Four federal agencies — the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA) and Department of Energy (DOE) — have jointly issued a cybersecurity advisory urging critical infrastructure operators to take immediate action to reduce cyber threats targeting operational technology (OT) systems.
The new advisory outlines key mitigations to address persistent vulnerabilities in industrial control environments — particularly internet-exposed OT assets and the use of default passwords. The guidance follows a rising tide of cyber intrusions across sectors such as energy, water and manufacturing.
Unsecured Connections a Lingering Threat
Among the top recommendations is the removal of OT assets from public internet exposure. According to the advisory, threat actors frequently exploit open ports and unauthenticated systems using simple, widely available tools. While progress has been made, critical blind spots remain.
Sean Tufts, managing partner for critical infrastructure and operational technology at Optiv, notes that while the industry has made strides in auditing north-south traffic on firewalls, challenges persist.
“We’ve seen great improvement in finding these connections and cutting them,” Tufts says. “What is currently left is mission-critical applications like SAP. This is especially true in manufacturing, where workflow management has ‘digitally transformed’ faster than security could keep up.”
He emphasizes that correctly architecting and securing these business-critical connections is not a fast fix.
“Ensuring these connections are correctly configured and architected is a task measured in years, not days,” he adds.
Default Passwords Remain a Silent Risk
Another key mitigation calls for the immediate replacement of default passwords with strong, unique credentials — especially on internet-facing devices. The advisory warns that default credentials often remain unchanged, leaving systems wide open to exploitation.
Tufts points out that while enforcing password changes is relatively straightforward in enterprise IT environments, the same does not hold true in remote or rugged OT deployments.
“Changing a password on a corporate laptop is easy,” he says. “In critical infrastructure, this is much harder.”
He offers a real-world scenario to illustrate the challenge:
“An oil pump in the Bakken Basin is both isolated and remote. There are new devices being installed on this hardware every day. Our operators are trying to get better telemetry and must install new equipment to do so. Their job function has not highlighted the requirement to change the default password, so they don’t. Security and IAM teams are not informed, nor can they find these devices once installed. This legacy password can live undetected for years.”
Tufts warns that identifying and remediating these security gaps is far from simple.
“Finding these devices is not a quick project,” he concludes.
Additional Mitigation Steps
In addition to securing internet connections and enforcing strong authentication, the federal guidance outlines several more best practices:
- Secure Remote Access – Organizations should avoid public internet exposure when enabling remote access to OT systems. Use of VPNs, private IPs, and phishing-resistant multifactor authentication is strongly encouraged.
- Segment IT and OT Networks – Implementing network segmentation and demilitarized zones (DMZs) helps contain potential compromises and protect core operational systems.
- Maintain Manual Operations Capabilities – Operators should maintain the ability to restore services manually in case of cyber disruption, and routinely test business continuity and failover plans.
- Engage with Vendors and Integrators – Organizations are urged to work closely with third-party vendors and system integrators to identify and resolve misconfigurations that could introduce security vulnerabilities.
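The checks above can be turned into a routine inventory audit. The following is an added example, not code from the advisory, the agencies or Optiv: a small Python script that runs over a constructed OT asset inventory and flags the three findings the advisory emphasises (an OT asset with management or industrial-protocol ports reachable on a public address, an unchanged vendor-default credential, and a direct IT-to-OT path that bypasses the DMZ). The inventory fields, zone names, port list and default-credential list are assumptions for illustration; a real deployment would load vendor default lists and pull inventory from the asset-management system.

```python
"""
Added example (not from the advisory or the article): audit a constructed OT
asset inventory for the findings the joint advisory calls out.
All field names, zone labels and credential lists below are assumptions.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

# Ports that should never be reachable from the public internet on an OT asset.
# Assumed list: SSH, Telnet, HTTP(S), Modbus/TCP, RDP, VNC.
MANAGEMENT_PORTS = {22, 23, 80, 443, 502, 3389, 5900}

# RFC 1918 plus loopback and link-local. The sample inventory uses an RFC 5737
# documentation address (203.0.113.0/24) to stand in for a public address; the
# standard library's IPv4Address.is_global classifies that range as reserved,
# so exposure is decided against this explicit private list instead.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample of vendor-default username/password pairs.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"),
    ("root", "root"), ("operator", "operator"),
}


def credential_fingerprint(username, password):
    """Fingerprint a credential so the inventory never stores the plaintext."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


DEFAULT_FINGERPRINTS = {credential_fingerprint(u, p) for u, p in DEFAULT_CREDENTIALS}


@dataclass
class Asset:
    name: str
    ip: str
    zone: str              # assumed labels: "ot", "dmz", "it"
    open_ports: set        # listening TCP ports recorded by the inventory
    cred_fingerprint: str  # fingerprint of the device's stored credential
    reachable_from: set    # zones allowed by firewall policy to reach the asset


def is_public_address(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETWORKS)


def is_internet_exposed(asset):
    """Public address and at least one management/industrial port listening."""
    return is_public_address(asset.ip) and bool(asset.open_ports & MANAGEMENT_PORTS)


def uses_default_credential(asset):
    return asset.cred_fingerprint in DEFAULT_FINGERPRINTS


def violates_segmentation(asset):
    """OT assets should be reached only through the DMZ, never directly from IT."""
    return asset.zone == "ot" and "it" in asset.reachable_from


def audit(assets):
    """Return {asset name: [finding, ...]} for every asset with at least one finding."""
    findings = {}
    for a in assets:
        issues = []
        if is_internet_exposed(a):
            issues.append("internet-exposed")
        if uses_default_credential(a):
            issues.append("default-credential")
        if violates_segmentation(a):
            issues.append("it-to-ot-path")
        if issues:
            findings[a.name] = issues
    return findings


# Constructed sample inventory (addresses from documentation ranges).
SAMPLE_INVENTORY = [
    Asset("pump-ctrl-07", "203.0.113.10", "ot", {502, 23},
          credential_fingerprint("admin", "admin"), {"it"}),
    Asset("rtu-12", "10.20.30.12", "ot", {502},
          credential_fingerprint("field", "Str0ng!Unique-pw"), {"dmz"}),
    Asset("hmi-03", "10.20.30.3", "ot", {3389},
          credential_fingerprint("operator", "operator"), {"dmz"}),
    Asset("jump-host", "10.50.0.5", "dmz", {22},
          credential_fingerprint("svc", "An0ther-Unique-pw"), {"it"}),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(issues)}")
```

Run as a scheduled job against the real inventory, the output is the list Tufts describes as hard to build by hand: devices installed in the field that nobody told the security or IAM teams about, still on their vendor default, or reachable in a way the segmentation design never intended.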
A Call for Long-Term Commitment
The joint advisory underscores that cybersecurity in OT environments is not a one-time initiative but a long-term operational priority. Agencies are urging asset owners and operators to act now — not only to address immediate threats but to invest in resilient architectures that can withstand ongoing and future risks.