Joint guidance on secure connectivity principles for operational technology – Canadian Centre for Cyber Security
Summary
The Canadian Centre for Cyber Security has co-published joint guidance with the UK’s NCSC and international partners (ASD/ACSC, BSI, NCSC-NL, NCSC-NZ, CISA and the FBI) outlining secure connectivity principles for operational technology (OT).
The guidance sets out desirable end-states organisations should aim for when designing OT connectivity. These are goals rather than minimum requirements and are intended to help system owners design, implement and manage secure OT connectivity for both new and legacy systems. The publication emphasises the real-world constraints OT operators face — for example, legacy equipment not built for modern connectivity — and the risk posed by opportunistic, capable threat actors targeting exposed OT connections.
System owners, particularly operators of essential services, are encouraged to use these principles as a framework to improve resilience and reduce attack surface. The joint publication from the partners provides the full details and implementation considerations.
Key Points
- This is multi-national, authoritative guidance co-published by Canada, the UK, the US (CISA & FBI), Australia, Germany, the Netherlands and New Zealand.
- Guidance defines desirable end-states for secure OT connectivity — aspirational goals to guide design and management rather than prescriptive minima.
- Emphasises practical realities: legacy OT, operational constraints and the need for risk-based prioritisation.
- Targets system owners and operators of essential services who must balance availability with security.
- Encourages using the principles as a framework to design, implement and manage secure connectivity across new and existing OT estates.
- Directs readers to the full publication (NCSC) for implementation details and further technical guidance.
Why should I read this?
Put simply: if you run, support or secure OT — think utilities, transport, manufacturing, water treatment — this is worth five minutes. It’s a compact, jointly backed set of principles from major national cyber agencies that tells you what good OT connectivity should look like and why it matters. The guidance doesn’t pretend every environment can reach every goal overnight, but it gives a clear target list to help you prioritise fixes and justify changes to operations teams and leadership.
Author note
Punchy take: this is important. A coordinated international stance on OT connectivity raises the bar for attackers and provides a practical roadmap for defenders. Essential-service operators should prioritise reviewing the guidance and mapping the end-states to their most critical assets.