Joint guidance on secure connectivity principles for operational technology – Canadian Centre for Cyber Security

Summary

The Canadian Centre for Cyber Security has teamed up with the UK National Cyber Security Centre and international partners (ASD/ACSC, BSI, NCSC-NL, NCSC-NZ, CISA and the FBI) to publish joint guidance on secure connectivity principles for operational technology (OT). The guidance sets out desirable end-states — goals rather than minimum requirements — for designing and managing OT connectivity, and is intended as a framework for system owners to apply to both new and legacy OT environments. It emphasises the particular importance of these principles for operators of essential services and addresses common operational constraints such as legacy systems and fragile upgrade paths, while noting that opportunistic and capable threat actors actively target exposed OT connectivity.

Key Points

  • This is a multinational, joint guidance effort led by the Canadian Centre for Cyber Security and the UK NCSC, with input from major partners including ASD/ACSC, BSI, NCSC-NL, NCSC-NZ, CISA and the FBI.
  • The guidance defines desirable end-states for secure OT connectivity — intended as aspirational goals rather than prescriptive minimums.
  • System owners should use these principles as a design and management framework for both new and existing OT systems.
  • Emphasis on critical services: the principles are especially relevant for operators of essential infrastructure where OT security failures have major consequences.
  • Guidance recognises operational constraints such as legacy technologies that were not built for modern connectivity and security, and recommends pragmatic approaches to mitigate risk.
  • Threat context: opportunistic and sophisticated adversaries target poorly secured OT connectivity, increasing the urgency of adopting these principles.
  • The joint publication links to further detail and implementation guidance hosted by the UK NCSC.

Why should I read this?

Short version: if you look after, design, procure or secure OT — especially for essential services — this guidance is worth a quick read. It’s a practical, internationally aligned set of goals you can use as a checklist when wrestling with legacy kit, tricky maintenance windows and real-world constraints. We’ve skimmed the detail so you don’t have to — but don’t skip the full guidance if you run OT.

Context and relevance

OT environments underpin critical infrastructure — energy, transport, water, manufacturing — and are increasingly connected, which raises exposure to cyber threats. This joint guidance reflects a consensus approach to reducing connectivity risks across borders and sectors. It aligns with broader trends in cyber resilience: hardening legacy systems, adopting secure connectivity patterns, and prioritising essential services. Organisations should map these end-state goals to their risk registers, procurement decisions and operational change programmes. The guidance also sits alongside related Canadian materials on post-quantum cryptography preparedness.

Related guidance

Roadmap for the migration to post-quantum cryptography for the Government of Canada (ITSM.40.001)
Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)

Source

Source: https://cyber.gc.ca/en/news-events/joint-guidance-secure-connectivity-principles-operational-technology