CISA Releases New OT Security Guidance for Legacy Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new guidance to address persistent security vulnerabilities in legacy Operational Technology (OT) systems vital to national infrastructure. The recommendations provide a framework for implementing secure communications by focusing on practical, usable solutions for asset owners, operators, and manufacturers who manage systems with older, less secure protocols.

The new guidance, detailed in a report titled Barriers to Secure OT Communication, outlines strategies for improving security across the design, deployment, and operational phases of OT environments. CISA acknowledges that many legacy protocols will remain in use until organizations can replace them with modern components. The agency emphasizes that securing these hybrid networks is a long-term effort that requires close collaboration between all stakeholders, including system integrators and service providers.

CISA’s research revealed widespread confusion among operators about the technical requirements of secure communication, particularly the distinction between signing and encryption. The guidance clarifies that signing ensures data integrity and authentication, while encryption provides confidentiality. According to the agency, signing should be prioritized and can be implemented without encryption, whereas encryption must be properly validated to be effective.
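To make the signing-versus-encryption distinction concrete, the following is an added example (not code from the CISA report or any OT vendor). It signs a constructed OT command frame so that a receiver can check integrity and origin, while leaving the command itself readable in transit. An HMAC over a pre-shared key stands in for the digital signature; a PKI-based deployment would use an asymmetric signature instead, but the receive-side checks are the same. The key, command text and sequence numbers are all constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo key. In a real deployment the key or certificate comes
# from the operator's key management / PKI process, not a literal in code.
DEMO_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def sign_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build seq || payload || tag.

    The payload is NOT encrypted: anyone on the network can read it.
    The tag lets the receiver detect alteration (integrity) and confirm the
    sender holds the key (authentication). The sequence number gives the
    receiver a way to reject replayed frames.
    """
    body = struct.pack(">I", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_frame(key: bytes, frame: bytes, last_seq: int) -> tuple[int, bytes]:
    """Return (seq, payload) for a valid, fresh frame; raise ValueError otherwise."""
    if len(frame) < 4 + TAG_LEN:
        raise ValueError("frame too short")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so tag checking does not leak timing information.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity/authentication check failed")
    seq = struct.unpack(">I", body[:4])[0]
    if seq <= last_seq:
        raise ValueError("replayed or stale frame")
    return seq, body[4:]


def _rejected(key: bytes, frame: bytes, last_seq: int) -> bool:
    """True if the receiver refuses the frame."""
    try:
        verify_frame(key, frame, last_seq)
    except ValueError:
        return True
    return False


def run_demo() -> dict:
    """Exercise the four properties the guidance distinguishes."""
    cmd = b"SET_VALVE_7 OPEN"                     # constructed command payload
    frame = sign_frame(DEMO_KEY, 1, cmd)

    # 1. A genuine, fresh frame is accepted and the payload recovered.
    seq, payload = verify_frame(DEMO_KEY, frame, last_seq=0)

    # 2. Signing gives no confidentiality: the command text is visible as-is.
    visible = cmd in frame

    # 3. An altered frame (same length, different command) fails the tag check.
    altered = frame.replace(b"OPEN", b"SHUT")

    # 4. A frame from a party without the key fails (device impersonation),
    #    and re-sending an already accepted frame fails (replay).
    impersonated = sign_frame(b"some-other-key", 2, cmd)

    return {
        "accepted_payload": payload,
        "accepted_seq": seq,
        "visible_in_clear": visible,
        "altered_rejected": _rejected(DEMO_KEY, altered, 0),
        "impersonated_rejected": _rejected(DEMO_KEY, impersonated, 0),
        "replay_rejected": _rejected(DEMO_KEY, frame, seq),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The point the code makes is the one the guidance makes: signing alone already blocks altered commands, forged senders and replays, which is why CISA says it can be prioritised without encryption. What it does not do is hide the command from an observer on the network; that requires encryption, which in turn must be validated separately.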

The primary motivations for operators to adopt secure communications are to ensure data integrity and prevent threats such as:

  • Actor-in-the-middle attacks
  • Unauthorized commands sent to equipment
  • Malicious firmware updates
  • Data inspection by adversaries on a compromised network

However, significant barriers hinder adoption. Operators reported that the complexity and expense of implementing and managing Public Key Infrastructure (PKI) often required third-party support. These burdens, weighed against other security priorities, frequently led organizations to choose more easily justifiable solutions like network segmentation or bolt-on security tools.

The guidance was developed in response to the inherent weaknesses of legacy Operational Technology protocols, which often lack modern protections against data alteration, device impersonation, and unauthorized access. These vulnerabilities expose critical infrastructure to a wide range of cyber threats. CISA aims to provide practical solutions that operators can implement now, rather than waiting for complete system overhauls, to mitigate the most pressing risks.

The guidance is advisory and does not specify a mandatory timeline for implementation across critical infrastructure sectors. Details regarding potential federal funding to assist organizations in adopting these security measures or any future compliance or reporting requirements remain unaddressed in the current release.

The agency is encouraging a collaborative effort to drive sustainable improvements in OT security. CISA calls on OT manufacturers to develop more usable, secure-by-design capabilities. For operators, the focus will be on strategically applying enhanced security to high-risk areas to enable practices like micro-segmentation, reduce spoofing risks, and simplify complex security workflows. The long-term objective is to build a more resilient and defensible industrial control system ecosystem.

Based on the CISA guidance, owners and operators of OT systems should consider the following actions:

  • Prioritize Signing: Implement data signing to ensure integrity and authentication, even if full encryption is not immediately feasible.
  • Distinguish Data Flows: Differentiate between encrypting sensitive network management functions, which is critical, and encrypting operational data, which can introduce latency and limit network inspection.
  • Conduct Risk-Based Assessments: Identify the highest-risk areas within the OT environment and strategically apply secure communication solutions there first.
  • Collaborate with Vendors: Engage with OT manufacturers and service providers to demand and implement solutions that simplify security management and support crypto-agility.
  • Review the Full Guidance: Download and review the complete “Barriers to Secure OT Communication” report to understand the research findings and detailed recommendations.
