Joint US, UK and Five Eyes Guidance Flags OT Exposure as National Risk

U.S. and allied cyber agencies warned Wednesday in guidance aimed at locking down operational technology systems that insecure connectivity remains one of the fastest and most reliable ways for cyberthreat actors to disrupt industrial environments.
The FBI and Cybersecurity and Infrastructure Security Agency published the guidance alongside the U.K. National Cyber Security Centre and cyber authorities across the Five Eyes and Europe, laying out eight “secure connectivity principles” designed to reduce the attack surface created as OT environments become more connected for remote access, monitoring and data analytics.
Operational technology networks – which have historically remained isolated and engineered for safety and uptime – have increasingly become exposed in recent years as organizations connect legacy systems to IT networks, cloud platforms and third-party service providers. The agencies warned that the rapid shift has expanded opportunities for state-backed and opportunistic actors to move from cyber intrusion to physical disruption.
“These challenges are compounded by the increasing use of third-party vendors, remote access solutions and supply chain integrations, all of which expand the potential attack surface,” the guidance reads. It also warns that industrial networks are increasingly scanned, indexed and probed for weaknesses as connectivity expands beyond traditional plant boundaries.
The cyber agencies urge organizations to treat connectivity decisions as risk-based business decisions, recommending that every new connection be justified through a formal business case that documents operational benefits, acceptable risk thresholds, introduced dependencies and senior accountability. One recommendation calls for limiting exposure at the OT boundary by defaulting to outbound-only connections initiated from inside the network, rather than allowing inbound access.
Where external access is unavoidable, the agencies recommend brokered connections through hardened gateways to prevent direct exposure of assets. The guidance also takes direct aim at legacy and unsupported devices, warning that obsolete controllers and gateways often lack modern authentication, encryption and logging capabilities and should be treated as untrusted.
Multiple high-profile cyber incidents have disrupted critical infrastructure operations due to insecure or poorly segmented connectivity in recent years, including ransomware attacks that forced temporary shutdowns of energy pipelines, food processing plants and manufacturing operations after threat actors gained initial access through IT networks or remote access services. CISA has previously urged OT and critical infrastructure operators to reduce OT connections to the public internet, change default passwords, secure remote access to OT networks and segment IT and OT networks (see: OT Systems Exposed to Basic Hacks, CISA Warns).
The guidance calls on operators to further centralize and standardize remote connectivity rather than relying on ad hoc VPNs or alternate access paths, since fragmented architectures increase misconfigurations and reduce visibility. Centralized access points, the agencies said, allow for consistent authentication, session monitoring and logging across vendors and other use cases.
The guidance also warns that flat OT networks allow a single compromised device or credential to cascade across systems. By restricting communication paths to only what is operationally necessary, the agencies said operators can better reduce opportunities for lateral movement.
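The connectivity principles summarized above (outbound-only by default, brokered inbound access through a hardened gateway, legacy devices treated as untrusted, and communication paths restricted to what is operationally necessary) can be turned into a policy check that an operator runs against a proposed IT/OT boundary ruleset. The following script is an added example, not code from the guidance or from any of the agencies named above; the rule format, the OT address range, the gateway and legacy-asset addresses and the sample rules are all constructed assumptions.

```python
"""Audit an IT/OT boundary allow-list against the secure-connectivity principles.

Added example (not part of the guidance). Everything below is constructed:
the OT zone, the hardened gateway, the unsupported controller and the rules.
"""
import ipaddress
from dataclasses import dataclass

OT_ZONE = ipaddress.ip_network("10.20.0.0/16")            # assumed OT address space
BROKER_GATEWAYS = {ipaddress.ip_address("10.20.0.5")}     # assumed hardened access gateway
LEGACY_ASSETS = {ipaddress.ip_address("10.20.3.17")}      # assumed unsupported controller


@dataclass
class Rule:
    name: str
    src: str      # CIDR, single host, or "any"
    dst: str
    dport: str    # port number as text, or "any"
    action: str   # "allow" or "deny"


def _net(spec):
    """Parse a CIDR/host into an ip_network; None stands for 'any'."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _inside_ot(n):
    return n is not None and n.subnet_of(OT_ZONE)


def _reaches_ot(n):
    return n is None or n.overlaps(OT_ZONE)


def _single_host(n):
    return n is not None and n.num_addresses == 1


def audit_rule(rule):
    """Return finding codes for one rule; an empty list means it follows the principles."""
    if rule.action != "allow":
        return []                      # only permissive rules can widen the attack surface
    src, dst = _net(rule.src), _net(rule.dst)
    findings = []

    # A rule crosses the OT boundary if either side is 'any' or the sides sit in different zones.
    crosses = src is None or dst is None or (_inside_ot(src) != _inside_ot(dst))

    # Principle: inbound access into OT only through a brokered, hardened gateway.
    inbound = crosses and not _inside_ot(src) and _reaches_ot(dst)
    brokered = _single_host(dst) and dst.network_address in BROKER_GATEWAYS
    if inbound and not brokered:
        findings.append("INBOUND_UNBROKERED")

    # Principle: no flat network; any-to-any permits lateral movement across systems.
    if src is None and dst is None:
        findings.append("FLAT_NETWORK")

    # Principle: restrict communication paths to what is operationally necessary.
    if crosses and rule.dport == "any":
        findings.append("BROAD_PORTS")

    # Principle: treat legacy/unsupported devices as untrusted; they should not
    # be allowed to cross the boundary directly in either direction.
    for end in (src, dst):
        if crosses and _single_host(end) and end.network_address in LEGACY_ASSETS:
            findings.append("LEGACY_CROSSES_BOUNDARY")
            break
    return findings


def audit_ruleset(rules):
    """Map each rule name to its list of findings."""
    return {r.name: audit_rule(r) for r in rules}


# Constructed sample ruleset for a plant boundary firewall.
SAMPLE_RULES = [
    Rule("historian-push", "10.20.1.0/24", "10.10.5.10/32", "443", "allow"),   # OT -> IT, outbound
    Rule("vendor-rdp", "any", "10.20.2.0/24", "3389", "allow"),                # direct inbound RDP
    Rule("vendor-via-broker", "10.10.50.0/24", "10.20.0.5/32", "443", "allow"),  # inbound via gateway
    Rule("legacy-to-any", "10.20.3.17/32", "any", "any", "allow"),             # unsupported PLC outward
    Rule("catch-all", "any", "any", "any", "allow"),                           # flat network
    Rule("default-deny", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, findings in audit_ruleset(SAMPLE_RULES).items():
        print(f"{name:18s} {'OK' if not findings else ', '.join(findings)}")
```

The check deliberately treats "any" on either side as spanning the boundary, so a rule that looks harmless in isolation (a single legacy controller allowed to talk to "any") is still reported; in practice the OT zone, gateway and legacy-asset lists would come from the asset inventory rather than being hard-coded.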
