Blog – Waterfall Security Solutions

8 (and a Half) Questions for Your OT “Secure” Remote Access Vendors

Waterfall team — Wed, 01 Apr 2026 05:26:23 +0000

OT Insights Center8 (and a Half) Questions for Your OT “Secure” Remote Access Vendors

8 (and a Half) Questions for Your OT “Secure” Remote Access Vendors

Ask different questions, get different answers: What should you be asking your OT “secure” remote access (SRA) vendor?

Waterfall team

April 1, 2026

Terminology first. The word “secure” is in quotes, because cybersecurity (like safety) is a continuum, not a pair of discrete yes/no states. We can always be safer, or less safe. We can always be more secure, or less. The question “Are we secure?” is meaningless. The question “How secure are we?” has an answer. The question “How secure should we be?” is even more important. Anyone who uses “secure” as an adjective is selling something – “secure” communications (really: encrypted and/or authenticated), “secure” boot (really: cryptographically authenticated firmware), “secure” by design (really: better security by designing security in), and so on.

There is no such thing as “secure” remote access.

Want to learn more about OT remote access? Join our next webinar: “13 Ways To Break “Secure” OT Remote Access Systems”

Question 1: For SRA into OT systems, does your vendor provide IT-grade protection we HOPE can detect attacks in time, or do they provide hardware-enforced, engineering-grade protection?

What is IT-grade protection? Imagine a long suspension bridge has dangerous harmonic frequencies – people simply walking over the bridge risk setting up oscillations that build up, eventually to the point of tearing the bridge apart. See the 1940 Tacoma Narrows disaster for an example. Imagine that a bridge you cross every day on the way to work has this problem, and so is stabilized by hydraulic dampers – multiply redundant dampers, redundant power supplies and “secure” control systems. How happy would you be driving across that bridge every day if you knew the design engineer HOPED that, if there was a cyber attack on the control system, HOPED we could detect the attack before the bridge tore itself apart. How happy would you be knowing the design engineer HOPED that, if we detected the attack in time, HOPED we could scramble an incident response team fast enough to prevent disaster?

Hope is not what we expect of design engineers. we expect bridges to carry a specified load, in a specified operating environment, for a specified number of decades, with a large margin for error. Engineering-grade solutions, like over-pressure relief valves and unidirectional gateways, behave deterministically, no matter how sophisticated a cyber attack is launched at them.

Question 2: If someone phishes an SRA credential, can they exploit a vulnerability in the Multi-Factor Authentication (MFA) to get into the protected OT systems?

“Secure” Remote Access vendors boast about their MFA, but MFA is software. Yes, the little dongle on our keychain looks like hardware, but the “secure” SRA system we are logging into with the dongle is software. All software has defects, and some defects are security vulnerabilities. Some of those vulnerabilities are known to the SRA product developers, who are madly trying to develop patches / security updates for the vulnerabilities. Others are known only to our enemies, who are using these zero-day vulnerabilities against us without our knowledge. Our attackers phish our “secure” password, ignore our RSA dongle or cell phone authentication app, and exploit a zero-day in the “secure” system to break in with our credentials and work their will upon our OT networks. Is this possible in the “secure” system we are using or considering using?

Question 3: Is that SRA a H2M solution, or an M2M solution?

Terminology:

H2M = human-to-machine = sends keystroke & mouse movements in / receives screen images back out.
M2M = machine-to-machine = software talking to software – for example: an HMI running on our remote laptop, talking through a VPN to PLCs or OPC servers in the OT network, or a PLC programming tool on our remote laptop, talking through a VPN to update firmware in our safety-instrumented systems (SIS).

When “secure” remote access supports M2M, then any malware that might be present on our laptops can reach across the M2M/VPN and connecting to any vulnerable, out-of-date (eg: XP) OT systems in our OT network. Such systems are a bonanza to common malware that relies on exploiting known vulnerabilities.

Question 4: Can users override SRA encryption / certificate warnings?

Many “secure” OT solutions use industry standard Transport Layer Security (TLS) to protect their connections across the Internet. This is the same technology used by web browsers, M2M applications, and the vast majority of Internet and IT applications. TLS uses certificates. If an attacker intercepts our communications, they can substitute their certificates. Our software – eg: our web browsers – are supposed to diagnose the substitution. A lot of these applications, like many web browsers, caution their users when they see an unexpected certificate and ask if the user really wants to proceed. Most users answer, “yes of course – override the warning / force the connection to complete / finally I’m connected through this nonsense!” And they successfully use their MFA and other credentials to log into the “secure” remote access system in a way that lets the bad guys take over their session.

Question 5: Can you paste or file-transfer arbitrarily complex files into OT equipment remotely?

A lot of OT equipment is sensitive – it malfunctions if anti-virus is running on it, so we do not run AV on it. It costs a lot of money to re-certify for safety if anything changes, so we have not applied any security updates, nor upgrade the operating system. These systems are often found still running obsolete versions of Windows XP. What risk is there in downloading a PDF file to this device? Or a software update executable? Or a clever new OT tool we just found on the Internet that claims it can “clean the hard drive” on this very old, very vulnerable, very important OT system? If people can transfer files that can contain malware, sooner or later they will do so. Does our “secure” remote access permit this very dangerous operation?

Question 6: Is there a session timeout?

Many users find session timeouts to be really annoying. Users must log in repeatedly when they get distracted by other emergencies during OT SRA sessions. But what happens if there is no session timeout? We log in and finish a job in the evening on our home computer. We go to work the next day. Our kids log into the home computer to do their homework. They find our session still open, still connected. What harm could that cause? Or – we put no password on our cell phones, because constantly entering PINs is annoying. Now open a “secure” remote access session, set the phone down and forget it. A stranger picks it up. There is no PIN. The remote session is still active into our critical infrastructure operations. What harm could be done?

Question 7: Do you require deny-by-default on firewalls protecting OT networks?

Many “secure” remote access vendors claim we can install their software on the OT computer of your choice, and the software will connect straight out to the Internet through IT/OT and IT firewalls, without needing to do anything to reconfigure the firewalls. This design assumes that OT firewalls are configured like most IT firewalls are configured – they allow any outbound connection by default, disallowing only inbound connections and outbound connections to known-dangerous destinations.

Such configuration means the “secure” remote access solution counts on a firewall configuration that any well-meaning technician on the OT network can use to install their own rogue remote access solution, among other things. For example: open a persistent SSH connection to a home Linux computer that is able to forward connections back into OT systems or download a “free” remote access / support solution, connect it out to the cloud and at home, rendezvous with this solution from a home computer. Well-meaning technicians imagine that there is no need to “bother” IT or engineering with matters like this when anyone with the most modest of computer skills can download and install whatever “secure” remote access software they wish, using their XP admin credentials.

Question 8: Does your OT SRA need a firewall?

Most SRA vendors assume there is a firewall between the IT and OT networks, and their SRA software relies on establishing connections through this firewall. Firewalls, however, are vulnerable to many attacks. For examples, see Thirteen Ways to Break a Firewall. In contrast, hardware-enforced remote access (HERA), for example, is compatible with, but does not require a vulnerable firewall at the IT/OT interface.

Question 8 1/2: Does your SRA support MFA?

