How to Apply the NCSC/CISA 2026 Guidance
Hardware-enforced OT Security solutions help industrial operators follow the latest multi-government OT security guidance.
Waterfall team
For the first time, joint guidance from the UK NCSC, co-signed by CISA, BSI, Australia’s ACSC and others, calls for centralizing risky connections into OT networks, simplifying instructions sent into OT so they can be inspected for safety, and even “browsing down” for engineering workstation access. Alongside these newer ideas, it reinforces more established advice, such as hardening OT boundaries with hardware-enforced protections like Unidirectional Gateways and Hardware-Enforced Remote Access.
The challenge is that the guidance is fairly abstract. The principles are clear, but how to apply them in real OT architectures is not always obvious.
What are the 8 core principles of the NCSC / CISA “Secure connectivity principles for Operational Technology (OT)” guidance, and how does Waterfall support their application?
1) Balance the risks and opportunities – Waterfall’s Unidirectional Gateways dramatically reduce cyber risks to connected OT networks. One-way hardware prevents any information, attack traffic included, from flowing back into the OT network, significantly reducing risk even for obsolete, unpatchable targets.
2) Limit the exposure of your connectivity – Waterfall’s Secure Bypass product is a time-limited switch that controls how often, and for how long, vulnerable software components are exposed to external networks. Waterfall’s Unidirectional Gateways are intrinsically outbound-only: no inbound threat can reach connected devices through the gateways.
3) Centralise and standardise network connections – Waterfall’s Unidirectional Gateways scale from the smallest DIN-rail form factors to 10Gbps rack-mount devices supporting dozens of simultaneous connectors and replications, making both distributed and centralized deployments straightforward.
4) Use standardised and secure protocols – Waterfall’s Unidirectional Gateways support dozens of OT protocols and applications, both plain-text and encrypted versions. Better yet, even when using plain-text communications into IT networks, no session hijack or other plain-text attack can reach through the unidirectional hardware back into the OT network to put physical operations at risk.
5) Harden your OT boundary – The guidance recommends hardware-enforced unidirectionality and integrity filtering. Waterfall’s Unidirectional Gateways enforce unidirectionality in hardware. Waterfall’s Hardware-Enforced Remote Access (HERA) uses a hardware filter to ensure only HERA protocol information can enter the OT side of the HERA device.
6) Limit the impact of compromise – Waterfall Unidirectional Gateway and FLIP products are compatible with a wide variety of anti-virus systems, patch management systems, zero-trust controls and other systems that provide the second layer of defence in defence-in-depth programs.
7) Ensure all connectivity is logged and monitored – Waterfall for IDS is hardware-enforced protection for SPAN and mirror ports that send traffic to IT-resident OT intrusion detection system (IDS) sensors. Waterfall partners with the leading OT IDS vendors.
8) Establish an isolation plan – Waterfall’s Unidirectional Gateways are used by TSA-compliant sites and other sites with isolation / islanding requirements. The gateways ensure critical data continues to move, even during “isolation” emergencies where firewalls are not permitted to connect OT with IT networks, or the Internet.
Waterfall’s Unidirectional Gateway, HERA remote access and other hardware-enforced products are dramatically stronger than software and are used routinely at the sensitive IT/OT trust/consequence boundary.
FAQ about the NCSC / CISA “Secure Connectivity Principles for Operational Technology (OT)” guidance
What are the key recommendations from the NCSC / CISA “Secure Connectivity Principles for Operational Technology (OT)” guidance?
The guidance heavily emphasizes a “Push-Only” architecture, where data is sent from the secure OT zone to lower-trust corporate zones, preventing external, unsolicited inbound connections. The guidance recommends unidirectional hardware as a powerful tool to enforce the “push only” rule.
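To make the “push-only” pattern concrete, and to show why the guidance points to unidirectional hardware rather than to another firewall rule, here is a push-only OT boundary expressed as a conventional stateful firewall policy. This is an added illustration, not Waterfall or NCSC/CISA material; the interface names (ot0 on the OT side, it0 on the IT side), the addresses and the destination port are assumptions chosen for the example.

```nftables
# Added illustration of a "push-only" OT boundary on a stateful software firewall.
# Not Waterfall or NCSC/CISA material. Interface names (ot0 = OT side, it0 = IT side),
# addresses and the historian port are assumed for the example.
table inet ot_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions opened from the OT side are allowed back in.
        # This is the caveat: a stateful firewall is "push-only" only at the session
        # level. Packets still flow IT -> OT inside every established TCP session, so a
        # compromised IT-side receiver still has a channel to the OT-side sender.
        ct state established,related accept

        # The only permitted new session: the OT data pusher sending to the IT-side
        # historian replica. Nothing else may open a session in either direction.
        iifname "ot0" oifname "it0" ip saddr 10.10.0.50 ip daddr 10.20.0.10 tcp dport 5671 ct state new accept

        # Log and drop everything else, including every IT-initiated connection into OT.
        log prefix "ot-boundary-drop " drop
    }
}
```

Load the policy with `nft -f <file>` and confirm it with `nft list ruleset`. The point of the comparison is the `established,related` line: a software firewall cannot remove it without breaking TCP, so IT-to-OT packets always exist inside permitted sessions. A hardware-enforced unidirectional gateway has no equivalent return path at all; the IT-side replica is populated over a physically one-way link, which is why the guidance lists hardware-enforced unidirectionality under “harden your OT boundary” rather than as a variant of firewall configuration.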
Who is the NCSC / CISA “Secure Connectivity Principles for Operational Technology (OT)” guidance for?
The guidance is for OT asset owners and operators, cybersecurity professionals, integrators, manufacturers, risk managers and engineers at medium-sized to large industrial sites or enterprises. The guidance is fairly abstract and requires expertise to interpret, expertise that is generally not available at the smallest industrial sites.