What New Global OT Security Guidance Means for Industrial Environments
Historically, operational technology (OT) environments were built to be isolated and stable. Change was slow, and systems were designed to run the same way for years.
That’s changing.
OT systems are now connected, remotely accessed, and tightly linked to software and data platforms. This shift has created real operational benefits. It has also removed many of the assumptions that once kept OT environments safe.
This is the context for the new Secure Connectivity Principles for Operational Technology (OT) guidance, developed by the UK National Cyber Security Centre with international partners.
The guidance makes it clear that OT connectivity is now a major source of risk, and securing it requires strong design, not add-on controls.
OT environments must be built so that connectivity is intentional, limited, visible, and able to withstand attack. That means planning for compromise, designing for isolation, and limiting how far failures can spread.
Here’s a breakdown of the core principles in the guidance, why they matter for OT, and how Illumio aligns with those requirements.
Why this guidance exists now
OT systems are more connected than ever. Many still run on legacy devices that were never built to face modern threats.
Remote access, third-party support, cloud analytics, and IT links have expanded the attack surface. In many cases, this growth happened faster than teams could fully track or control it.
OT environments also have limits that IT doesn’t. Patching is slow or impossible. Reboots are risky. Hardware upgrades can take years. When systems fail, the impact can reach beyond downtime and affect safety.
This is why the guidance focuses on end goals instead of a checklist. It accepts that perfect security cannot be achieved all at once.
What organizations can control is design. By planning OT connectivity with intent, teams can stop compromise from turning into a wider failure.
That approach matches how attackers work today. They rely on lateral movement, persistence, and time.
8 core principles and what they mean in practice
The guidance breaks secure OT connectivity into eight core principles. Each one focuses on reducing risk without putting safety or availability at risk.
Together, these principles form a practical framework. They show how to design OT environments that can handle compromise and keep operations running.
1. Balance the risks and opportunities
Connectivity into OT should start with intent. Every connection should exist for a defined operational reason, deliver a clear business benefit, and have a named owner who accepts the risk.
In reality, many OT environments did not evolve this way. Connectivity often grew over time. Vendor access was added as a short-term fix. Engineering workstations gained multiple network connections. Data was shared because it was easy, not because it was reviewed.
This creates a common problem. Most organizations do not have a current view of how their OT systems really communicate.
Illumio helps close this gap by building a real-time map of OT communications. It is based on observed traffic, not network diagrams or assumptions.
Teams can see which PLCs (programmable logic controllers) communicate with which HMIs (human-machine interfaces), which servers start connections, and which flows are required for operations. They can also see traffic that exists simply because nothing ever blocked it.
This changes how risk decisions are made. Instead of debating design theory, teams work from evidence. They can decide which connections are needed, which should be restricted, and which can be removed.
2. Limit the exposure of your connectivity
Exposure is not just about internet access. It also depends on how reachable a system is from nearby networks and how many paths lead to it after an attacker gets in.
The guidance discourages inbound access into OT. It favors outbound-only connections, brokered access, and just-in-time connectivity to reduce exposure time.
These principles make sense. But many OT environments still rely on persistent access. Legacy systems and vendor tools often require it.
When exposure cannot be removed at the boundary, it must be limited inside the environment.
Illumio reduces the impact of exposed systems. If a remote access gateway, jump host, or vendor workstation is compromised, Illumio prevents that access from spreading across OT.
Policies define which systems can communicate, on which ports, and in which direction.
In practice, this means a compromised vendor session may reach one maintenance system. It cannot scan controllers, reach safety systems, or access unrelated production assets.
Exposure still exists. The damage it can cause is much smaller.
3. Centralize and standardize network connections
The guidance highlights a major OT challenge: connectivity sprawl.
Over time, organizations create many custom access paths. VPNs, firewall rules, and special network designs pile up. Teams avoid changing them because they fear breaking production.
This complexity increases risk. It also slows response during an incident.
The guidance calls for centralized and repeatable connectivity models that can be monitored and enforced in the same way.
Illumio supports this by separating security policy from network layout. Policies are based on what a system is and what it does, not where it sits on the network.
This lets organizations standardize access without redesigning their infrastructure. Over time, one-off exceptions can be replaced with clear and reusable policies that are easier to test and maintain.
4. Use standardized and secure protocols
The guidance is realistic about protocols. Many OT systems still depend on legacy or insecure protocols. Replacing them all at once is rarely possible.
Instead, the guidance focuses on understanding protocol risk and using controls when upgrades are not possible.
Many security strategies fail here because they assume protocol upgrades must come first.
Illumio takes a different path. It assumes insecure protocols will remain. The focus is on where and how those protocols are allowed to run.
By limiting which systems can use a protocol and where that traffic can go, Illumio reduces abuse even when encryption or authentication is weak.
For example, Modbus traffic may be required between a controller and a device. Illumio ensures that only that path exists. The same traffic cannot be started elsewhere or used to move through the network.
The protocol remains while risk is contained.
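As an added illustration of the directional, port-level, label-based allow-list described under principles 2 through 4 (a vendor session that reaches one maintenance host but not the controllers; Modbus permitted only on the one required path), here is a constructed default-deny policy evaluator. It is example code written for this page, not Illumio's policy model, rule syntax or API; the asset names, labels, addresses and "observed" flows are all made up.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed illustration of a label-based, default-deny segmentation policy.
# It is not Illumio's policy model, API or rule syntax; all names are made up.
@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    role: str   # what the system is: "plc", "hmi", "vendor-jump", "maint-server"
    zone: str   # which process it serves: "cell-1", "safety", "maintenance"

@dataclass(frozen=True)
class Rule:
    src_role: str                      # directional: src is the side that initiates
    dst_role: str
    proto: str
    port: int
    dst_zone: Optional[str] = None     # None means any zone of that role

RULES = (   # allow-list; any flow that matches no rule is denied
    Rule("hmi", "plc", "tcp", 502, dst_zone="cell-1"),  # Modbus/TCP only HMI -> cell-1 PLCs
    Rule("vendor-jump", "maint-server", "tcp", 22),     # vendor session reaches one maintenance host
)

def is_allowed(src: Asset, dst: Asset, proto: str, port: int, rules=RULES) -> bool:
    # Decision depends on labels only: moving an asset to another subnet changes nothing.
    for r in rules:
        if (r.src_role == src.role and r.dst_role == dst.role
                and r.proto == proto and r.port == port
                and r.dst_zone in (None, dst.zone)):
            return True
    return False   # default deny

def audit_flows(flows, rules=RULES):
    # Observed flows that exist only because nothing ever blocked them.
    return [f for f in flows if not is_allowed(*f, rules=rules)]

# Constructed inventory and constructed "observed traffic" (not real captures).
HMI = Asset("hmi-01", "10.1.1.10", "hmi", "cell-1")
PLC = Asset("plc-01", "10.1.1.20", "plc", "cell-1")
SAFETY_PLC = Asset("sis-01", "10.1.2.20", "plc", "safety")
VENDOR = Asset("vendor-jump-01", "10.9.0.5", "vendor-jump", "maintenance")
MAINT = Asset("maint-01", "10.1.1.30", "maint-server", "maintenance")
OBSERVED = [
    (HMI, PLC, "tcp", 502),          # required Modbus path: allowed
    (PLC, HMI, "tcp", 502),          # reverse direction: denied
    (VENDOR, MAINT, "tcp", 22),      # sanctioned maintenance session: allowed
    (VENDOR, PLC, "tcp", 502),       # vendor host reaching a controller: denied
    (HMI, SAFETY_PLC, "tcp", 502),   # Modbus into the safety zone: denied
]
```

Running `audit_flows(OBSERVED)` returns the three flows the policy would block, which is the review step the guidance asks for: decide which observed paths are needed, which to restrict, and which to remove.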
5. Harden the OT boundary
OT boundaries matter because many internal devices cannot be patched or secured on their own.
Strong boundary controls are essential. But the guidance also makes an important point. Boundaries fail.
Misconfigurations happen, and vulnerabilities appear. Credentials get stolen. When a boundary is breached, internal controls decide what happens next.
Illumio treats internal OT traffic as untrusted by default. Even after traffic crosses a boundary, it must still follow segmentation rules to reach its destination.
There is no automatic trust just because traffic is inside the network.
This layered approach means a boundary breach doesn't turn into a full compromise. Internal controls limit how far an attacker can move.
6. Limit the impact of compromise
This principle is the strongest statement in the guidance. It directly calls out contamination and lateral movement as the main risks after access is gained.
Flat networks, shared credentials, and broad access allow attackers to move faster than defenders can respond.
Illumio is designed to stop that movement.
Microsegmentation limits communication to what is explicitly allowed. Systems cannot talk to each other by default.
A compromised engineering workstation cannot reach controllers. A compromised server cannot move into safety systems. Lateral movement is blocked.
This prevents escalation. In OT environments, where response options are limited by safety and uptime, stopping escalation is critical.
7. Ensure all connectivity is logged and monitored
Monitoring only works when teams know what normal looks like.
OT traffic is often predictable. But that only helps if teams can see east-west communication.
Illumio provides continuous visibility into real traffic patterns. This makes it easier to set baselines and spot changes.
It also adds context. When something unusual happens, teams can see what changed, which systems are involved, and whether policy was violated.
This shortens investigations and supports faster decisions during incidents.
8. Establish an isolation plan
The guidance treats isolation as part of design, not a last-minute reaction.
OT environments must be able to isolate systems or services without causing harm. Those actions must be planned and tested.
This only works when segmentation already exists.
Illumio supports targeted isolation. Teams can block specific paths, isolate compromised systems, or remove third-party access without shutting down entire sites.
Isolation becomes precise and reversible.
That precision helps organizations respond to incidents without turning them into operational emergencies.
Breach containment is the unifying OT security requirement
Taken together, the guidance points to the fact that OT security can no longer be built on prevention alone.
Connectivity guarantees exposure, and legacy systems guarantee vulnerability. The only sustainable strategy is containment by design.
Breach containment isn’t about assuming failure but about engineering environments that continue to function safely when failure occurs.
Illumio aligns with the guidance because it treats segmentation, visibility, and enforcement as foundational controls, not advanced features.
In OT environments, that foundation is what allows organizations to adopt connectivity safely, comply with evolving guidance, and respond to incidents without escalating impact.
Secure OT connectivity requires breach containment
Secure Connectivity Principles for OT makes it clear that connectivity has changed how risk shows up in operational environments.
Remote access, third-party support, and data sharing are now part of daily OT operations. Many of the systems involved were never built for this level of exposure.
The organizations that hold up under pressure plan for compromise. They limit trust by default. They control how systems talk to each other. And they design networks so one failure doesn’t turn into a site-wide or safety-related incident.
Breach containment doesn’t replace OT security controls. It ensures those controls still work when something goes wrong.
See how Illumio Insights helps you understand and contain risk across complex, connected environments. Try Insights free today.