We count this as only half a question, because all commercial-grade OT SRA supports MFA. The only SRA without MFA is the “roll your own” kind, where you are hard-pressed to find any vendor to ask these questions of in the first place. Internet-exposed, and even IT-exposed OT facilities should all support MFA and we must enable that MFA without fail.

Digging Deeper

To better understand why these questions are important, or to dig deeper into the simple attack scenarios that lie behind these questions, please join us in our April webinar 13 Ways To Break “Secure” OT Remote Access Systems – And questions you should be asking your OT SRA vendor about these attacks”.

About the author

Waterfall team

8 (and a Half) Questions for Your OT “Secure” Remote Access Vendors

April 1, 2026

Webinar: 13 Ways To Break “Secure” OT Remote Access Systems

March 29, 2026

Webinar: 2026 OT Cyber Threat Report

March 25, 2026

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post 8 (and a Half) Questions for Your OT “Secure” Remote Access Vendors appeared first on Waterfall Security Solutions.

80K Stryker Devices Wiped Following Iran-Attributed Attack

Andrew Ginter — Tue, 24 Mar 2026 17:21:31 +0000

OT Insights Center80K Stryker Devices Wiped Following Iran-Attributed Attack

80K Stryker Devices Wiped Following Iran-Attributed Attack

Stryker produces medical devices. An Iran-attributed attack erased 80,000 corporate and personal devices (cell phones? laptops?) as a result of an intrusion into the Microsoft cloud and an instruction from that cloud to erase / reset the devices.

Andrew Ginter

March 24, 2026

https://www.bleepingcomputer.com/news/security/stryker-attack-wiped-tens-of-thousands-of-devices-no-malware-needed/

Stryker’s product shipping has stopped for now, but it is not clear yet whether manufacturing was also impaired. This is the kind of attack I’ve worried about for years – bad guys who get into IT or industrial cloud systems can wind up with the ability to affect thousands of devices via their encrypted cloud connections, in what might otherwise be heavily-defended sites.

Given the data available today, we will probably count this incident in next year’s OT Cyber Threat Report – we count incidents in the public record in manufacturing, heavy industry, critical industrial infrastructure and large building automation systems (eg: data centers). This year’s report is about to release – you can request your copy here.

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 35,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

80K Stryker Devices Wiped Following Iran-Attributed Attack

March 24, 2026

Cyber-Informed Engineering Recognized with Cyber Policy Award for Research Impact

March 18, 2026

Waterfall Security Solutions recognized by Gartner®

March 9, 2026

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post 80K Stryker Devices Wiped Following Iran-Attributed Attack appeared first on Waterfall Security Solutions.

Cyber-Informed Engineering Recognized with Cyber Policy Award for Research Impact

Waterfall team — Wed, 18 Mar 2026 14:02:45 +0000

OT Insights CenterCyber-Informed Engineering Recognized with Cyber Policy Award for Research Impact

Cyber-Informed Engineering Recognized with Cyber Policy Award for Research Impact

Waterfall team

March 18, 2026

The growing importance of Cyber-Informed Engineering (CIE) was recently recognized with a Cyber Policy Award for Research Impact from the Institute for Security and Technology.

The award honors a team whose work has helped advance CIE as a framework for addressing cyber risk in critical infrastructure. Among those honored were:

• Virginia Wright and Benjamin Lampe, leading the development of CIE at Idaho National Laboratory,

• Cheri Caddy of Savannah River National Laboratory who led the development of the CIE strategy and worked in the Whitehouse with the Department of Energy to secure funding for the CIE initiative,

• Andrew Ohrt of West Yost who led the deployment of CIE in the water sector and developed a number of publically-available resources to illustrate how to use CIE in critical infrastructures, and

• Our own Andrew Ginter, VP Industrial Security at Waterfall Security Solutions, who contributed industry perspectives to the CIE initiative, and whose book, speaking & podcast helped increase awareness of CIE in the OT security community at large.

The recognition of CIE highlights a broader shift in how cyber risk is being understood and managed in industrial environments.

What is Cyber Informed Engineering?

Cyber-Informed Engineering is “the big umbrella” – bringing together relevant parts of safety engineering, protection engineering, automation engineering, network engineering, and most of cyber security into a comprehensive body of knowledge for addressing cyber risks to physical operations. The body of knowledge looks at the problem of OT cybersecurity from the engineering perspective:

• Addressing high-consequence risks first, consistent with industrial engineering practices, and addressing high-frequency, low-impact irritants only secondarily,

• Encouraging modest design changes to physical processes to take entire sets of consequences and attack vectors off the table – avoiding / eliminating risk rather than merely mitigating the risk / reducing frequency of high-consequence events,

• Recognizing that the key objective in terms of preventing most truly unacceptable outcomes is preventing sabotage rather than espionage, and recommending strong oversight / control of online and offline communication channels that can transmit attack information into sensitive systems.

In short, CIE is positioned as “a coin with two sides.” One side is cybersecurity – teach engineering teams about cyber threats, about cybersecurity tools, and about the intrinsic limitations of such tools, so that these teams can evaluate residual risks. The other side is engineering – overpressure relief valves, manual fall-backs and other “unhackable” mitigations for all types of risk – including cyber risks. This engineering side of the coin has been under-represented in most OT security advice to date, and represents a big opportunity to dramatically improve OT security outcomes.

“CIE is the most important innovation in OT security in 20 years – bringing the engineering risk-management perspective and powerful engineering tools and approaches to bear on the problem of assuring safe, reliable and efficient physical operations, in an increasingly hostile cyber threat environment.”

Andrew Ginter, VP Industrial Security, Waterfall Security

Waterfall and Cyber Informed Engineering

At Waterfall Security Solutions, we believe in the principles of CIE. Just as the public expects bridges to carry a specified load, in a specified operating environment, for a specified number of decades, with a large margin for error, increasingly society demands that automation systems for physical operations carry a specified threat load, until at least the next opportunity to upgrade our defenses, with a large margin for error. And society generally expects that “carry a specified threat load” means to carry that load deterministically, with a very high degree of confidence.

This philosophy is very compatible with Waterfall’s own Unidirectional Gateways and hardware-enforced solutions. Our solutions are part of the Network Engineering body of knowledge – hardware-enforced / deterministic tools to prevent cyber attacks from pivoting through consequence boundaries: connections between networks with dramatically different worst-case consequences of compromise.

To learn more about Cyber-Informed Engineering and the work of Andrew Ginter, who was recognized with the Cyber Policy Award for Research Impact, you can request a copy of his book, Engineering-Grade OT Security: A Manager’s Guide.

About the author

Waterfall team

Consequential OT Breaches Dropped in 2025 – What Happened?

March 5, 2026

How to Apply the NCSC/CISA 2026 Guidance

March 1, 2026

Webinar: 2026 OT Cyber Threat Report

February 25, 2026

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Cyber-Informed Engineering Recognized with Cyber Policy Award for Research Impact appeared first on Waterfall Security Solutions.

Waterfall Security Solutions recognized by Gartner®

Waterfall team — Mon, 09 Mar 2026 10:07:27 +0000

OT Insights CenterWaterfall Security Solutions recognized by Gartner®

Waterfall Security Solutions recognized by Gartner®

Waterfall team

March 9, 2026

Waterfall Security, the leader in hardware-enforced OT security and remote access for cyber physical systems (“CPS”), is pleased to announce our inclusion in Gartner’s recent Market Guide for CPS Secure Remote Access report.

Gartner points out that “traditional remote access methods, such as VPNs, jump boxes or emerging approaches such as IT remote privileged access management (RPAM) products, lack the granularity and contextual knowledge needed for production or mission-critical environments,” and recommends organizations “replace VPNs and proceed with caution with IT-centric tools”. In the representative vendors section, the report identifies Waterfall for its new HERA (Hardware-Enforced Remote Access) product as a Representative Vendor.

Hardware-Enforced Remote Access

How Does HERA’s “physics” work? The Waterfall HERA product is a pair of a-symmetric cooperating Unidirectional Security Gateways, each physically able to send information in only one direction. The outbound gateway sends encrypted screen images out of the OT network. The inbound gateway sends encrypted keystrokes, mouse and other HERA protocol information into the OT network. The inbound gateway contains a hardware filter that passes only HERA information – all IP packets are discarded. In addition, login/encryption credentials are stored securely in TPM hardware in the remote HERA client computer, as well as TPM hardware in the HERA hardware on the OT side of the HERA – this in addition to conventional software-based multi-factor authentication (MFA) mechanisms.

“We are pleased to be recognized in the Gartner Market Guide. Waterfall’s hardware-enforced solutions, including Unidirectional Gateways and HERA are designed to eliminate entire classes of network-borne attack vectors.”
Lior Frenkel, CEO

Modern OT Remote Access

Today’s industrial operations expect remote access products with modern features, including: zero-trust-style granular access, MFA, a guaranteed protocol break, just-in-time session control, and the ability to inspect and terminate existing sessions, especially in NERC CIP and other regulated environments. Waterfall’s HERA provides all of these industry-leading features, in addition to the unique hardware-enforced security measures.

OT remote access is increasingly common and is increasingly seen as a serious threat to the security of industrial operations. The latest advice from CISA, CCCS and other government authorities regarding OT remote access states that the risk of exploiting VPN and other software vulnerabilities can “become detrimental to business operations.” As a result, these authorities recommend that “business owners should consider hardware-enforced solutions.” The era of “physics-based” and hardware-enforced solutions is upon us.

To explore Waterfall’s HERA, download the Waterfall Guide: Rethinking Secure Remote Access for Industrial and OT Networks.

Gartner, Market Guide for CSP Secure Remote Access, Katell Thielemann, Wam Voster, Sumit Rajput, 3 February 2026.

GARTNER is a trademark of Gartner, Inc. and/or its affiliates. Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.

About the author

Waterfall team

2026 OT Cyber Threat Report

February 18, 2026

Groundbreaking OT Security Guidance

February 5, 2026

Applying the New NCSC / CISA Guidance

January 20, 2026

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Waterfall Security Solutions recognized by Gartner® appeared first on Waterfall Security Solutions.

Consequential OT Breaches Dropped in 2025 – What Happened?

Andrew Ginter — Thu, 05 Mar 2026 03:23:36 +0000

OT Insights CenterConsequential OT Breaches Dropped in 2025 – What Happened?

Consequential OT Breaches Dropped in 2025 – What Happened?

In 2025, 57 cyber attacks caused real-world damage in heavy industry, world-wide. This is a 25% drop from 2024, and the first drop in this statistic in six years. What happened?

Andrew Ginter

March 5, 2026

The OT Data Set

The data set in the Waterfall / ICS STRIVE 2026 OT Cyber Threat Report shows 57 OT attacks with physical consequences world-wide in the industries the report tracks. Most of these attacks were ransomware, and this has been the case since the turn of the decade. Nation-state and hacktivist attacks nearly doubled, but that increase was not enough to make up for the reduction in ransomware attacks. The question of “what happened?” is really “what happened to ransomware attacks?” A definitive answer is not possible – there are a lot of ransomware groups out there, each with different MODUS OPERANDI, motives and circumstances. Speculation is possible however, and there is secondary data available, so let’s speculate a bit.

The Ransomware Data

Ransomware attacks overall seem to have flat-lined or maybe even dropped a little in 2025. There is no such thing as a repository or reliable count of all ransomware world-wide, but there are some indications:

FBI data for ransomware incidents reported to them in 2025 is not yet available, but the 2018-2024 data set shows ransomware increasing overall, but having “ups and downs.” 2021 was an “up” year, 2022 was smaller, and then started increasing again.
The NCC Group tracks ransomware sites where the criminals list the organizations they claim to have victimized. These are criminals though, should we believe them? Reliable or not, the NCC data shows a spike in February, a sharp reduction through most of the rest of the year, with a bit of an uptick in the last two months, with only a small increase in overall claims since 2024.
The German BSI has access to legally-required (confidential) incident disclosures in Germany. Their data shows 2025 nearly flat over 2024.
The Microsoft Threat Report claims that ransomware attacks that reached the encryption stage increased only 7% in 2025 over 2024.

Reasons for this phenomenon are varied – the best speculation world-wide seems to include:

Recent law-enforcement activity took down a number of prominent ransomware C2’s, impairing attack capabilities,
Recent sanctions and arrests of ransomware criminals may have a deterrent effect on individuals not yet fully committed to a criminal lifestyle, and
Mid-2025 saw a major provider in the criminal ecosystem vanish, and other providers jostled and competed to fill the void.

What else might be going on?

Analysis

In the report, the authors look at other hypotheses as well:

Are fewer attacks being reported in public? The data suggests there might be a some this happening. Owners and operators may have become “gun-shy” about disclosing too much information and being sued if any of that information is later shown to be incorrect. Less disclosure is safer and disclosing the minimum the law requires seems to have become the norm.
Have cyber defenses become more capable? But some of the breaches still showed shockingly poor cyber hygiene. Others showed a high degree of sophistication, taking down what we would expect to be well-defended targets.

In addition, the number of zero-days exploited in the wild dropped only a little 2024-2025, and AI-automated attacks started being observed. In short, it seems likely that all of this is in play, with the result that we’ve observed.

Conclusion

None of the effects looked at in the report seem likely to hold attacks constant or declining for any material amount of time:

Law-enforcement actions have not eliminated profitable drug-running or other criminal enterprises, and seem unlikely to be able to eliminate ransomware.
Ransomware criminals have re-organized to recover from their losses, and seem poised to resume their “normal” attack patterns in 2026.
Public disclosures of “material” incidents are increasingly required in many jurisdictions, which should increase disclosure rates. Less than material incidents may no longer be disclosed. But if incidents overall increase in 2026, one would expect to see material incidents and disclosures increase as well. And – in a world interested in cyber attacks, it is increasingly difficult to hide the fact that a factory shut down and laid off the workforce due to a cyber attack.

In short, it is reasonable to believe that the cyber attacks with physical consequences will continue to rise in the years ahead. And it is worth studying the attacks and trends we observe today, because anything that has happened in the past is a credible threat in the years ahead.

Digging Deeper: The authors of the threat report discuss these and many other findings in a webinar that you can stream now.

About the author

Andrew Ginter

IT/OT Cyber Theory: Espionage vs. Sabotage

January 6, 2026

Ships Re-Routed, Ships Run Aground

January 6, 2026

New CISA, CCCS et al Alert | Advice on Pro-Russian Hacktivists Targeting

January 6, 2026

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Consequential OT Breaches Dropped in 2025 – What Happened? appeared first on Waterfall Security Solutions.

How to Apply the NCSC/CISA 2026 Guidance

Waterfall team — Sun, 01 Mar 2026 14:33:08 +0000

OT Insights CenterHow to Apply the NCSC/CISA 2026 Guidance

How to Apply the NCSC/CISA 2026 Guidance

Hardware-enforced OT Security solutions help industrial operators follow the latest multi-government OT security guidance.

Waterfall team

March 1, 2026

For the first time, joint guidance from the UK NCSC, co-signed by CISA, BSI, Australia’s ACSC and others, calls for centralizing risky connections into OT networks, simplifying instructions sent into OT so they can be inspected for safety, and even “browsing down” for engineering workstation access. Alongside these newer ideas, it reinforces more established advice, such as hardening OT boundaries with hardware-enforced protections like Unidirectional Gateways and Hardware-Enforced Remote Access.

The challenge is that the guidance is fairly abstract. The principles are clear, but how to apply them in real OT architectures is not always obvious.

What are the 8 core principles of the NCSC / CISA “Secure connectivity principles for Operational Technology (OT)” guidance, and how does Waterfall support their application?

1) Balance the risks and opportunities – Waterfall’s Unidirectional Gateways dramatically reduce cyber risks to connected OT networks. One-way hardware prevents attack information from reaching back into OT networks, significantly reducing risks for even obsolete, unpatchable targets.

2) Limit the exposure of your connectivity – Waterfall’s Secure Bypass product is a time-limited switch, controlling how often and how long vulnerable software components are exposed to external networks, Waterfall’s Unidirectional Gateways are intrinsically outbound connections – no inbound threat is possible to connected devices through the gateways.

3) Centralise and standardise network connections – Waterfall’s Unidirectional Gateways scale from the smallest DIN rail form factors to 10Gbps rack-mount devices supporting dozens of simultaneous connectors & replications, making both distributed and centralized deployment straightforward.

4) Use standardised and secure protocols – Waterfall’s Unidirectional Gateways support dozens of OT protocols and applications, both plain-text and encrypted versions. Better yet, even when using plain-text communications into IT networks, no session hijack or other plain-text attack can reach through the unidirectional hardware back into the OT network to put physical operations at risk.

5) Harden your OT boundary – The guidance recommends hardware-enforced unidirectionality and integrity filtering. Waterfall’s Unidirectional Gateways enforce unidirectionality in hardware. Waterfall’s Hardware-Enforced Remote Access (HERA) uses a hardware filter to ensure only HERA protocol information can enter the OT side of the HERA device.

6) Limit the impact of compromise – Waterfall Unidirectional Gateway and FLIP products are compatible with a wide variety of anti-virus systems, patch management systems, zero trust, and other systems that provide this second level of defense in defense-in-depth programs.

7) Ensure all connectivity is logged and monitored – Waterfall for IDS is hardware-enforced protection for SPAN port and mirror ports sending data to IT-resident OT intrusion detection system (IDS) sensors. Waterfall is partnered with all the most important OT IDS vendors.

8) Establish an isolation plan – Waterfall’s Unidirectional Gateways are used by TSA-compliant sites and other sites with isolation / islanding requirements. The gateways ensure critical data continues to move, even during “isolation” emergencies where firewalls are not permitted to connect OT with IT networks, or the Internet.

Waterfall’s Unidirectional Gateway, HERA remote access and other hardware-enforced products are dramatically stronger than software and are used routinely at the sensitive IT/OT trust/consequence boundary.

Schedule a meeting with a unidirectional architect for a free consultation today.

FAQ about the NCSC / CISA “Secure Connectivity Principles for Operational Technology (OT)” guidance

What are the key recommendations from the NCSC / CISA “Secure Connectivity Principles for Operational Technology (OT)” guidance?

Groundbreaking OT Security Guidance

Andrew Ginter — Thu, 05 Feb 2026 14:22:54 +0000

OT Insights CenterGroundbreaking OT Security Guidance

Groundbreaking OT Security Guidance

I’ve been working in OT security for decades and I don’t say this lightly: I’ve never seen guidance like this before. The UK NCSC, alongside CISA, the Canadian CCCS, and others, just released new guidance on securing OT connectivity that includes topics rarely (if ever) covered before.

Andrew Ginter

February 5, 2026

The UK National Cyber Security Centre (NCSC) in conjunction with many others, including CISA, CCCS, BSI, FBI, NCSC-NL and NCSC-NZ, has just issued new guidance: Secure connectivity principles for Operational Technology (OT). The guidance is designed for medium-sized through large industrial sites and includes many topics that are either unique in the industry – that I’ve never seen in guidance before – or are otherwise unusual or infrequent – and useful.

These topics include: keeping the most IT / Internet-exposed equipment the most patched, centralizing the most dangerous connections, abstracting any instructions that OT receives from IT or the Internet if we can, hardening IT/OT interfaces with cross-domain solutions, using unidirectional hardware and hardware-enforced remote access, microsegmenting east/west OT communications, paying special attention to “break glass” accounts and workstations, not permitting anything like a remote-access engineering workstation, and using unidirectional hardware to help with islanding / emergency isolation requirements.

The document is, however, 33 pages long, and much of the language is general and abstract – it can be hard to figure out what the real point is. Here is a condensed version, with simplified language and occasional examples. This introduction may not be as 100% accurate as the original, but I hope to give readers enough of a head start on the tricky bits to have a fighting chance of getting through the document.

Overview

Let’s begin – the NCSC document describes 8 principles – with my summaries & paraphrasing in italics.

Balance the risks and opportunities – a somewhat confusing mix of OT cyber risk, brownfield cautions, and supply chain advice – most readers have seen this stuff before.
Limiting the exposure of your connectivity – when we have to connect stuff to IT or worse to the Internet, keep it patched, scan regularly for Internet-exposed IP addresses and services, and be paranoid about wireless communications. None of the individual bits of advice are new, but some of the combinations are unusually useful.
Centralise and standardise network connections – minimise our external connectivity, and ideally route it all through a central facility for intrusion detection and active management – of rules, vulnerabilities, actionable intel, etc. This is practical advice that I have not seen before.
Use standardised and secure protocols – use encryption and authentication inside our ICS as much as is practical, and always encrypt and authenticate communications across IT, Internet and other external networks. Good advice, not terribly new.
Harden your OT boundary – lots of good advice for this important consequence boundary, including hardware-enforced unidirectional, hardware-enforced remote access and (unusual) cross-domain solutions. Good advice – some of it right out on the edge of state-of-the-practice.
Limit the impact of compromise – a surprisingly old discussion of types of firewall packet filtering that everyone really should know already, coupled with a newer discussion of options for microsegmentation to control “lateral movement” (pivoting attacks).
Ensure all connectivity is logged and monitored – the usual exhortation to monitor connectivity, especially remote access from IT networks and the Internet, with an interesting segue into “break glass” connectivity.
Establish an isolation plan – talks about different kinds of site and/or subsystem emergency isolation / islanding approaches, including a brand-new discussion of the business value of hardware-enforced unidirectional communications as part of the emergency islanding plan.

With that introduction, let’s dig into what’s new and what’s interesting.

Keep Exposed Gear Patched

Lots of OT guidance talks about how important it is to patch systems. Lots talks about how hard it is to patch change-controlled or obsolete (or both) OT systems. Very few bits of guidance talk about how important it is to patch IT-exposed or Internet-exposed equipment. This document does – Section (2) says in rather abstract language, look – if we’ve had to connect something to the IT network or to the Internet – like a firewall, or a software service through a firewall – keep it patched. And if we cannot patch the connected device or software, then it should not be connected to the Internet. And if we cannot patch the underlying OS, that’s as bad as not being able to patch the application – get it off the Internet!

Centralize

I’ve never seen guidance tell us to centralize our most dangerous communications connections before. To a lot of practitioners this is second nature – if we do not have the people or skills at remote or unstaffed sites to keep communications infrastructure up to date, monitored, documented and maintained, then most of us already try to do it centrally where we do have the people. This is worth saying in guidance, and again, Section (3) is the first time I’ve seen this advice written down and endorsed by such a wide range of authorities.

Abstraction

Section (4) talks about encryption, authentication and – abstraction. The section does not use the word “abstraction” but does talk about “protocol validation.” For example, if a cloud-based AI is making complex optimization decisions and writing encrypted / authenticated Modbus into a bunch of OT PLCs, does a NGFW looking at that traffic have any hope of figuring out if the instructions to the PLCs are safe?

If instead, the AI sent an XML file into a Manufacturing Execution System (MES) in the OT network, and the XML file said to orient the to or orientation, rather than 23.2 degrees, or heat the drum to the 73% point in the allowed, safe operating temperature range rather than to 352 °C, verification of the safety of the communication would be as simple as checking the XML document to make sure it agrees with the XML schema.

Now, this is easier said than done – most of us are stuck with whatever communications protocol the application vendors give us, but the concept makes sense. And this is the first time I’ve seen a piece of multi-government guidance talk about the concept. If owners and operators start demanding this capability (citing the NCSC guidance) and using the capability to decide which external systems to purchase / connect to, vendors (hopefully) will eventually respond or lose business.

IT/OT Hardening

Section (5) starts with some introduction and then repeats the exhortation to keep our IT/OT firewalls patched. The section continues and eventually recommends hardware-based unidirectional security controls. This is not the first time we’ve seen that advice, but the unidirectional option is often missed – these people caught it.

And then the advice gets a little confusing. It talks about Cross Domain Solutions (CDS), which is a military term for (oversimplified) cleaning malware out of documents going into high-security / classified networks. In OT, an emerging use I’ve observed for this kind of CDS technology is to keep malware and other attack information out of communications that arrive in OT networks from IT, or worse from the Internet.

And then the advice gets more confusing. It starts talking about “data diodes” (hardware-enforced unidirectional communications), but the advice does not make a lot of sense unless we apply it to communications going into an OT network. This is not intuitive. Most unidirectional hardware is oriented to send stuff out of an OT network, not in. That said, I do see inbound unidirectional traffic in customer deployments increasingly frequently, and this is the first government guidance I’ve seen for sending stuff unidirectionally into an OT network.

Simplifying the advice, it says:

The simplest (inbound) hardware diodes only forward data, sometimes including attack data, into OT networks. These devices do not check for malicious content the way a CDS can.
Two diodes, one in and one out, where a communications protocol is split so that inbound packets go in through one diode and answers come out through the other is not useful – this is an “antipattern.”
The best inbound unidirectional hardware checks the validity of data passing into OT – checks the data in hardware, not in external software.
Pushing inbound data unidirectionally into a “unidirectional DMZ” (unidirectional hardware inbound one side, and a second unidirectional gateway outbound on the other side) with data validation (eg: a software CDS) done “in the middle” is a useful design.

All four are true. (1) and (2) basically say “caveat emptor.” There are diode hardware vendors out there making claims that are not defensible. (2) in particular confuses a lot of people. When I see Waterfall’s Unidirectional Gateways deployed to send information both into and out of an OT network, I never see nor recommend a round-trip protocol like the “anti-pattern” in (2). (2) is how command and control (C2) loops work.

Recommendations (3) and (4) are confusing as well – in my read (4) contradicts (3) – (4) says data validation should be done in the software CDS, while (3) says to do the validation in the unidirectional hardware. Don’t get me wrong, (4) is still a good idea, but (4) is not as powerful as (3)’s validation done in the unhackable hardware. In the past I’ve seen (4) discussed only in the context of classified networks, and even then only in the most abstract terms, because I have no security clearance. But in principle, yes, we can use the concept of a CDS between a pair of hardware-enforced gateways to push data into OT as well.

Point (3) is unusual in another respect – the requirement for hardware filtering / validation of data entering OT. I’ve only seen the hardware filtering recommendation once before – in the 2024 Modern Approaches to Network Access Security talking about hardware-enforced remote access (HERA).

Microsegmentation

Section (6) talks about lateral movement. Other documentation calls these pivoting attacks: using compromised equipment to attack other equipment in the same network, eventually reaching equipment that can push attack connections through firewalls into more critical networks. The IT buzzword to address this risk is “microsegmentation.” Section (6) is a good discussion of the role firewalls play in slowing down attack propagation inside OT networks. There is a nice discussion of using built-in host firewalls, but that discussion is missing a caveat that host firewalls are more practical higher in an OT architecture, closer to the IT network. Vendor support agreements and change control constraints make managing host firewalls harder when we get deeper into OT architectures.

And as mentioned earlier, the section has a surprisingly long discussion of the difference between routing, static firewall rules, stateful inspection and deep-packet inspection (DPI), a discussion that I’m pretty sure every OT practitioner can already recite backwards. The information is correct, but could have been much shorter, saying essentially “modern firewalls do the good stuff, and we should not pretend that what looks like firewall rules in switches and routers have much security value at all.”

What is surprisingly good is a very short section entitled “Browse Down.” I had to dig into some of their references, but what they’re saying is:

Give only a very small number of machines the ability to make far-reaching configuration and security changes – eg: minimize the number of engineering workstations, and
Lock down and secure those machines nine ways to Sunday – they are prime targets when intruders get into the systems.

Said negatively – do not allow Internet-exposed machines to carry out sensitive reconfiguration of our OT systems. For example – do not let any remote access laptop carry out these functions. I read the advice as saying, to the greatest extent feasible, “remote engineering workstations” should be an oxymoron. I agree completely – but have never heard anyone write this down before. Good job.

Break Glass Access

Section (7) has an interesting discussion of “break glass” access. Again, I had to look up what this was: accounts and especially remote access accounts that can be used to bypass normal security mechanisms in an emergency, such as when our password vault is compromised, or goes up in smoke. The term was easily find-able, so I’m guessing it’s widely used in IT. The concept makes sense – common wisdom in IT for “break glass” accounts is to secure them really thoroughly. “Break glass” accounts do not need to be convenient to use – these are emergency measures only.

The guidance recommends that if our IDS or logging ever sees anyone use a break-glass account, then those tools should issue the highest priority alarms they can to our security operations center (SOC). This makes sense. Use these powerful accounts in emergencies, not for routine remote access.

Islanding

Section (8) talks about isolation / islanding: disconnecting IT from OT in IT emergencies, such as a ransomware infection, so OT can continue working throughout the IT emergency. This advice is not unique – the US TSA continues to require emergency isolation for rail systems in TSA SD 1580-21-01E, for pipelines in TSA SD 2021-02F, and the Danes require it in their latest Executive Order 260 of 2025. What is unique is the connection to hardware-enforced unidirectional gateway technology. The advice suggests either:

Deploy a gateway as the sole connection outbound from OT to IT, which amounts to “permanent” islanding – no malware from IT can ever propagate back into OT through the gateway, or
Deploy an outbound gateway in parallel to a firewall at the IT/OT interface, so that when we power off that firewall for the duration of an IT / ransomware emergency, critical communications can still flow from OT to IT, or to the Internet – for partners, government regulators, etc.

While I’ve seen many of these kinds of unidirectional islanding deployments in the last several years, and I’m aware that regulators seem happy with those designs, this is the first time I’ve seen unidirectional hardware actually described and recommended in guidance in the context of an islanding / isolation discussion.

Conclusions

There are minor nits I could pick with the document: the guidance uses “secure” as an adjective (first law of OT security – nothing is “secure”), it talks about CIA / AIC / etc. as if information was the asset we are protecting (we in fact protect safe, reliable and efficient physical operations), and talks about “compensating controls” as if boundary protection were a secondary priority, rather than the first priority for preventing cyber-sabotage (see Bib’s 50 year old cybersecurity theory).

But there is no point in picking nits. While difficult to understand sometimes, this is a groundbreaking piece of guidance, covering useful topics that I’ve never seen covered before. Good job.

Digging Deeper

Click here for more information on Unidirectional Gateways.

Click here for more information on Hardware-Enforced Remote Access.

About the author

Andrew Ginter

Hardware Hacking – Essential OT Attack Knowledge – Episode 145

November 26, 2025

Top 10 OT Cyber Attacks of 2025

November 24, 2025

Cyber Threats to the Manufacturing Industry: Risks, Impact, and Protection Strategies

November 11, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Groundbreaking OT Security Guidance appeared first on Waterfall Security Solutions.

IT/OT Cyber Theory: Espionage vs. Sabotage

Andrew Ginter — Tue, 06 Jan 2026 14:35:13 +0000

OT Insights CenterIT/OT Cyber Theory: Espionage vs. Sabotage

IT/OT Cyber Theory: Espionage vs. Sabotage

Andrew Ginter

January 6, 2026

The second-generation of OT security advice started to emerge in 2012-2016. At the time, the difference between the second and first gen advice was a bit confusing. In hindsight, one important difference has become clear – the difference between preventing cyber-sabotage vs. cyber-espionage. We do not prevent sabotage the same way we prevent espionage. **50** year old cybersecurity theory (wow – we’ve been at this a long time) makes the difference clear. Bell / La Padula’s theory is how we prevent espionage, while Biba’s theory is how we prevent cyber-sabotage.

Let’s look at each of these theories and at how they define one of the fundamental differences between our approach to OT vs IT security.

First Gen Security Advice

First-gen OT security advice said, loosely:

Information is the asset we protect, so
Assure the confidentiality, integrity and availability (CIA) of the information assets.

And of course, we muttered at the time a bit about CIA vs AIC vs IAC as priorities, but we all agreed, however hard the concept seemed at the time, that information was the asset we were protecting. This was and is, back of the envelope, exactly what we still do on IT networks. After all, when engineering teams first started looking at cybersecurity, who were the experts we could call on for help? There were no OT security experts back then, and so we called on IT experts. It is therefore no surprise that first-gen OT security advice was close to indistinguishable from IT security advice.

The theory backing up preventing theft of information was defined by Bell and La Padula. The theory had its roots in timeshared computers – 50 years ago, large organizations had only small numbers of computers with hundreds of users each. And in some organizations, like the military, it was really important that we prevent low-classification users from reading high-classification national secrets. Bell / La Padula theory mandated that, to prevent espionage:

A “subject” or “actor” at a given security level must never be able to read information from a higher security / classification level, and
That actor must never be able to write information to any lower security level.

Rule (1) is obvious to most people encountering the theory for the first time. (2) often seems a little strange. To make sense of (2), imagine that malware has established a foothold in a classified user’s account. If the user can write sensitive classified information into less-sensitive areas of the computer, then so can the malware. In the worst case, the information may be steganographically encoded – such as spreading the information through the low-order bits of pixels in images. To prevent all information leakage, we must forbid any information flowing from high-security to low-security users and systems, because steganographic encoding is always possible, at least in theory.

Second-Gen OT Security

Second-gen advice said, loosely, that in most OT systems, information is not the most important asset we protect, but rather:

Safe, reliable and efficient physical operations are what we protect, and
All cyber-sabotage is (by definition) information, so to protect physical operations, we must control the flow of attack information into high-consequence automation systems and networks from lower-consequence networks.

At the time this advice came out, (a) made a lot of sense to a lot of engineering teams. They had never been comfortable with the idea that information was the asset they were trying to protect. (b) seemed a bit strange at first to a lot of people but made sense if you thought about it for a day or two. Nobody can deny that cyber-sabotage is information – the only way an automation system can change from a normal state to a compromised state is if attack information enters the system, somehow. Controlling the flow of information therefore makes sense – and if we think about first-gen OT security advice, such as the IEC 62443-1-1 standard, a good half of that first standard was focused on network segmentation – controlling the flow of attack information.

The theory backing up this second-gen perspective was defined by Biba, not Bell and La Padula. Biba’s theory also had its roots in timeshared computers for the military, but was focused on preventing sabotage, not preventing espionage. Eg: think the difference between preventing re-targeting of nuclear weapons, vs. preventing the theft of the knowledge of how to build those same weapons. Biba’s theory mandated that, to prevent cyber-sabotage:

A “subject” or “actor” at a given security level must never be able to read information from a lower security level, and
That actor must never be able to write information to any higher level.

Rule (2) is easier to understand for most people encountering the theory for the first time – a malicious actor must not be able to write malware into a higher security level (eg: to change the missiles’ targets). In Biba’s theory, (1) is the strange one. To make sense of it, imagine that malware has established a foothold in a less-secured, less-sensitive network, like the Internet. If a sensitive network pulls information from the Internet, we risk pulling malware, which if activated, can wreak havoc.

Second-gen advice therefore generally forbade any online transfer of information from less-secure networks into high-consequence safety-critical or equipment-critical networks.

Data Diodes + Unidirectional Gateways

Data Diodes were the military’s answer to Bell / La Padula and Biba. Unidirectional Gateways were OT security’s answer. The difference?

Data Diodes send information into confidential military networks and are physically unable to leak any national secrets back out.
Unidirectional Gateways send information out of OT networks into IT, and are physically unable to leak cyber-sabotage attacks back in.

There are secondary differences as well. For example, data diodes typically transmit a very limited number of data types into military networks through custom-engineered software, while unidirectional gateways replicate OPC, historian and many other kinds of servers out to IT networks using off-the-shelf software components.

And every rule has exceptions. Many manufacturing operations use trade secrets that they cannot afford to have stolen, for example. And most industrial operations need some very small, very select data to flow back into the system from time to time.

Both Bell / La Padula and Biba’s theories provided for these exceptions, and demanded that any data flow that violated the primary principles be minimal, simple, understandable, and deeply scrutinized to ensure that the primary objective (preventing espionage, or sabotage, respectively) was not compromised by these secondary objectives and data flows.

Resilience

Third-gen OT security advice, FTR, is still emerging and is focused on resilience. The theoretical framework behind resilience is more engineering practice than mathematics, but we are working on it. The most thorough, most widely-used resilience framework today is Idaho National Laboratory’s (INL’s) Cyber-Informed Engineering (CIE). CIE is positioned as “the big umbrella.” CIE encompasses cyber-relevant parts of safety engineering, protection engineering, automation engineering, and network engineering, as well as most of the cybersecurity discipline, including all of Bell / La Padula and Biba’s theories.

Using This Knowledge

An important difference between IT and OT networks is the difference between preventing espionage and preventing sabotage. First-gen advice seemed a hard fit for OT, in part because that advice tried to apply the language and concepts of preventing espionage to the task of preventing sabotage. In hindsight, second-gen advice corrected this, though neither generation of advice used the words “espionage” nor “sabotage,” nor did they reference 50-year-old theory.

Today our terminology is maturing, and OT security’s connections to the theoretical foundations of cybersecurity are becoming clearer. Clarifying this understanding and terminology helps a lot when trying to get our engineering and enterprise security teams to work together. If we are to cooperate effectively, we need to understand foundational differences between the assets and networks we protect, and we need a terminology to express those differences as we design our joint security programs.

Digging Deeper

This is one of the topics that will be covered in Waterfall’s Jan 28 webinar Bringing Engineering on Board and Resetting IT Expectations. Please to register.

About the author

Andrew Ginter

Top Oil and Gas Security Challenges and Best Practices for Protection

November 11, 2025

Data Diode vs Firewall: Understanding the Key Differences in OT Security

November 4, 2025

Security by Design- The New Imperative for Rail Systems

November 4, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post IT/OT Cyber Theory: Espionage vs. Sabotage appeared first on Waterfall Security Solutions.

Ships Re-Routed, Ships Run Aground

Andrew Ginter — Tue, 06 Jan 2026 09:38:29 +0000

OT Insights CenterShips Re-Routed, Ships Run Aground

Ships Re-Routed, Ships Run Aground

Andrew Ginter

January 6, 2026

“Everyone” has heard of the 5-week shutdown of Jaguar Land Rover by a cyber attack. That attack is the obvious headline for Waterfall’s up-coming webinar “Top 10 OT Cyber Attacks of 2025” that I’m currently researching. But – is this attack the most interesting of 2025?

Here are a couple other incidents for consideration:

Container ship MSC Antonia runs aground due to GPS spoofing
Bulker Meghna Princess carrying 25,000 tons of fertilizer runs aground due to GPS spoofing (occurred in Dec 2024, but was disclosed only in Mar 2025),
15-year old teen hacks maritime route of oil tanker and other vessels

While details of the investigations into these events have not been published, on the surface the three incidents seem evidence of the importance of evaluating residual risk when we design automation and cybersecurity systems.

GPS Spoofing

A bit of background first: GPS Spoofing (as opposed to simpler GPS jamming) is when false geolocation signals are transmitted, either directionally to affect a specific target, or broadcast in a region to affect indiscriminately all nearby receivers. GPS satellite signals are comparatively weak, and it does not take a very powerful transmitter to overwhelm legitimate signals. GPS spoofing has become fairly common in kinetic conflict areas such as the Middle East (the Red Sea in particular), the North/South Korean border, the Black Sea and Baltic Sea, Northern Europe, and anywhere near Ukraine and western Russia. All of which means that anyone who cares about where they are in these and other regions really cannot rely exclusively on GPS.

Rerouting Tankers

The original report of the teenager’s hack of ship routes included graphics with the appearance of an Electronic Chart Display and Information System (ECDIS), which is a shipboard system that regulators allow as a substitute for paper charts. ECDIS display the position and heading of vessels automatically, pulling information from the ship’s GPS, other location systems, as well as Automatic Identification System (AIS) broadcasts from nearby ships detailing those ships’ location, speed, heading and other navigational data. Some (all?) these ECDIS can also steer ships by auto-pilot, once a route is entered. While the news report’s ECDIS-looking graphic was entitled “Maritime traffic in the Mediterranean” and subsequent reports claimed the teenager in fact hacked into one or more ECDIS, these reports may not be accurate. It seems more plausible, to me at least, that the individual hacked into a shore-side system that managed route planning for multiple ships, rather than hacked into multiple ships at sea and modified their shipboard systems to bring about the diversions.

Assessing Residual Risks & Consequences

Managing cyber risk to physical operations involves more than blindly deploying a bunch of OT security controls, dusting our hands off, and walking away. It’s easy to say “Hah! They should have had two factor!” or some such, but 2FA isn’t going to help with GPS spoofing is it?

Once we’ve deployed an automation or security system, we need to evaluate residual risk – what’s left over? The right way to do this is not just to produce a list of missing patches in our PLC’s. The right way is to look at a representative spectrum of credible attacks – attacks that are reasonable to believe may be leveled against us, the system, or someone much like us or the system, within our planning horizon. Evaluate these credible attacks against our defensive posture and determine what are credible consequences – what consequences are reasonable to expect when a credible attack hits us? And when those consequences are unacceptable (eg: ship runs aground, oil tanker is diverted into environmentally sensitive waters), we need to change something.

For example, given the prevalence of GPS spoofing in many regions, and the prevalence of GPS jammers in many more, it seems reasonable to me that anyone (operating a ship, an aircraft, or a locomotive) who needs to know their precise position or even the precise time needs multiple, independent sources of that information. And we need alarms to sound when those independent sources disagree materially, and we need manual or other fall-back procedures when we detect such disagreement.

Another example – given the importance of a big vessel’s route, it seems reasonable that when the route changes for any reason, the captain should be notified of the change, and the change logged in an indelible / WORM ship’s log. It also seems reasonable that captains or acting captains are trained to examine unexpected route changes to make sure they make sense – not just because of potential attacks, but because of potential errors and omissions of shipboard or on-shore personnel. Note: I’m not an expert on shipboard systems – for all I know all this happens already and is how the teenager’s hack was detected? One can hope.

Reasonable Responses to Credible Threats

When we make decisions about other people’s safety, we have ethical and often legal obligations to make reasonable decisions. For that matter, when we make decisions about other people’s money, especially large amounts of it, we have similar obligations. OT security is more than OT putting our head in the sand and saying “Ship route planning is an IT system.” It is more than IT putting their head in the sand and saying “Not running aground is the captain’s responsibility.” Every business has an obligation to make reasonable design, training and other decisions about the safety of the public and workers, and reasonable decisions about the large amounts of money invested in physical processes like large ships.

More generally, we study attacks to understand what is reasonable to defend against. And we study breaches and defensive failures to try to understand whether our own management processes would really have prevented analogous breaches and failures.

About the author

Andrew Ginter

Cybersecurity Risk Assessment for Public Transport OT Environments: A Practical Guide

October 30, 2025

Managing Risk with Digital Twins – What Do We Do Next? – Episode 144

October 20, 2025

IT & OT Relationship Management

October 20, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Ships Re-Routed, Ships Run Aground appeared first on Waterfall Security Solutions.

