• CISA Releases Guide to Help Critical Infrastructure Users Adopt More Secure Communication WASHINGTON - The Cybersecurity and Infrastructure Security Agency (CISA) today released a new guide to help operational technology (OT) owners and operators implement secure communications and advise OT manufacturers on reducing barriers and improving usability. • The guide,Barriers to Secure OT Communications: Why Johnny Can’t Authenticate, was developed from interviews with control systems stakeholders, asset owners and operators across sectors including Water and Wastewater Systems, Transportation Systems, Chemical, Energy, and Food and Agriculture Sectors. • Many OT owners and operators continue to use insecure legacy industrial protocols that lack basic authentication and integrity checks. • With insecure communications, threat actors can impersonate a device or modify a message in transit to an OT device. • Secure versions of industrial protocols have been available for over two decades; however, a variety of barriers have prevented the control systems community from widely adopting these protocols which enable secure communication. • “Adopting secure communications in OT environments is a long-term effort with complexities, costs and risks.

Article Summaries:

  • CISA has issued a new guide, “Barriers to Secure OT Communications: Why Johnny Can’t Authenticate,” aimed at helping owners and operators of operational technology (OT) adopt secure communication protocols. The guide, based on interviews with stakeholders in water, transportation, chemical, energy, and food sectors, highlights why many OT environments still rely on legacy industrial protocols that lack authentication and integrity checks. It identifies key barriers-cost, complexity, latency, encryption inspection, and legacy interoperability-and offers actionable recommendations for asset owners, integrators, and manufacturers to overcome them. CISA urges the control‑systems community to review the guide and collaborate on implementing secure communications to mitigate threats such as man‑in‑the‑middle attacks.

Sources: