Decoding the world of cybersecurity

NCSC puts CNI resilience into design

The NCSC’s operational technology guidance pushes critical infrastructure operators towards secure design, segmentation, monitoring, and specialist testing.

NCSC puts CNI resilience into design
Summary
  • The NCSC says OT penetration testers see secure design and segmentation as essential to critical infrastructure resilience.
  • The guidance warns that logging and monitoring only improve resilience when organisations collect useful data and act on it.
  • Specialist OT testing is treated as a resilience control because poor testing can miss weaknesses or create operational consequences.

The National Cyber Security Centre has set out practical lessons from penetration testers working around operational technology, with critical infrastructure operators urged to make systems harder to compromise through secure design, segmentation, monitoring, and specialist testing.

The guidance is built around a direct question put to industry testers: what can organisations do to make their job harder? Their answers centre on design discipline, separation between IT and OT, useful logging, tested response processes, and testing teams that understand industrial environments.

The NCSC says vulnerabilities are rarely absent, but remediation is easier when systems have been built with security as a core requirement rather than added later. That is especially important in operational technology, where assets may be long lived, downtime may be expensive, and patching can involve safety, availability, and production constraints that do not exist in ordinary enterprise IT.

The agency places particular emphasis on segmentation. OT systems should be clearly separated from business IT, but the guidance goes beyond a simple boundary. Organisations need to control what crosses between zones, define trust areas, minimise exposed connections, standardise access routes, and harden boundaries. Privileged access workstations are also presented as a way to reduce shortcuts around sensitive administration.

Many serious industrial incidents do not begin inside a control system. They begin with a foothold in enterprise IT, stolen credentials, poorly managed remote access, exposed services, or a supplier route. The critical point is whether that initial compromise can move laterally into process environments, engineering workstations, historian systems, or control networks.

The NCSC also links resilience to logging and monitoring. Good logging, meaningful alerts, and appropriate response can make a tester’s job harder, but only when organisations collect the right data and respond in the right way. Monitoring that is not investigated, understood, or exercised through incident response provides weak assurance.

The testing point is equally important. The NCSC recommends using assured CHECK providers and says OT systems should be tested by people with relevant operational technology experience. Poorly matched testing can miss environment-specific weaknesses and, in some settings, create unintended operational effects on the system being assessed.

Critical infrastructure cyber maturity is increasingly judged through evidence rather than awareness. Regulators, insurers, boards, and government departments expect operators to know their environments, understand dependencies, test assumptions, and maintain safe operations under stress. Segmentation diagrams, access reviews, incident exercises, and monitoring evidence are becoming part of resilience assurance.

Secure by design is not abstract when applied to energy, transport, water, manufacturing, healthcare, and telecoms. It affects capital projects, supplier selection, remote maintenance, network architecture, procurement language, and change control. Decisions made during design and commissioning can determine whether later security work is feasible or permanently constrained.

Older estates will not have a clean route. Many operators are managing legacy systems, unsupported components, flat networks, and vendor support models that were not built for current threat conditions. Even so, they can reduce lateral movement, improve detection, control privileged access, and exercise recovery without pretending OT can be treated like ordinary office technology.

The NCSC guidance does not name vulnerable operators or disclose incidents. Its value is in describing the weaknesses that testers repeatedly see across critical environments, and in turning resilience into something that can be designed, tested, and evidenced.

×