#ot-security #ncsc #critical-infrastructure #ics #nis2

NCSC's new OT recommendations — what they mean for your organization

Alexander Norman

NCSC released new guidelines today for protecting operational technology. We summarize the most important measures and how they connect to practical security work.

The National Cybersecurity Centre (NCSC, Sweden) today published two new documents on protecting operational technology environments (OT) — systems that control physical processes in industry, energy, water and other critical infrastructure.

The message is clear: OT environments remain one of the most exposed parts of an organization's technology landscape. The systems have long lifespans, speak legacy protocols, and were never designed for the connectivity they are now exposed to.

Why this is urgent

The attack surface for OT systems is growing rapidly. Digitalisation drives interconnection between IT and OT, but security doesn't keep up. NCSC specifically points out that:

  • Many organizations lack visibility into their OT environments — they don't know what exists or how it connects
  • Security updates are hard to perform on systems running 24/7
  • Legacy protocols (Modbus/TCP, DNP3, OPC DA) carry no authentication or encryption as commonly deployed, so anyone who can reach the port can read and write process values
  • Pro-Russian groups have been documented conducting destructive attacks on industrial facilities

The consequences of a successful attack can be society-critical — energy supply, water management, industrial processes.

The two new documents

NCSC has published:

  1. Operational technology – recommendations for decision-makers and organizations — strategic guidance for management teams and organizations
  2. In-depth advice and recommendations for protecting OT environments — technical detail level for those implementing protection

Both are available as PDF on NCSC's publications page.

The most important technical recommendations

1. Segment OT from IT

The most fundamental measure. The OT network must be physically or logically separated from the company's IT network. Specifically:

  • Separate network zones for control systems, safety systems and administration
  • Firewalls between zones — only necessary traffic allowed
  • 802.1X to identify and control connected devices
  • Document traffic flows and firewall rules — review regularly

2. Restrict remote access

Remote access to OT environments is one of the most common attack vectors. NCSC recommends:

  • VPN gateway as first layer
  • Bastion host / jump box as the only entry to the OT network
  • No direct access from internet to OT devices
  • Prevent lateral movement — if an HMI is compromised, the attacker should not be able to reach PLCs
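Recommendations 1 and 2 both come down to a documented zone model with an explicit allow-list of cross-zone flows, and the advice to "review regularly" means checking what actually flows against that list. The script below is an added example of such a review, not code from NCSC's publications or from this page. The zone addresses, the allowed flows and the sample traffic are all constructed for illustration; a real review would load zones and rules from the organization's own inventory and firewall configuration, and flows from a firewall log or NetFlow export.

```python
import ipaddress
from typing import Optional

# Constructed zone model for this example (assumed addressing, not from any real site).
ZONES = {
    "it": ["10.1.0.0/16"],               # office / enterprise network
    "jump": ["10.2.0.0/24"],             # OT DMZ holding the bastion host(s)
    "supervisory": ["192.168.10.0/24"],  # HMIs, historian, engineering workstations
    "control": ["192.168.20.0/24"],      # PLCs and RTUs
    "safety": ["192.168.30.0/24"],       # safety instrumented systems
}
OT_ZONES = {"supervisory", "control", "safety"}

# Documented allow-list of cross-zone flows: (src_zone, dst_zone, proto, dst_port).
# Anything not listed is denied at the zone boundary. Ports are assumptions.
ALLOWED_FLOWS = {
    ("it", "jump", "tcp", 22),               # operators reach the bastion host only
    ("jump", "supervisory", "tcp", 3389),    # bastion reaches HMIs / engineering stations
    ("supervisory", "control", "tcp", 502),  # HMIs poll PLCs over Modbus/TCP
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return "internet"


def classify(flow: dict) -> Optional[str]:
    """Return None if the flow complies with the zone policy, otherwise a reason."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if src == dst:
        return None  # intra-zone traffic is not policed at the zone firewall
    if (src, dst, flow["proto"], flow["dport"]) in ALLOWED_FLOWS:
        return None
    # Order matters: report the most serious policy breach first.
    if src == "internet" and dst in OT_ZONES:
        return "direct internet access to OT device"
    if src == "it" and dst in OT_ZONES:
        return "IT reaches OT without passing the bastion host"
    if dst == "safety":
        return "safety zone reachable from another zone"
    if src == "supervisory" and dst == "control":
        return "HMI-to-PLC traffic outside the documented protocol/port"
    return "flow not in the documented allow-list"


def review(flows: list) -> list:
    """Run every observed flow through the policy and collect (flow, reason) violations."""
    violations = []
    for flow in flows:
        reason = classify(flow)
        if reason is not None:
            violations.append((flow, reason))
    return violations


# Constructed sample flows, as they might be exported from a firewall log.
SAMPLE_FLOWS = [
    {"src": "10.1.5.20", "dst": "10.2.0.10", "proto": "tcp", "dport": 22},
    {"src": "10.2.0.10", "dst": "192.168.10.5", "proto": "tcp", "dport": 3389},
    {"src": "192.168.10.5", "dst": "192.168.20.7", "proto": "tcp", "dport": 502},
    {"src": "203.0.113.9", "dst": "192.168.10.5", "proto": "tcp", "dport": 5900},   # VNC from the internet to an HMI
    {"src": "10.1.5.20", "dst": "192.168.20.7", "proto": "tcp", "dport": 502},      # office PC talking Modbus to a PLC
    {"src": "192.168.10.5", "dst": "192.168.30.2", "proto": "tcp", "dport": 502},   # HMI reaching the safety system
]

if __name__ == "__main__":
    for flow, reason in review(SAMPLE_FLOWS):
        print(f"VIOLATION {flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']}  {reason}")
```

Running it over the sample flows reports three violations: the direct internet-to-HMI session, the office PC reaching a PLC without going through the jump host, and the HMI talking to the safety zone. The first three flows match the allow-list and produce nothing, which is the point of the exercise: the list of documented flows should be short enough that every line can be justified.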

3. Actively monitor OT traffic

You can't protect what you don't see. The recommendations emphasize:

  • Continuous monitoring of OT network traffic
  • Detection of anomalous communication patterns
  • Log all access attempts and configuration changes
  • PLCs and HMIs usually run no endpoint protection and accept commands with weak or no authentication, so their traffic deserves the closest attention
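Because a PLC will execute any well-formed write it receives, "detect anomalous communication patterns" in practice means looking inside the protocol, not just at connection counts. The following is an added example, not code from NCSC or from this page: a minimal Modbus/TCP inspector that parses the MBAP header and function code, then flags frames that fall outside a constructed baseline (write function codes from hosts not authorized to write, talker pairs never seen before, non-public function codes typically used for engineering or vendor operations, the diagnostics sub-function that forces a device into listen-only mode, and malformed frames). The baseline, the host addresses and the sample frames are all constructed; a real baseline comes from a learning period on the monitored network plus the change-management records.

```python
import struct

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Public function codes defined in the Modbus Application Protocol specification.
PUBLIC_FCS = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
# Function codes that change device state (coils, registers, file records).
WRITE_FCS = {5, 6, 15, 16, 21, 22, 23}
# Diagnostics (FC 8) sub-function 0x0004 puts the device into listen-only mode.
FORCE_LISTEN_ONLY = 0x0004

# Constructed baseline (assumptions for this example).
BASELINE_PAIRS = {("192.168.10.5", "192.168.20.7"), ("192.168.10.50", "192.168.20.7")}
WRITE_AUTHORIZED = {"192.168.10.50"}  # the engineering workstation


def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP fields and PDU; raise ValueError on malformed input."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def inspect(src: str, dst: str, frame: bytes) -> list:
    """Return a list of alert strings for one observed frame (empty if benign)."""
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError as e:
        return [f"malformed frame: {e}"]
    alerts = []
    fc = pdu["fc"]
    if (src, dst) not in BASELINE_PAIRS:
        alerts.append(f"new talker pair {src} -> {dst}")
    if fc in WRITE_FCS and src not in WRITE_AUTHORIZED:
        alerts.append(f"write function {fc} from host not authorized to write")
    if fc not in PUBLIC_FCS:
        alerts.append(f"non-public function code {fc} (vendor/engineering traffic)")
    if fc == 8 and len(pdu["data"]) >= 2 and struct.unpack(">H", pdu["data"][:2])[0] == FORCE_LISTEN_ONLY:
        alerts.append("diagnostics sub-function 0x0004: force listen-only mode (denial of service)")
    return alerts


def build_frame(tid: int, unit: int, fc: int, data: bytes, pid: int = 0) -> bytes:
    """Build a Modbus/TCP request; pid != 0 is only used to construct a malformed sample."""
    return struct.pack(">HHHBB", tid, pid, len(data) + 2, unit, fc) + data


# Constructed sample traffic: (src, dst, frame).
SAMPLE = [
    ("192.168.10.5", "192.168.20.7", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),                  # HMI polls 10 registers
    ("192.168.10.50", "192.168.20.7", build_frame(2, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x2a")),  # engineering station writes one register
    ("192.168.10.5", "192.168.20.7", build_frame(3, 1, 6, struct.pack(">HH", 0, 42))),                  # HMI writes a register
    ("10.1.5.20", "192.168.20.7", build_frame(4, 1, 3, struct.pack(">HH", 0, 1))),                      # office PC reads a PLC
    ("192.168.10.5", "192.168.20.7", build_frame(5, 1, 8, struct.pack(">HH", 4, 0))),                   # force listen-only
    ("192.168.10.5", "192.168.20.7", build_frame(6, 1, 90, b"\x00")),                                   # vendor-specific function code
    ("192.168.10.5", "192.168.20.7", build_frame(7, 1, 3, struct.pack(">HH", 0, 1), pid=1)),            # wrong protocol id
]


def run(samples: list) -> list:
    """Inspect every sample frame and return (src, dst, alert) findings."""
    findings = []
    for src, dst, frame in samples:
        for alert in inspect(src, dst, frame):
            findings.append((src, dst, alert))
    return findings


if __name__ == "__main__":
    for src, dst, alert in run(SAMPLE):
        print(f"ALERT {src} -> {dst}: {alert}")
```

The first two frames (an HMI read and an authorized engineering write) produce nothing; the remaining five each raise one alert. The same structure extends to DNP3 or S7comm by swapping the parser and the set of state-changing operations; the detection logic (who talks to whom, and whether that party is allowed to change state) stays the same.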

4. Update — but with a plan

OT systems can't be patched as easily as IT servers. But that doesn't mean updates should be ignored:

  • Prioritize updates based on risk — internet-exposed systems first
  • Test updates in a staging environment before production
  • Have a plan for systems that can't be updated (compensating controls, network isolation)

5. Application whitelisting

Application whitelisting is particularly effective in OT environments where the workload is predictable:

  • Only approved programs can run
  • Prevents malicious code from executing even if it gets in
  • Easier to implement in OT than IT (fewer changes to running programs)

6. Backup and recovery

  • Test regularly that backups can be restored
  • Keep PLC programs and configurations, and HMI project files, in an offline copy that can be restored without the vendor's tooling being online
  • Have a clear incident response plan specific to OT scenarios

Connection to NIS2

These recommendations don't come in a vacuum. The NIS2 directive imposes expanded requirements on operators of critical infrastructure. Organizations conducting societally important activities must:

  • Conduct risk analyses specifically for OT environments
  • Implement technical and organizational protective measures
  • Report significant incidents to the designated national authority; NIS2 requires an early warning within 24 hours and an incident notification within 72 hours
  • Show that they actively work with security (not just have policies on paper)

NCSC's new publications give concrete guidance on how to fulfill these requirements in practice.

Relevant standards

The recommendations build on established frameworks:

  • IEC 62443 — international standard for industrial cybersecurity and the most relevant for OT; its zone-and-conduit model is what the segmentation advice above describes
  • NIS2 directive — EU requirements for cybersecurity of critical infrastructure
  • ISO/IEC 27001 — complementary for organizational aspects

What you can do today

  1. Inventory — do you know which OT systems you have and how they're connected?
  2. Segment — are there firewalls between IT and OT? Or does everything run on the same network?
  3. Remote access — how do suppliers and personnel reach your control systems? TeamViewer directly to an HMI?
  4. Monitor — do you log OT traffic? Would you notice if a PLC got new firmware?
  5. Test — do you run penetration tests against the OT environment, or only IT?

How we can help

Pentesting.se offers security assessment of network infrastructure and can identify exposed OT systems, misconfigured segmentation, and insecure remote access solutions. Our discovery scan automatically finds devices and services that shouldn't be exposed.

Download NCSC's full recommendations: ncsc.se/sv/publikationer


Alexander Norman runs Adminor AB and Pentesting.se. We help Nordic companies protect their infrastructure — from web applications to network equipment and OT environments.

Want to see what your external attack surface actually looks like? Free health check, no credit card, two minutes.