The Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidance to owners and operators of operational technology (OT) that is aimed at helping them reduce security costs and complexity.

CISA published the new guidance, entitled “Barriers to Secure OT Communications: Why Johnny Can’t Authenticate,” on Feb. 10.

“Many OT owners and operators continue to use insecure legacy industrial protocols that lack basic authentication and integrity checks,” CISA said, adding, “With insecure communications, threat actors can impersonate a device or modify a message in transit to an OT device.”

“Secure versions of industrial protocols have been available for over two decades; however, a variety of barriers have prevented the control systems community from widely adopting these protocols which enable secure communication,” the agency explained.

The guidance keys in on why secure communication remains elusive for some OT owners and operators. It provides actionable recommendations with a particular focus on cost and complexity issues, latency and bandwidth worries, inspection issues from encryption, and interoperability issues.

“There is a critical need for OT environments to use secure communication that protects against threats like actor-in-the-middle attacks and unauthorized updates,” stated Nick Andersen, CISA’s executive assistant director for cybersecurity.

The guide, which was developed with input from OT owners and operators in the water, wastewater, transportation, chemical, energy and agricultural sectors, “demonstrates CISA’s commitment to collaborate with industry and government partners to develop tangible outcomes that strengthen security and build trust,” Andersen said.

The latest guidance, the agency said, expands on similar OT advice CISA issued in January 2025.

About
John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.