May 19, 2025

CISA “cyber hygiene” guidance for OT?

CISA, the organisation that was created from the retired ICS-CERT and US-CERT, has come out with “Primary Mitigations to Reduce Cyber Threats to Operational Technology”.[1] In total there are 5 recommended mitigations, which seem quite peculiar if one remembers that it has been 15 years since the STUXNET operation became public. Let us look at each recommendation and try to understand why it may seem strange today.

  1. Remove OT connections to the public Internet. A good recommendation, but May 2025 is quite late to be warning us. This advice was made clear in October 2014 with the publication of the Project SHINE study by Bob Radvanovsky and Jake Brodsky[2]. To provide something new to think about, CISA could have addressed the trend of putting OT services in the cloud. They could have included a recommendation not to do that. That way the mitigation would be more current.
  2. Change default passwords immediately and use strong, unique passwords. When I read this the phrase “elementary my dear Watson” came to me. No more comment.
  3. Secure remote access to OT networks. This is a mitigation that is easier said than done. I remember asking operators of C.I. if they use jump boxes and other implementations of remote access. I noticed some hesitation and loss of eye contact while hearing the answer to my question. CISA should consider adding the development of more in-house capability as a mitigation, since it reduces both the need for and the frequency of remote access. Remember how the operators of that petrochemical plant in the Middle East searched for an investigator from outside their company to help them determine the cause of two unplanned shutdowns within months of each other.[3]
  4. Segment IT and OT networks. This is good advice, but CISA may not have a monopoly on practical implementation experience. As usual, reading something helpful is one thing; implementing the advice is another. CISA could have added references to organisations that provide more actionable guidance, such as is found in the ISA/IEC 62443 standard for Industrial Automation and Control System cybersecurity. There is a large section on the employment of zones and conduits that can inform the work of segmenting IT and OT networks[4].
  5. Practice and maintain the ability to operate OT systems manually. There is a need for a reality check here. Going to manual (sending technicians out to the substations to close the opened breakers) is what the Ukrainian power company did after losing view and control of over 30 substations on December 23, 2015. However, it should be considered that many asset owners do not have the personnel available to operate a large system manually. This is one of the downsides of the labour savings provided by the application of technology. Today, for example, you do not need to send people down the power line or pipeline every day to check things. That can be done remotely with a drone or with telemetry. The people who used to do that manually are not there anymore. I once asked an operator if they had the option to run their operation remotely. The answer was yes, but only for a short period of time. I still remember the security officer of a large port facility who boasted that the installation of video cameras had significantly reduced the number of security guards needed to patrol the facility. I wondered what would happen to the port's security if the video camera system went down, as it did for the Haifa Tunnel in Israel, which closed the tunnel for days[5].
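Mitigations 1, 3 and 4 above (no Internet exposure of OT, remote access only through controlled paths, IT/OT segmentation along zones and conduits) can be checked mechanically against a firewall policy. The following is an added example written for this post, not code from CISA, ISA or the original article: it models a small zone-and-conduit scheme in the spirit of ISA/IEC 62443 and audits a constructed rule set against it. The zone names, address ranges, conduit pairs and rules are all assumptions made for illustration; a real deployment would load them from the asset inventory and the firewall export.

```python
"""Audit a constructed firewall policy against an IT/OT zone-and-conduit model.

Added example, not part of the original post or of CISA/ISA guidance. Every
zone, address range, conduit and rule below is constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed zone model (assumption): three zones, addresses made up.
ZONES: Dict[str, List[str]] = {
    "enterprise": ["10.10.0.0/16"],       # IT / business network
    "ot_dmz":     ["10.20.0.0/24"],       # historian, jump host, patch relay
    "control":    ["192.168.100.0/24"],   # PLCs, HMIs, engineering workstations
}
OT_ZONES = {"ot_dmz", "control"}

# Permitted conduits as (source zone, destination zone) pairs. Direction matters
# in this model (an assumption). The Internet is not a zone and is never a
# legitimate endpoint of a conduit into OT.
CONDUITS = {
    ("enterprise", "ot_dmz"),   # business users reach the historian in the DMZ
    ("ot_dmz", "control"),      # only the DMZ jump host reaches the control zone
}

# Constructed rule set: each rule is a single allow/deny entry. Ports are
# illustrative (502 = Modbus/TCP, 3389 = RDP, 22 = SSH, 443 = HTTPS).
RULES: List[dict] = [
    {"src": "0.0.0.0/0",    "dst": "192.168.100.10",   "port": 502,  "action": "allow"},
    {"src": "10.10.0.0/16", "dst": "192.168.100.0/24", "port": 3389, "action": "allow"},
    {"src": "10.10.0.0/16", "dst": "10.20.0.5",        "port": 443,  "action": "allow"},
    {"src": "10.20.0.7",    "dst": "192.168.100.0/24", "port": 22,   "action": "allow"},
    {"src": "10.10.0.0/16", "dst": "0.0.0.0/0",        "port": 443,  "action": "allow"},
    {"src": "0.0.0.0/0",    "dst": "192.168.100.0/24", "port": 0,    "action": "deny"},
]


def zone_of(ip: str) -> str:
    """Map an IPv4 address or CIDR to its zone, or 'internet' if outside all zones."""
    net = ipaddress.ip_network(ip, strict=False)
    for zone, ranges in ZONES.items():
        for r in ranges:
            if net.subnet_of(ipaddress.ip_network(r)):
                return zone
    return "internet"


def audit(rules: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (rule index, finding, detail) for every allow rule that breaks the model.

    'internet-exposure': an OT zone is reachable from, or reaches out to, the Internet
                         (CISA mitigation 1).
    'no-conduit':        a cross-zone flow that has no defined conduit, e.g. IT straight
                         into the control zone instead of via the DMZ jump host
                         (mitigations 3 and 4).
    """
    findings: List[Tuple[int, str, str]] = []
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue  # deny rules cannot create a flow
        src, dst = zone_of(rule["src"]), zone_of(rule["dst"])
        if src == dst:
            continue  # intra-zone traffic is policed inside the zone, not by conduits
        detail = f"{src} -> {dst} port {rule['port']}"
        if "internet" in (src, dst):
            other = dst if src == "internet" else src
            if other in OT_ZONES:
                findings.append((i, "internet-exposure", detail))
            continue  # enterprise <-> Internet is outside the scope of this check
        if (src, dst) not in CONDUITS:
            findings.append((i, "no-conduit", detail))
    return findings


def is_compliant(rules: List[dict]) -> bool:
    """True when no allow rule violates the zone-and-conduit model."""
    return not audit(rules)


if __name__ == "__main__":
    for idx, kind, detail in audit(RULES):
        print(f"rule {idx}: {kind}: {detail}")
    print("compliant" if is_compliant(RULES) else "not compliant")
```

Run as-is, the audit flags rule 0 (a PLC's Modbus port open to the whole Internet) and rule 1 (RDP from the enterprise network straight into the control zone, bypassing the DMZ jump host), while the historian and jump-host flows that follow the defined conduits pass. The useful part for a practitioner is the shape of the check: once zones and conduits are written down, the policy can be re-audited every time the firewall changes, which is the kind of actionable follow-through the "segment IT and OT" advice leaves out.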

What mitigation is missing, one may ask? This document also needs to stress the importance of system design supported by consequence-based risk analysis. That should be the most “primary” of all the recommendations.

It is interesting that CISA recommends government sources, especially CISA's own, for guidance. Why the emphasis only on government expertise, and why list guides geared only to the water industry? They probably had to mention water because of high-profile incidents involving water, like Oldsmar[6], and more recent ones involving PLCs used in the water sector[7].

This is a disappointing list of mitigations, which calls out for the issuing of a version 2. Some words of advice to the authors at CISA. Instead of relying on “in house” government expertise, CISA should augment their efforts by collaborating with those who work closer to the actual physical processes going on in OT and ICS, for example standards organisations like ISA, IEC and IEEE, and other organisations that represent operators of “critical infrastructure entities.” Some defenders assert that CISA does have access to such expertise. My reply is: show me an example of where this expertise appears. It is not very evident in these CISA recommendations.

Source: http://scadamag.infracritical.com/index.php/2025/05/13/cisa-cyber-hygiene-guidance-for-ot/