New CISA, CCCS et al Alert | Advice on Pro-Russian Hacktivists Targeting

Andrew Ginter — Tue, 06 Jan 2026 08:49:25 +0000

OT Insights CenterNew CISA, CCCS et al Alert | Advice on Pro-Russian Hacktivists Targeting

New CISA, CCCS et al Alert | Advice on Pro-Russian Hacktivists Targeting

Andrew Ginter

January 6, 2026

The most recent CISA, CCCS et al alert / advice on pro-Russian hacktivists targeting critical infrastructures is a lot of good work, with one or two exceptions. The alert documents poorly resourced hacktivists connecting with ICS gear over the Internet and hacking it. That gear tends to control critical infrastructures in the smallest, poorest and weakest of critical infrastructure installations – infrastructures most in need of simple, clear advice.

To its credit, the guide documents threats and tactics, and provides advice to both owners / operators and device manufacturers. However, the guide misses the mark in the section “OT Device Manufacturers.” I find this language very misleading:

“Although critical infrastructure organizations can take steps to mitigate risks, it is ultimately the responsibility of OT device manufacturers to build products that are secure by design.”

And,

“By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates.”

When I read these words, the message I get is “If device manufacturers would only do their job better, then critical infrastructure owners and operators could ignore security and go forth to connect as much of their control systems as they wish to the Internet.”

This is of course nonsense.

We can configure “secure” products into hopelessly insecure systems, just as we routinely (with a bit of care) configure “insecure” ICS products into “secure” systems. That manufacturers should “take ownership of security outcomes” does not mean they can or should ever take sole ownership of such outcomes. A sentence or two to this effect would help readers better understand the relative responsibilities of manufacturers vs. owners & operators.

By analogy, automobile manufacturers can build all the seat belts, turn signals and rear-view mirrors they want into their vehicles, owners and operators still need to be taught to use these features to improve their driving safety. More specifically, owners and operators of the smallest, poorest and most vulnerable critical infrastructures need to hear that it is never reasonable for them to deploy safety-critical nor reliability-critical HMIs on the Internet, no matter what “secure” by design features have been built into these products.

And again, while I commend these organizations for doing the work of putting out the alert / guidance, a second feedback is that their advice to owners and operators missed the mark. It is not that the advice is wrong – it the wrong audience. The advice is appropriate for larger “medium-sized” infrastructures with a larger workforce, some of whom are knowledgeable in basic computer and cybersecurity concepts. The hacktivist attacks we’re talking about are targeting the smallest, poorest and least well-defended of critical infrastructures globally. These are organizations that uniformly suffer from STP Syndrome – Same Three People.

There is nobody no staff in these organizations who will understand the carefully phrased, completely general and abstract language of the guide’s 8 major recommendations and 17 sub-recommendations. These smallest organizations need the simplest advice possible. Eg:

Don’t connect any of your OT systems on the Internet. Ever.
Don’t enable remote access into any of your OT systems. Ever.
Auto-update all of your ICS firewalls, and religiously replace these devices every 3 years, because let’s face it, some time after that the manufacturer is going to stop providing updates, and when they do, you’re not going to notice are you?
Lock the doors to rooms containing your OT gear, and change the locks annually to control who has access to the space, because again, let’s face it, you’re going to lose track of who has those keys aren’t you?
Make sure you have backups and spare equipment to restore those backups into when your main equipment breaks, or when that gear is hacked irrecoverably.
Buy insurance from a reliable provider who can send someone who knows what they’re doing to your site when you have an emergency, to clean up the mess and restore your systems.

Again – I commend these organizations for making the effort. Securing the smallest, least-capable critical infrastructures is a hard problem to solve. This document is much better than nothing but would benefit from clearer and stronger guidance targeting owners and operators of the smallest critical infrastructure control systems, not just manufacturers of the control devices in those systems.

About the author

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post New CISA, CCCS et al Alert | Advice on Pro-Russian Hacktivists Targeting appeared first on Waterfall Security Solutions.

Blog – Waterfall Security Solutions

8 (and a Half) Questions for Your OT “Secure” Remote Access Vendors

8 (and a Half) Questions for Your OT “Secure” Remote Access Vendors

Ask different questions, get different answers: What should you be asking your OT “secure” remote access (SRA) vendor?

Waterfall team

Question 1: For SRA into OT systems, does your vendor provide IT-grade protection we HOPE can detect attacks in time, or do they provide hardware-enforced, engineering-grade protection?

Question 2: If someone phishes an SRA credential, can they exploit a vulnerability in the Multi-Factor Authentication (MFA) to get into the protected OT systems?

Question 3: Is that SRA a H2M solution, or an M2M solution?

Question 4: Can users override SRA encryption / certificate warnings?

Question 5: Can you paste or file-transfer arbitrarily complex files into OT equipment remotely?

Question 6: Is there a session timeout?

Question 7: Do you require deny-by-default on firewalls protecting OT networks?

Question 8: Does your OT SRA need a firewall?

Question 8 1/2: Does your SRA support MFA?

Digging Deeper

About the author

Waterfall team

Share

Trending posts

Stay up to date

Tags

80K Stryker Devices Wiped Following Iran-Attributed Attack

80K Stryker Devices Wiped Following Iran-Attributed Attack

Stryker produces medical devices. An Iran-attributed attack erased 80,000 corporate and personal devices (cell phones? laptops?) as a result of an intrusion into the Microsoft cloud and an instruction from that cloud to erase / reset the devices.

Andrew Ginter

About the author

Andrew Ginter

Share

Trending posts

Stay up to date

Tags

Cyber-Informed Engineering Recognized with Cyber Policy Award for Research Impact

Cyber-Informed Engineering Recognized with Cyber Policy Award for Research Impact

Waterfall team

What is Cyber Informed Engineering?

Waterfall and Cyber Informed Engineering

About the author

Waterfall team

Share

Trending posts

Stay up to date

Tags

Waterfall Security Solutions recognized by Gartner®

Waterfall Security Solutions recognized by Gartner®

Waterfall team

Hardware-Enforced Remote Access

Modern OT Remote Access

About the author

Waterfall team

Share

Trending posts

Stay up to date

Tags

Consequential OT Breaches Dropped in 2025 – What Happened?

Consequential OT Breaches Dropped in 2025 – What Happened?

In 2025, 57 cyber attacks caused real-world damage in heavy industry, world-wide. This is a 25% drop from 2024, and the first drop in this statistic in six years. What happened?

Andrew Ginter

The OT Data Set

The Ransomware Data

Analysis

Conclusion

About the author

Andrew Ginter

Share

Trending posts

Stay up to date

Tags

How to Apply the NCSC/CISA 2026 Guidance

How to Apply the NCSC/CISA 2026 Guidance

Hardware-enforced OT Security solutions help industrial operators follow the latest multi-government OT security guidance.

Waterfall team

FAQ about the NCSC / CISA “Secure Connectivity Principles for Operational Technology (OT)” guidance

Groundbreaking OT Security Guidance

Groundbreaking OT Security Guidance

I’ve been working in OT security for decades and I don’t say this lightly: I’ve never seen guidance like this before. The UK NCSC, alongside CISA, the Canadian CCCS, and others, just released new guidance on securing OT connectivity that includes topics rarely (if ever) covered before.

Andrew Ginter

Overview

Keep Exposed Gear Patched

Centralize

Abstraction