networks continues to escalate.
The new guidance provides a structured approach to managing these competing demands without compromising security posture.
This collaborative initiative between CISA and NCSC-UK represents a significant step toward standardizing OT connectivity security across critical infrastructure sectors.
Eight Guiding Principles for Secure OT Connectivity
The framework establishes eight principles designed to guide asset owners in designing, implementing, and managing secure connectivity into OT environments.
These principles serve as foundational security controls applicable across all critical infrastructure sectors, including energy, water systems, transportation, and healthcare.
| Principle | Core Goal |
|---|---|
| 1. Balance risks and opportunities | Document business cases assessing requirements, benefits, impacts, and obsolete product risks. |
| 2. Limit exposure | Use outbound-only connections, just-in-time access, and exposure management for admin interfaces.f |
| 3. Centralize and standardize | Consolidate access points for uniform controls; categorize flows as flexible, repeatable. |
| 4. Use secure protocols | Adopt crypto-agile standards like OPC UA; validate schemas at boundaries. |
| 5. Harden boundaries | Apply micro-segmentation, separation of duties, and DMZs to contain lateral movement. |
| 6. Limit compromise impact | Apply micro-segmentation, separation of duties, DMZs to contain lateral movement. |
| 7. Log and monitor all connectivity | Baseline normal activity for anomaly detection; integrate with SOC for break-glass alerts. |
| 8. Establish isolation plans | Develop site-specific strategies with hardware-enforced flows for critical data. |
Rather than imposing rigid technical specifications, the principles provide flexible guidance adaptable to diverse operational contexts and legacy system constraints.
The guidance holds particular significance for operators of essential services, who face regulatory scrutiny and operational demands for enhanced connectivity.
By following these principles, organizations can establish a defensible security architecture that addresses both business requirements and compliance obligations.
The framework supports a risk-based approach, enabling operators to assess threats while maintaining necessary operational functionality.
CISA and NCSC-UK recommend that critical infrastructure asset owners review the complete guidance documentation and conduct security assessments on line with the eight principles.
Organizations should prioritize evaluating existing OT network architectures against the framework and develop implementation roadmaps aligned with their operational contexts.
The complete Secure Connectivity Principles for Operational Technology guidance is available through NCSC-UK’s operational technology collection and linked through CISA’s cybersecurity best practices portal.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
