The alphabet soup of federal agencies (the EPA, CISA, NSA, and FBI), alongside their international counterparts, just dropped a joint guidance document. The headline? “Foundations for OT Cybersecurity: Asset Inventory Guidance.” It is a 32-page plea for operators of critical infrastructure to figure out exactly what is plugged into their networks.
It sounds basic, doesn’t it? You cannot protect what you do not know you have. But in the world of operational technology, changing anything is hard, and most of those who try are doing it wrong. Facilities run on legacy PLCs and HMIs that have been quietly humming along since the Chretien Shawinigan Handshake. Nobody wants to touch them because “if it isn’t broken, don’t fix it.”
But it is broken. The guidance document bluntly outlines how cyber actors are tearing through industrial networks. They explicitly call out four failure points that allow attackers to disrupt, destroy, or extort critical services: weak authentication mechanisms, insufficient network segmentation, insecure operational technology protocols, and insecure remote access points.
The taxonomy illusion: A submarine with no bulkheads
The EPA’s guidance heavily pushes the concept of an “operational technology taxonomy.” Essentially, this is a categorization system to organize and prioritize your assets based on their function and criticality. You map out your sensors, your controllers, and your supervisory systems. It is an excellent academic exercise.
But let’s use a metaphor. Imagine your network is a submarine. Creating an asset inventory and a taxonomy is like meticulously labelling every pipe, valve, and bunk on the sub. That is helpful for maintenance. But if your submarine has no internal bulkheads, so that the entire vessel is one big, open tube, a single leak sinks the whole ship. Labelling the valve doesn’t stop the water.
Most industrial environments operate exactly like this. They rely on “air gaps” that haven’t existed in a decade, or a single VPN gateway that acts as a drawbridge over a moat. Once a vendor or operator logs into that VPN (often using a shared, eight-character password), they are inside the submarine. If their laptop is compromised, the attacker can move laterally across the entire network, exploiting those insecure operational technology protocols the EPA warned us about.
Solving the EPA’s four horsemen of operational technology doom
If you read the guidance, it is clear that simply knowing your assets is Step One. Step Two is applying compensating security controls to defend them. Legacy equipment often lacks the intrinsic ability to defend itself. You cannot simply install an antivirus agent on a 15-year-old water pump controller.
Instead of relying on fragile network perimeters, you need to shift to an identity-aware, Zero Trust architecture. Here is how we directly address the specific vulnerabilities highlighted by the joint guidance:
- Defeating weak authentication: The days of shared passwords written on whiteboards must end. We must implement single sign-on tied to your existing corporate identity provider, enforced with strict multi-factor authentication. Every interactive session must be tied to a verified identity (a named person, or a named service account for automated flows), not to a source IP address.
- Fixing insufficient network segmentation: Traditional VLANs and firewall access control lists are too complex to manage at scale, which is how networks end up flat and lateral movement becomes trivial. As we detail in our Industrial Zero-Trust Micro-Segmentation whitepaper, true defence-in-depth requires per-endpoint micro-segmentation. We isolate the asset so that it only initiates outbound connections and accepts none, which removes the unsolicited east-west traversal attackers rely on. The device-to-device flows the process genuinely needs (an HMI polling its PLCs, for example) are then allow-listed explicitly rather than left open by default.
- Securing insecure remote access points: Traditional VPNs grant broad network access, violating the principle of least privilege. We replace this with precise, per-session authorisation. A vendor should only have access to the specific HMI they are contracted to maintain, perhaps only during specific hours, and only with read-only privileges. By acting as an identity-aware proxy, we ensure users only see the applications they are explicitly authorised to use.
- Neutralising insecure operational technology protocols: Protocols like VNC or Modbus/TCP are typically unencrypted and, in Modbus’s case, unauthenticated, leaving them open to interception and manipulation. We provide a compensating control by tunnelling this traffic inside a TLS-protected WebSocket (wss://), securing the transit without any change to the underlying legacy hardware. Two caveats a practitioner will want: the hop between the tunnel endpoint and the device is still plaintext, so that endpoint must sit as close to the device as possible, on its own isolated segment; and encryption does not make Modbus authenticate anything, so the read-only rule in the previous point has to be enforced by the proxy inspecting function codes, not assumed from the tunnel.
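The remote-access and protocol points above describe one mechanism: an identity-aware proxy that knows who the session belongs to, which asset it may touch, when, and whether it may write. The block below is an added example, not code from the joint guidance or from the author of this post, showing that decision in miniature for a legacy Modbus/TCP target. It parses the MBAP header, matches the session against a hypothetical policy table, and enforces “read-only” on the wire by allowing only the four Modbus read function codes (default-deny for everything else, since Modbus itself has no authentication). All identities, asset names, policy rows and frames are constructed for illustration.

```python
"""Added example, not code from the joint guidance or from the author of this
post: a minimal identity-aware authorisation check for a vendor session to a
legacy Modbus/TCP device. It combines the controls in the list above:
identity rather than IP address, scope to one asset and one time window, and
read-only enforced on the wire by allow-listing Modbus read function codes.
Every identity, asset name, policy row and frame here is hypothetical."""
from dataclasses import dataclass
from datetime import datetime, time

# Public Modbus function codes that only read state: Read Coils, Read
# Discrete Inputs, Read Holding Registers, Read Input Registers.
# Anything else (writes, diagnostics, file access) is denied under a
# read-only grant: default-deny, not a block-list of known writes.
READ_ONLY_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}


@dataclass(frozen=True)
class Grant:
    subject: str      # identity asserted by the IdP after SSO + MFA
    asset: str        # the one asset this grant covers
    start: time       # local time window in which the grant is valid
    end: time
    read_only: bool


# Hypothetical policy table: the vendor may only read HMI-3 during the day;
# the shift lead may read and write it around the clock.
POLICY = [
    Grant("vendor-tech@pumpco.example", "hmi-3-dosing", time(8, 0), time(17, 0), True),
    Grant("ops-shift-lead@utility.example", "hmi-3-dosing", time(0, 0), time(23, 59), False),
]


def parse_modbus_tcp(frame: bytes) -> tuple[int, int]:
    """Parse the 7-byte MBAP header plus the function code.

    Returns (unit_id, function_code); raises ValueError on malformed
    frames so the proxy drops them instead of forwarding junk."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    protocol_id = int.from_bytes(frame[2:4], "big")
    length = int.from_bytes(frame[4:6], "big")
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return frame[6], frame[7]


def authorise(subject: str, asset: str, when: datetime, frame: bytes) -> tuple[bool, str]:
    """Decide whether one Modbus request from `subject` to `asset` may be
    forwarded. Returns (allowed, reason); the reason is what the proxy logs."""
    try:
        unit_id, fc = parse_modbus_tcp(frame)
    except ValueError as err:
        return False, f"drop: {err}"
    for grant in POLICY:
        if grant.subject != subject or grant.asset != asset:
            continue
        if not (grant.start <= when.time() <= grant.end):
            return False, "deny: outside the granted time window"
        if grant.read_only and fc not in READ_ONLY_FUNCTIONS:
            return False, f"deny: function 0x{fc:02x} is not a read; grant is read-only"
        return True, f"allow: function 0x{fc:02x} to unit {unit_id} for {subject}"
    return False, "deny: no grant for this identity and asset"


# Constructed sample frames (MBAP header + PDU), big-endian:
#   transaction id, protocol id 0, length, unit id, function code, data
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # read 10 regs from 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 00ff")  # write 0x00ff to reg 0x10
DAYTIME = datetime(2025, 9, 1, 10, 0)     # constructed timestamps
NIGHTTIME = datetime(2025, 9, 1, 22, 0)

if __name__ == "__main__":
    for subj, when, frame in [
        ("vendor-tech@pumpco.example", DAYTIME, READ_HOLDING),
        ("vendor-tech@pumpco.example", DAYTIME, WRITE_SINGLE),
        ("vendor-tech@pumpco.example", NIGHTTIME, READ_HOLDING),
        ("ops-shift-lead@utility.example", NIGHTTIME, WRITE_SINGLE),
    ]:
        print(authorise(subj, "hmi-3-dosing", when, frame))
```

The point worth noticing is the third check: a TLS tunnel would carry the Write Single Register frame just as happily as the read, so “read-only” is only real if something between the vendor and the PLC looks at the function code and refuses it. In a production proxy the policy table would come from the identity provider’s group claims rather than a list in the source, and the decision would be logged with the subject and asset names so that the audit trail matches the asset inventory.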
Stop labelling and start protecting
The EPA, CISA, and the FBI are absolutely correct: you need an asset inventory. You need a taxonomy to understand your risk surface. But do not confuse documentation with defence. Knowing that you have a vulnerable, unpatched PLC controlling your chemical dosing is only useful if you actually take steps to isolate and protect it.
The traditional IT playbook of firewalls and VPNs is insufficient for operational technology. It is time to abandon the illusion of the perimeter and embrace an architecture where identity is the new boundary. If you are ready to stop treating your critical infrastructure like an open submarine and start implementing true zero-trust micro-segmentation, let’s talk. Your assets might be legacy, but your security doesn’t have to be.
