US and UK Agencies Publish New Cybersecurity Guidance for Critical Infrastructure Environments
The National Institute of Standards and Technology (NIST) published a draft Transit Cybersecurity Framework Community Profile intended to improve cybersecurity practices in transportation systems that require continuous operations and connectivity. The voluntary draft, developed by NIST’s National Cybersecurity Center of Excellence (NCCoE), is open for public comment through February 23, 2026, and positions transportation as a critical-infrastructure area needing more tailored cybersecurity guidance.
Separately, CISA and the UK’s NCSC released joint guidance titled Secure Connectivity Principles for Operational Technology (OT) environments, aimed at helping asset owners balance business-driven connectivity (remote access, data integration, cloud connectivity) with security risk. The guidance outlines eight high-level principles (e.g., limiting exposure, centralizing and standardizing access, using secure protocols, hardening boundaries) intended to be broadly applicable across critical-infrastructure sectors. An additional Help Net Security interview with Fermilab’s CISO discusses general cybersecurity challenges in open scientific research environments, but it does not materially relate to the NIST transit framework draft or the CISA/NCSC OT connectivity guidance.
Timeline
Feb 23, 2026
NIST opens public comment period for transit cybersecurity draft
NIST invited public comment on the draft transit cybersecurity profile through February 23, 2026. The review process was intended to gather feedback from transit agencies, suppliers, vendors, and other stakeholders before finalizing the guidance.
Jan 29, 2026
NIST releases draft Transit Cybersecurity Framework Community Profile
In late January 2026, NIST's National Cybersecurity Center of Excellence published a draft "Transit Cybersecurity Framework Community Profile" to help transit agencies align with NIST CSF 2.0 while addressing sector-specific constraints. The voluntary draft focused on protecting safety- and continuity-critical transit functions amid growing digitization, legacy infrastructure, and rising cyber risk.
Jan 14, 2026
CISA and NCSC-UK publish OT secure connectivity principles
On January 14, 2026, CISA and the UK National Cyber Security Centre jointly released "Secure Connectivity Principles for Operational Technology (OT)" guidance for critical infrastructure operators. The document set out eight risk-based principles to help organizations expand OT connectivity, remote access, and cloud integration without weakening security.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
Related Stories
Critical Infrastructure Cybersecurity Guidance and Architecture to Reduce Telecom and OT Attack Surfaces
A virtual briefing hosted by the Institute for Critical Infrastructure Technology (ICIT) argued that **telecom networks’ “crown jewels”**—including signaling pathways and subscriber identity/metadata—remain high-value targets, and that traditional perimeter defenses are insufficient against advanced adversaries. The session cited activity associated with China-linked threat actors **Salt Typhoon** and **Volt Typhoon** as illustrative of systemic telecom weaknesses, and promoted *privacy-first mobile-carrier* design choices (e.g., minimizing exposed identifiers and reducing the long-term value of compromised data) as concrete controls to reduce attack surface and limit blast radius. Separately, the U.K. **National Cyber Security Centre (NCSC)**, working with **CISA**, the **FBI**, and other international partners, released guidance titled **“Secure Connectivity Principles for Operational Technology”** aimed at reducing exposed and insecure connectivity in OT environments, including nuclear-sector contexts. The guidance outlines **eight foundational principles** intended to help organizations protect OT networks from highly capable and opportunistic actors, including **nation-state** threats, against a backdrop of accelerating IT/OT convergence and increasing rates of OT/ICS-impacting incidents reported across critical infrastructure.
1 months ago
Western Cyber Agencies Release Secure Connectivity Principles for Operational Technology
CISA, the UK **NCSC**, and multiple international partners released **Secure Connectivity Principles for Operational Technology (OT)** guidance aimed at reducing risk created by increased connectivity into industrial environments (e.g., industrial control systems, sensors, and other critical services). The guidance is positioned for operators of essential services facing business and regulatory pressure to enable remote monitoring and management, and it emphasizes that formerly *air-gapped* OT is now more exposed due to expanded remote access and IT/OT convergence. The guidance highlights that insecure or exposed OT connectivity is being targeted by a broad range of adversaries, including **ransomware groups**, **state-backed actors**, and **pro-Russia hacktivists** conducting opportunistic attacks against global critical infrastructure. Recommended defensive themes include **network segmentation**, **strong authentication**, continuous monitoring, and minimizing remote access paths to prevent disruptive incidents with potential real-world safety and service-delivery impacts; CISA also solicited stakeholder feedback via a product survey. Separate opinion pieces discussing AI in critical infrastructure and power redundancy risks in OT, and an industry roundup of Chinese cybersecurity companies, do not provide additional reporting on this specific guidance release.
1 months ago
Industry Pushes NIST to Add More Actionable Detail in SP 800-82 OT Security Rewrite
U.S. **operational technology (OT)** security specialists urged **NIST** to make its forthcoming update to *Special Publication 800-82* significantly more practical and granular, arguing that OT owners and operators need actionable guidance rather than high-level frameworks. The feedback was provided as NIST begins its **fourth revision** of SP 800-82 and solicits private-sector input, reflecting growing maturity and urgency in OT cybersecurity governance. Vendors and practitioners emphasized that OT environments require different approaches than conventional IT, particularly for **vulnerability management**, where standard IT practices may be ineffective or counterproductive in industrial settings. Commenters also called for more **sector-specific guidance** for emerging OT verticals such as **smart building management** and **distributed energy systems** (including **EV charging networks**), and broadly supported NIST’s proposal to move several SP 800-82 appendices online—covering OT security organizations, tools and threats, and catalogs of vulnerabilities and incidents—to keep reference material more current.
1 months ago