Leveraging Key NCSC Guidance
Much of the work we undertake with critical national infrastructure (CNI) organisations aligns with best practices from the National Cyber Security Centre (NCSC). Below we summarise essential NCSC guidance, including best practices for Network Isolation, Device security, and Zero Trust model.
The Challenge
Because securing operational technology (OT) systems hinges on creating robust isolation between OT and IT networks, supporting remote access securely can be a challenge for organizations. As NCSC guidance notes[1], if resources are accessible remotely, attackers will also exploit this access.
Standard users require seamless access to both internal services and external resources (like websites and email) from various locations, including corporate sites and home offices. In parallel, engineering staff, administrators, and even OT vendors need access to OT networks remotely, often requiring interaction with critical system components.
This diversity of access needs calls for stringent separation of roles, devices, and networks to ensure the most sensitive assets are safeguarded against vulnerabilities in exposed systems.
OT Exploit Example
A recent example of an OT exploit is provided by Team82's analysis of "IOCONTROL"[2], custom-built malware attributed to state-affiliated attackers and targeting IoT and OT devices, including IP cameras, routers, PLCs and firewalls.
The malware, which employed the MQTT protocol for secure communication with its C2 infrastructure, compromised several hundred fuel management systems, underscoring its relevance to civilian critical infrastructure.
For cyber resilience, organizations should:
- make system compromise and disruption challenging for attackers;
- facilitate swift detection of compromise; and,
- minimize impact.
Given the increase in attack sophistication, often from state-aligned actors[3], CNI entities need to design their systems to be resilient to an elevated cyber threat. At the same time, increasing liabilities driven by the evolving regulatory landscape underscore the need for appropriate security protocols. Some of the key areas for consideration are outlined below.
Trusted Networks
Organizations should consider internet-facing devices as low-trust entities. Allowing these to connect directly to operational systems creates a “browse-up” architecture, an NCSC-recognized “anti-pattern”. This approach, avoided where possible in government-classified systems, similarly puts CNI assets at significant risk.
NCSC advises against relying on jump boxes or bastion hosts to protect remote access: they add complexity without a proportional security improvement. You should expect the more sophisticated attackers, and their malicious software, to be capable of moving laterally through an intermediary host in the same way that you can.
Effective remote access setups allow logical separation by function. For instance, control networks typically do not need access to email or other corporate resources. The only really secure method to connect from a remote location is through a corporately managed, dedicated network with designated data flows from management devices to field sites via network controls hosted in corporate offices.
NCSC advocates for High Assurance Cross Domain (CDS) Gateways in high-threat, high-impact OT environments. CDS Gateways can be configured to only allow validated and authenticated traffic to cross network boundaries, providing a ‘white-list’ model that allows greater protection than commercial firewalls.
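To make the 'white-list' model concrete, the following is an added Python illustration (not Becrypt or NCSC code, and not how any particular CDS product is implemented) of a boundary that forwards a message only when it is both authenticated and validated: the envelope must carry a correct HMAC from a known sender, and the body must have exactly the expected fields, types and values. The sender keys, device ids, register ranges and message format are constructed for this example.

```python
"""Allow-list validation of messages crossing an IT/OT boundary.

Constructed example: a message is forwarded only if it is authenticated
(HMAC-SHA256 from a known sender) AND every field is present, correctly
typed and within an explicitly permitted range. Anything else is dropped
with a reason, so the default is deny rather than pass-through.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed per-sender keys; a real gateway would hold these in a key
# store or HSM, never in source.
SENDER_KEYS = {"mgmt-ws-01": b"constructed-demo-key-01"}

# Constructed allow-list of field-site devices and the register writes
# that a management workstation is permitted to make to each.
ALLOWED_DEVICES = {
    "plc-07": {"registers": range(40001, 40017), "max_value": 4095},
    "plc-12": {"registers": range(40001, 40005), "max_value": 100},
}
REQUIRED_FIELDS = {"device_id": str, "register": int, "value": int}


def sign(sender: str, body: dict) -> bytes:
    """Sender side: wrap a body in an envelope with an HMAC-SHA256 tag."""
    payload = json.dumps(body, sort_keys=True)
    mac = hmac.new(SENDER_KEYS[sender], payload.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"sender": sender, "payload": payload, "mac": mac}).encode()


def authenticate(raw: bytes) -> Tuple[Optional[str], str]:
    """Verify the envelope; return the payload string only if the MAC is good."""
    try:
        env = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return None, "envelope is not valid JSON"
    if not isinstance(env, dict) or set(env) != {"sender", "payload", "mac"}:
        return None, "malformed envelope"
    if not all(isinstance(env[k], str) for k in ("sender", "payload", "mac")):
        return None, "malformed envelope"
    key = SENDER_KEYS.get(env["sender"])
    if key is None:
        return None, "unknown sender"
    expected = hmac.new(key, env["payload"].encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(expected, env["mac"]):
        return None, "bad MAC"
    return env["payload"], "ok"


def validate_body(payload: str) -> Tuple[bool, str]:
    """Content check: exact field set, exact types, values on the allow-list."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return False, "payload is not valid JSON"
    if not isinstance(msg, dict):
        return False, "payload is not an object"
    # Exact field set: an unexpected field is a reject, not something to ignore
    if set(msg) != set(REQUIRED_FIELDS):
        return False, "unexpected field set %s" % sorted(msg)
    for name, typ in REQUIRED_FIELDS.items():
        # type() rather than isinstance(): bool is a subclass of int in Python
        if type(msg[name]) is not typ:
            return False, "field %s has wrong type" % name
    policy = ALLOWED_DEVICES.get(msg["device_id"])
    if policy is None:
        return False, "device %s not on allow-list" % msg["device_id"]
    if msg["register"] not in policy["registers"]:
        return False, "register %d not permitted for %s" % (msg["register"], msg["device_id"])
    if not 0 <= msg["value"] <= policy["max_value"]:
        return False, "value %d out of range" % msg["value"]
    return True, "ok"


def gateway(raw: bytes) -> Tuple[bool, str]:
    """Full boundary decision: authenticate first, then validate content."""
    payload, reason = authenticate(raw)
    if payload is None:
        return False, reason
    return validate_body(payload)


if __name__ == "__main__":
    good = sign("mgmt-ws-01", {"device_id": "plc-07", "register": 40003, "value": 1200})
    print(gateway(good))
    extra = sign("mgmt-ws-01", {"device_id": "plc-07", "register": 40003, "value": 1200, "cmd": "reboot"})
    print(gateway(extra))
```

The design point is that a message is compared against what is explicitly permitted rather than against a list of known-bad patterns: a correctly signed message with one extra field, a register outside the permitted range, or a value of the wrong type is rejected just as a forged one is, which is the behaviour that distinguishes this model from a conventional firewall rule.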
Trusted Devices
Remote access sessions should originate from devices managed by the organization. Given the persistent threat of spear-phishing and targeted attacks, separating corporate functions from engineering tasks is crucial. For high-risk scenarios, dedicated Privileged Access Workstations (PAWs) provide heightened protection.
While issuing two laptops to support PAW deployment is undeniably the most robust form of separation, for many organisations it may be undesirable, so other options need to be considered, such as virtualised environments on a single laptop or lighter-weight controls such as network namespaces. Regardless of the approach used, it is important that common methods of compromise for enterprise IT cannot easily lead to compromise of OT systems.
The increase in the use of remote access has driven the need for multi-factor authentication (MFA), because the physical presence of an authenticating user cannot be guaranteed for remote users. MFA should be extended to third-party access, and it is worth understanding how third parties access your environment. Encouraging or requiring the use of PAWs may be relevant, and NCSC's advice on Zero Trust highlights the value of combining device identity and device health validation with user authentication as 'signals' to enable secure remote access.
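The following is an added Python illustration of the Zero Trust 'signals' approach described above; it is not Becrypt or NCSC code and not any product's policy engine. It combines user authentication (including MFA), device identity, device health freshness and the device's class into a single fail-closed decision, so that a compromised corporate laptop, an unmanaged device or a stale health attestation cannot reach OT even with valid user credentials. The device inventory, role names and the one-hour attestation window are constructed for this example.

```python
"""Combining user, device-identity and device-health signals into one
fail-closed access decision for remote OT access.

Constructed example: inventory, roles and freshness window are invented.
Every failing signal is recorded, so a denial can be logged and explained.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed device inventory: each managed device has a class. Only a PAW
# may reach OT; a corporate-class laptop is limited to corporate resources.
MANAGED_DEVICES = {"paw-0042": "paw", "laptop-1187": "corporate"}
# Constructed role directory; third parties are issued roles like anyone else.
USER_ROLES = {"eng.alice": "ot-engineer", "vendor.bob": "ot-vendor", "fin.carol": "staff"}
OT_ROLES = {"ot-engineer", "ot-vendor"}
# Constructed freshness window: a health attestation older than this is stale.
MAX_HEALTH_AGE = timedelta(hours=1)


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool                       # second factor completed this session
    device_id: str
    device_cert_valid: bool                  # device identity: cert chains to corporate CA
    health_attested_at: Optional[datetime]   # last successful health check (UTC), if any
    target: str                              # "corporate" or "ot"


def evaluate(req: AccessRequest, now: datetime) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny", reasons). Any failing signal denies."""
    reasons: List[str] = []
    role = USER_ROLES.get(req.user)
    if role is None:
        reasons.append("unknown user")
    if not req.mfa_verified:
        reasons.append("MFA not completed")
    device_class = MANAGED_DEVICES.get(req.device_id)
    if device_class is None:
        reasons.append("device not in managed inventory")
    elif not req.device_cert_valid:
        reasons.append("device identity not proven")
    if req.health_attested_at is None:
        reasons.append("no device health attestation")
    elif now - req.health_attested_at > MAX_HEALTH_AGE:
        reasons.append("device health attestation stale")
    if req.target == "ot":
        # IT/OT separation: the device class, not just the user, gates OT access
        if device_class is not None and device_class != "paw":
            reasons.append("OT access requires a PAW-class device")
        if role is not None and role not in OT_ROLES:
            reasons.append("user role not permitted on OT")
    elif req.target != "corporate":
        reasons.append("unknown target")
    return ("deny" if reasons else "allow"), reasons


def demo() -> dict:
    """Fixed scenarios evaluated at a fixed clock, so results are repeatable."""
    now = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=10)
    stale = now - timedelta(hours=3)
    scenarios = {
        "engineer_on_paw": AccessRequest("eng.alice", True, "paw-0042", True, fresh, "ot"),
        "engineer_on_corporate_laptop": AccessRequest("eng.alice", True, "laptop-1187", True, fresh, "ot"),
        "vendor_no_mfa": AccessRequest("vendor.bob", False, "paw-0042", True, fresh, "ot"),
        "paw_stale_health": AccessRequest("eng.alice", True, "paw-0042", True, stale, "ot"),
        "staff_to_corporate": AccessRequest("fin.carol", True, "laptop-1187", True, fresh, "corporate"),
        "unmanaged_device": AccessRequest("eng.alice", True, "byod-1", False, None, "ot"),
    }
    return {name: evaluate(req, now) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, (decision, why) in demo().items():
        print("%-30s %s %s" % (name, decision, "; ".join(why)))
```

Two choices matter here: the evaluation collects every failing signal rather than stopping at the first, which gives the security operations team a complete record of why a session was refused; and the health attestation is treated as a time-bounded signal, so a device that was healthy this morning still has to prove it again before the next OT session.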
Final Thoughts
Coherent management across IT and OT teams enhances cyber resilience. Effective organizations align on risk management strategies, applying them consistently across vulnerability management, configuration control, and asset control.
From our experience working with varied CNI organizations, we find that cyber resilience often reflects an organization’s mindset and culture. The highest-performing CNI environments adopt a mission-focused, risk-averse approach—a culture that can be nurtured across any organization. The NCSC’s guidance, grounded in world-class threat intelligence, can streamline efforts for all CNI operators aiming to bolster their cyber resilience.
Find out more:
Becrypt OS is a PAW platform for securing remote administrative access, supporting Network Namespaces as an alternative to multiple physical devices, managed through APP-XD and VDI Guard for high assurance Cross Domain network protection.