Western Cyber Agencies Release Secure Connectivity Principles for Operational Technology
CISA, the UK NCSC, and multiple international partners released Secure Connectivity Principles for Operational Technology (OT) guidance aimed at reducing risk created by increased connectivity into industrial environments (e.g., industrial control systems, sensors, and other critical services). The guidance is positioned for operators of essential services facing business and regulatory pressure to enable remote monitoring and management, and it emphasizes that formerly air-gapped OT is now more exposed due to expanded remote access and IT/OT convergence.
The guidance highlights that insecure or exposed OT connectivity is being targeted by a broad range of adversaries, including ransomware groups, state-backed actors, and pro-Russia hacktivists conducting opportunistic attacks against global critical infrastructure. Recommended defensive themes include network segmentation, strong authentication, continuous monitoring, and minimizing remote access paths to prevent disruptive incidents with potential real-world safety and service-delivery impacts; CISA also solicited stakeholder feedback via a product survey. Separate opinion pieces discussing AI in critical infrastructure and power redundancy risks in OT, and an industry roundup of Chinese cybersecurity companies, do not provide additional reporting on this specific guidance release.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Western cyber agencies publish OT secure connectivity guidance
CISA, the UK NCSC, the FBI, and international partners released joint principles for securely connecting operational technology environments, warning that increased OT connectivity is expanding exposure to ransomware, state-backed actors, and hacktivists. The guidance recommends measures such as network segmentation, strong authentication, monitoring, and minimizing remote access to reduce the risk of disruptive or physically harmful incidents.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CISA, others issue guidance on industrial operational technology threats | SC Media
scworld.com
Open sourceGlobal Agencies Release New Guidance to Secure Industrial Networks - Infosecurity Magazine
infosecurity-magazine.com
Open sourceWestern cyber agencies warn about threats to industrial operational technology | The Record from Recorded Future News
therecord.media
Open sourceSecure Connectivity Principles for Operational Technology (OT) | CISA
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Infrastructure Cybersecurity Guidance and Architecture to Reduce Telecom and OT Attack Surfaces
A virtual briefing hosted by the Institute for Critical Infrastructure Technology (ICIT) argued that **telecom networks’ “crown jewels”**—including signaling pathways and subscriber identity/metadata—remain high-value targets, and that traditional perimeter defenses are insufficient against advanced adversaries. The session cited activity associated with China-linked threat actors **Salt Typhoon** and **Volt Typhoon** as illustrative of systemic telecom weaknesses, and promoted *privacy-first mobile-carrier* design choices (e.g., minimizing exposed identifiers and reducing the long-term value of compromised data) as concrete controls to reduce attack surface and limit blast radius. Separately, the U.K. **National Cyber Security Centre (NCSC)**, working with **CISA**, the **FBI**, and other international partners, released guidance titled **“Secure Connectivity Principles for Operational Technology”** aimed at reducing exposed and insecure connectivity in OT environments, including nuclear-sector contexts. The guidance outlines **eight foundational principles** intended to help organizations protect OT networks from highly capable and opportunistic actors, including **nation-state** threats, against a backdrop of accelerating IT/OT convergence and increasing rates of OT/ICS-impacting incidents reported across critical infrastructure.
Mar 21, 2026
Rising Risk of State-Linked Attacks on Power Grids and Operational Technology
Reporting highlighted growing concern that **state-affiliated and state-linked actors** are positioning for disruptive attacks against **operational technology (OT)** and critical infrastructure, with activity that may be difficult for operators to detect. A Codific analysis described five common pathways seen in disruptive grid-focused intrusions—often beginning with **human error or exposed perimeter services**, then escalating through **credential theft**, **remote access exploitation** (e.g., VPNs/gateways), **ransomware**, and misuse of **legitimate industrial commands** that can delay operations and complicate detection and recovery; it also warned that attacks on virtualized environments can hinder restoration efforts and that cascading impacts could be severe (e.g., Lloyd’s “Business Blackout” scenario estimating losses up to **$1T**). Recommended mitigations emphasized proven controls such as **phishing-resistant MFA** and **IT/OT segmentation**, rather than novel defenses. Separate commentary and media content also pointed to OT becoming a frontline in geopolitical escalation, including claims of a coordinated campaign tied to Iran-linked hacktivist activity targeting OT devices such as **Unitronics PLCs** used in water and industrial facilities, alongside psychological operations and SMS spoofing. Other items in the set were leadership/career/podcast-style content without specific incident or vulnerability detail and do not materially add to the OT/power-grid threat reporting.
Mar 21, 2026
Rising OT Threat From Credential Abuse and 'Living-off-the-Plant' Techniques
Security reporting and expert commentary warn that **operational technology (OT)** environments remain highly exposed due to fragile access controls and that attacker capability is trending toward more dangerous, process-aware operations. Lessons drawn from the 2015 **Ukraine power grid** disruption emphasize that remote connectivity, vendor access, and broad VPN permissions can become the “soft underbelly” of critical infrastructure, with recurring real-world examples of disruption tied to **misused remote access and stolen credentials** (including the **Colonial Pipeline** shutdown following a compromised password). The core takeaway is that OT systems are no longer “too specialized” to be targeted, and that common enterprise intrusion paths—credential compromise and remote access abuse—continue to translate into operational impact when they bridge into industrial environments. Separately, OT-focused threat analysis highlights early signs that attackers are gaining the “process comprehension” historically missing from many intrusions into industrial systems. A forthcoming RSA Conference 2026 presentation is expected to demonstrate **“living-off-the-plant”** techniques—analogous to living-off-the-land in IT—where adversaries leverage native industrial tooling and legitimate functions inside plants to blend in and potentially manipulate physical processes. The reporting argues that “security by obscurity” (attackers’ unfamiliarity with bespoke/legacy OT) has limited the severity of many incidents so far, but that this advantage is eroding as adversaries become more comfortable operating within industrial environments, increasing the risk of more consequential OT attacks.
Mar 21, 2026