US and UK Agencies Publish New Cybersecurity Guidance for Critical Infrastructure Environments
The National Institute of Standards and Technology (NIST) published a draft Transit Cybersecurity Framework Community Profile intended to improve cybersecurity practices in transportation systems that require continuous operations and connectivity. The voluntary draft, developed by NIST’s National Cybersecurity Center of Excellence (NCCoE), is open for public comment through February 23, 2026, and positions transportation as a critical-infrastructure area needing more tailored cybersecurity guidance.
Separately, CISA and the UK’s NCSC released joint guidance titled Secure Connectivity Principles for Operational Technology (OT) environments, aimed at helping asset owners balance business-driven connectivity (remote access, data integration, cloud connectivity) with security risk. The guidance outlines eight high-level principles (e.g., limiting exposure, centralizing and standardizing access, using secure protocols, hardening boundaries) intended to be broadly applicable across critical-infrastructure sectors. An additional Help Net Security interview with Fermilab’s CISO discusses general cybersecurity challenges in open scientific research environments, but it does not materially relate to the NIST transit framework draft or the CISA/NCSC OT connectivity guidance.
Sources
Related Stories
Critical Infrastructure Cybersecurity Guidance and Architecture to Reduce Telecom and OT Attack Surfaces
A virtual briefing hosted by the Institute for Critical Infrastructure Technology (ICIT) argued that **telecom networks’ “crown jewels”**—including signaling pathways and subscriber identity/metadata—remain high-value targets, and that traditional perimeter defenses are insufficient against advanced adversaries. The session cited activity associated with China-linked threat actors **Salt Typhoon** and **Volt Typhoon** as illustrative of systemic telecom weaknesses, and promoted *privacy-first mobile-carrier* design choices (e.g., minimizing exposed identifiers and reducing the long-term value of compromised data) as concrete controls to reduce attack surface and limit blast radius. Separately, the U.K. **National Cyber Security Centre (NCSC)**, working with **CISA**, the **FBI**, and other international partners, released guidance titled **“Secure Connectivity Principles for Operational Technology”** aimed at reducing exposed and insecure connectivity in OT environments, including nuclear-sector contexts. The guidance outlines **eight foundational principles** intended to help organizations protect OT networks from highly capable and opportunistic actors, including **nation-state** threats, against a backdrop of accelerating IT/OT convergence and increasing rates of OT/ICS-impacting incidents reported across critical infrastructure.
1 months ago
Western Cyber Agencies Release Secure Connectivity Principles for Operational Technology
CISA, the UK **NCSC**, and multiple international partners released **Secure Connectivity Principles for Operational Technology (OT)** guidance aimed at reducing risk created by increased connectivity into industrial environments (e.g., industrial control systems, sensors, and other critical services). The guidance is positioned for operators of essential services facing business and regulatory pressure to enable remote monitoring and management, and it emphasizes that formerly *air-gapped* OT is now more exposed due to expanded remote access and IT/OT convergence. The guidance highlights that insecure or exposed OT connectivity is being targeted by a broad range of adversaries, including **ransomware groups**, **state-backed actors**, and **pro-Russia hacktivists** conducting opportunistic attacks against global critical infrastructure. Recommended defensive themes include **network segmentation**, **strong authentication**, continuous monitoring, and minimizing remote access paths to prevent disruptive incidents with potential real-world safety and service-delivery impacts; CISA also solicited stakeholder feedback via a product survey. Separate opinion pieces discussing AI in critical infrastructure and power redundancy risks in OT, and an industry roundup of Chinese cybersecurity companies, do not provide additional reporting on this specific guidance release.
2 months ago
Industry Pushes NIST to Add More Actionable Detail in SP 800-82 OT Security Rewrite
U.S. **operational technology (OT)** security specialists urged **NIST** to make its forthcoming update to *Special Publication 800-82* significantly more practical and granular, arguing that OT owners and operators need actionable guidance rather than high-level frameworks. The feedback was provided as NIST begins its **fourth revision** of SP 800-82 and solicits private-sector input, reflecting growing maturity and urgency in OT cybersecurity governance. Vendors and practitioners emphasized that OT environments require different approaches than conventional IT, particularly for **vulnerability management**, where standard IT practices may be ineffective or counterproductive in industrial settings. Commenters also called for more **sector-specific guidance** for emerging OT verticals such as **smart building management** and **distributed energy systems** (including **EV charging networks**), and broadly supported NIST’s proposal to move several SP 800-82 appendices online—covering OT security organizations, tools and threats, and catalogs of vulnerabilities and incidents—to keep reference material more current.
1 weeks ago