Overview
On May 6, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the FBI, Environmental Protection Agency (EPA), and Department of Energy (DOE), issued a joint fact sheet titled “Primary Mitigations to Reduce Cyber Threats to Operational Technology.” The document highlights priority actions that owners and operators of Operational Technology (OT) systems may wish to consider in light of persistent and evolving cyber threats targeting critical infrastructure.
What Is Operational Technology?
Operational Technology (OT) refers to the hardware and software used to control physical systems such as pumps, valves, turbines, and factory machinery. These systems are prevalent in sectors like energy, water and wastewater, manufacturing, transportation, chemicals, and other critical infrastructure environments.
Highlights from the CISA Guidance
The fact sheet identifies five primary mitigation strategies that may help reduce exposure to cyber threats in OT environments:
- Remove Public Internet Exposure
Direct internet exposure is one of the most significant risk factors for OT systems: many OT devices lack authentication and authorization mechanisms that hold up against current threats, so any device reachable from the public internet is an easy target. The guidance recommends identifying every public-facing OT asset (including ones connected unintentionally, for example through a vendor modem or misconfigured cloud link), removing that exposure, and giving priority to devices with weak or default configurations.
- Change Default Passwords and Strengthen Authentication
Many OT systems are deployed with default credentials, which are often published in vendor documentation and are routinely tried by attackers. Entities may wish to change default passwords immediately and implement strong, unique passwords, particularly on devices that are remotely reachable or internet-accessible, where a guessed password is enough to gain control.
- Secure Remote Access Pathways
CISA emphasizes the risks associated with poorly configured remote access, which is a common initial entry point into OT networks. Where remote access is required, the fact sheet encourages routing it over a private IP connection or a VPN protected by strong credentials and phishing-resistant multifactor authentication (MFA), granting only the privileges each user needs (least privilege), disabling dormant accounts, and logging remote access activity so that sessions can be reviewed and investigated.
- Segment IT and OT Networks
Separating IT and OT environments through network segmentation (e.g., firewalls and a demilitarized zone that brokers any data exchange between the two) may reduce lateral movement by threat actors, since a compromise of an IT host no longer provides a direct path to controllers and HMIs. This approach could also help limit the impact of incidents that originate in the IT environment (for example, ransomware delivered by phishing) but would otherwise spread to OT systems.
- Ensure Manual Operational Capabilities
The guidance highlights the importance of maintaining the ability to operate systems manually in the event of cyber disruption. This includes developing and testing contingency plans, retaining backup software and hardware, and ensuring personnel are trained to execute manual procedures if automation fails.
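As a practical illustration of how the first and fourth mitigations above can be checked against an organization's own records, the following Python script is an added example; it is not part of the CISA fact sheet or of this summary's original text. It assumes a hypothetical asset inventory and firewall-rule export (the field names, the zone layout of IT, DMZ, and OT subnets, and the list of OT protocol ports are all assumptions), and all sample data in it is constructed. It flags hosts that expose OT or remote-access services on internet-routable addresses, and permit rules that let traffic reach the OT zone without passing through the DMZ.

```python
"""Audit a constructed OT inventory and firewall export for two of the five
mitigations: public internet exposure and IT/OT segmentation.

Added example with hypothetical data formats; not CISA tooling, not real data.
"""
import ipaddress

# Assumption: OT protocol ports worth flagging when reachable from the internet.
OT_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}

# Assumption: anything outside RFC 1918, loopback and link-local is treated as
# reachable from the internet. The check is spelled out rather than using
# ipaddress.is_global so that the documentation ranges used in the sample data
# (203.0.113.0/24, 198.51.100.0/24) are classified as public, as they would be
# if they were real customer addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Hypothetical zone layout: IT and OT are only allowed to exchange data via the DMZ.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.15.0.0/24"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed inventory: one field set per host, not real systems.
INVENTORY = [
    {"host": "plc-01", "ip": "10.20.1.10", "ports": [502]},
    {"host": "hmi-02", "ip": "203.0.113.45", "ports": [5900, 44818]},
    {"host": "historian", "ip": "10.15.0.20", "ports": [443, 1433]},
    {"host": "rtu-07", "ip": "198.51.100.8", "ports": [20000]},
]

# Constructed firewall export, first match wins; the last rule is a catch-all deny.
RULES = [
    {"name": "it-to-dmz-https", "action": "permit", "src": "10.10.0.0/16", "dst": "10.15.0.20/32", "ports": [443]},
    {"name": "dmz-to-ot-modbus", "action": "permit", "src": "10.15.0.20/32", "dst": "10.20.1.0/24", "ports": [502]},
    {"name": "it-to-ot-any", "action": "permit", "src": "10.10.0.0/16", "dst": "10.20.0.0/16", "ports": ["any"]},
    {"name": "any-to-ot-rdp", "action": "permit", "src": "0.0.0.0/0", "dst": "10.20.5.5/32", "ports": [3389]},
    {"name": "deny-all", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "ports": ["any"]},
]


def is_internet_routable(ip):
    """True when the address falls outside every internal range above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exposure_findings(inventory):
    """Mitigation 1: hosts with an internet-routable address and an OT or
    remote-access service listening. Returns (host, port, protocol) tuples."""
    findings = []
    for asset in inventory:
        if not is_internet_routable(asset["ip"]):
            continue
        for port in asset["ports"]:
            proto = OT_PORTS.get(port) or REMOTE_ACCESS_PORTS.get(port)
            if proto:
                findings.append((asset["host"], port, proto))
    return findings


def zone_of(prefix):
    """Map an address or CIDR prefix to a zone name; 'UNKNOWN' covers 'any'
    (0.0.0.0/0) and prefixes that straddle or sit outside the defined zones."""
    net = ipaddress.ip_network(prefix, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "UNKNOWN"


def segmentation_findings(rules):
    """Mitigation 4: permit rules that let traffic into the OT zone from
    anywhere other than the DMZ or OT itself. The expected path is IT -> DMZ -> OT,
    so a direct IT -> OT or any -> OT permit is a flat-network finding."""
    findings = []
    for rule in rules:
        if rule["action"] != "permit":
            continue
        if zone_of(rule["dst"]) == "OT" and zone_of(rule["src"]) not in ("DMZ", "OT"):
            findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    for host, port, proto in exposure_findings(INVENTORY):
        print(f"EXPOSED  {host}: {proto} (port {port}) reachable from the internet")
    for name in segmentation_findings(RULES):
        print(f"FLAT     rule {name!r} permits traffic into OT that bypasses the DMZ")
```

On the constructed data the script reports the HMI and the RTU as internet-exposed (VNC, EtherNet/IP and DNP3 listening on public addresses) and flags the two rules that reach OT directly from IT or from any source, while the historian and the DMZ-brokered Modbus rule pass. In practice the inventory would come from an asset-discovery tool or a firewall export rather than inline lists, and the port and zone tables would be tuned to the plant; the value of the exercise is that it turns the fact sheet's first and fourth mitigations into a repeatable check rather than a one-time review.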
Context and Broader Frameworks
These recommendations align with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs), developed jointly with the National Institute of Standards and Technology (NIST). The CPGs are intended as a baseline framework for voluntary adoption across sectors to improve overall cyber resilience.
Suggested Considerations for Organizations
Organizations in energy, water, transportation, manufacturing, and other sectors that rely on OT systems may find value in reviewing the guidance as part of their broader cyber risk management strategies and may wish to:
- Evaluate their current cybersecurity posture against the mitigations outlined in the CISA fact sheet.
- Discuss whether existing policies, incident response plans, and technical safeguards align with sector expectations and emerging threat trends.
- Coordinate with internal stakeholders (e.g., legal, IT, engineering) and external vendors to identify any needed changes or enhancements.
- Consider tabletop exercises or internal assessments to gauge readiness in responding to an OT-specific cyber event.