Industry Pushes NIST to Add More Actionable Detail in SP 800-82 OT Security Rewrite
U.S. operational technology (OT) security specialists urged NIST to make its forthcoming update to Special Publication 800-82 significantly more practical and granular, arguing that OT owners and operators need actionable guidance rather than high-level frameworks. The feedback was provided as NIST begins its fourth revision of SP 800-82 and solicits private-sector input, reflecting growing maturity and urgency in OT cybersecurity governance.
Vendors and practitioners emphasized that OT environments require different approaches than conventional IT, particularly for vulnerability management, where standard IT practices may be ineffective or counterproductive in industrial settings. Commenters also called for more sector-specific guidance for emerging OT verticals such as smart building management and distributed energy systems (including EV charging networks), and broadly supported NIST’s proposal to move several SP 800-82 appendices online—covering OT security organizations, tools and threats, and catalogs of vulnerabilities and incidents—to keep reference material more current.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Industry calls for standards harmonization and safer OT scanning guidance
Industry groups including the Operational Technology Cybersecurity Coalition urged NIST to better align SP 800-82 with standards such as ISA/IEC 62443 to reduce compliance friction across jurisdictions. Commenters also asked for clearer OT network scanning guidance, favoring passive assessment as a baseline and a phased, risk-based approach to any active scanning.
Stakeholders back dynamic online appendices for SP 800-82
Multiple commenters supported NIST's proposal to move key SP 800-82 appendices on organizations, tools, and threats, vulnerabilities and incidents online as dynamic resources. Armis further advocated for machine-readable, API-updated content to keep the material current.
OT security vendors urge NIST to make SP 800-82 more practical
By early March 2026, OT security specialists including Dragos, Claroty and Armis publicly urged NIST to make the revised guidance more granular and actionable. They argued that IT-centric security practices can be ineffective or even harmful in industrial environments and called for clearer direction on vulnerability management, disclosure quality and safe assessment methods.
NIST begins fourth revision of OT security guide SP 800-82
NIST undertook a fourth revision of Special Publication 800-82, its operational technology security guidance. The update process prompted industry review of how the guidance should better address real-world OT environments.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Western Cyber Agencies Release Secure Connectivity Principles for Operational Technology
CISA, the UK **NCSC**, and multiple international partners released **Secure Connectivity Principles for Operational Technology (OT)** guidance aimed at reducing risk created by increased connectivity into industrial environments (e.g., industrial control systems, sensors, and other critical services). The guidance is positioned for operators of essential services facing business and regulatory pressure to enable remote monitoring and management, and it emphasizes that formerly *air-gapped* OT is now more exposed due to expanded remote access and IT/OT convergence. The guidance highlights that insecure or exposed OT connectivity is being targeted by a broad range of adversaries, including **ransomware groups**, **state-backed actors**, and **pro-Russia hacktivists** conducting opportunistic attacks against global critical infrastructure. Recommended defensive themes include **network segmentation**, **strong authentication**, continuous monitoring, and minimizing remote access paths to prevent disruptive incidents with potential real-world safety and service-delivery impacts; CISA also solicited stakeholder feedback via a product survey. Separate opinion pieces discussing AI in critical infrastructure and power redundancy risks in OT, and an industry roundup of Chinese cybersecurity companies, do not provide additional reporting on this specific guidance release.
Mar 21, 2026
OT Security Pushes Beyond CVSS for Risk Assessment
Operational technology security practitioners are increasingly arguing that **CVSS** is not an adequate way to measure risk in industrial environments, even after the release of **CVSS 4.0**. The reporting says OT defenders view traditional vulnerability severity scoring as poorly suited to environments where safety, uptime, physical process impact, and sector interdependencies matter more than the characteristics of an individual software flaw. Experts cited in the coverage say OT risk assessment needs to focus on **cascading consequences**, cross-sector dependencies, and consequence management rather than trying to refine a vulnerability-centric scoring model. The articles describe a broader shift in OT security thinking: instead of treating CVSS as a universal standard, organizations operating critical infrastructure are being urged to adopt methodologies that better reflect real-world operational impact and the administrative realities of industrial systems.
Mar 21, 2026
New OT Security Frameworks Emphasize Incident Impact Scoring and Edge-Based Defense
ICS/OT security practitioners introduced a new framework for communicating the real-world severity of operational technology incidents: the **Operational Technology Incident (OTI) Impact Score**, a “Richter Scale”-inspired scoring system intended to quickly convey business and physical consequences of OT cyber events. The model, created by Digital Bond’s Dale Peterson and slated for release at the *S4x26* conference, is positioned as a way to reduce both overhyped and underreported OT incident narratives and to help executives, governments, insurers, and responders align resources (including ICS and physical response teams) to the actual impact. Separately, Palo Alto Networks Unit 42 described joint research with the **Siemens Cybersecurity Lab** and **Idaho National Laboratory** arguing that disruptive OT incidents are often not “OT-native” but instead begin with upstream **IT compromises** and progress over time toward industrial environments. The research advocates shifting detection and response “left” to the **network edge** between IT and OT, using earlier visibility and predictive threat behavior to turn dwell time into a defensive advantage; detailed findings were published in a companion whitepaper, *Intelligence-Driven Active Defense: Securing Operational Technology Environments*.
Mar 21, 2026