The NCSC Just Dropped New OT Security Rules, And Most of Us Are Probably Not Ready


Digital Industrial Operations have been under attack…

The common thread? Digital Industrial Operations (OT, ICS, CPS, IIoT, IoMD) environments were not breach ready.

The UK’s National Cyber Security Centre (NCSC), alongside partners from the US, Australia, Canada, Germany, and the Netherlands, just released new guidance on Secure Connectivity for Operational Technology. (NCSC guidance). This is not just another compliance checklist to leave gathering dust in your SharePoint; it is your survival playbook for when (not if) attackers come for your critical infrastructure.

You cannot prevent every breach. But you can ensure your critical business functions remain unaffected by being breach ready.

Move the needle. Be proactive, not reactive. Your stakeholders deserve that confidence.

The NCSC guidance opens with a stark reality. OT environments are more interconnected than ever, but most were never designed for modern connectivity or security requirements.

Legacy PLCs running 15-year-old firmware. SCADA systems accessible via default passwords. Safety-critical devices exposed to the internet because “we needed remote access for maintenance.”

The automotive industry alone faces potential cyberattack costs of up to $505 billion. (Upstream / PR Newswire)

The UK government had to back a £1.5 billion loan guarantee for Jaguar Land Rover (JLR) just to keep the lights on. (Sky News)

And here is the kicker: most organizations are still approaching OT security with the same failed playbook they used for IT security. Build bigger walls. Deploy more prevention tools. Hope nothing gets through.

Spoiler alert: Something always gets through.

The NCSC’s 8 Principles: Your New Reality Check

The guidance lays out eight principles that every OT operator should implement. These are not just compliance checkboxes. They are a blueprint for survival when attackers are already inside the digital enterprise.

Let me break down what each principle really means for breach-ready enterprises:

Principle 1: Balance the Risks and Opportunities

Principle 2: Limit the Exposure of Your Connectivity

Harden your enterprise. Make your crown jewels invisible to attackers wandering your network. No inbound ports exposed. No standing access. Ghosted.

The guidance specifically calls out tools such as External Attack Surface Management (EASM) to identify exposed assets before attackers do. (Gartner definition)

But here’s the brutal truth: If Shodan can find your SCADA server, so can the ransomware gang that’s scanning for exposed OT devices right now.

Breach-ready enterprises implement microsegmentation as a foundational element, building zones and disconnectable conduits so that even when (not if) attackers get in, they hit a wall at every step. Lateral movement becomes expensive, slow, and noisy, which makes it an easily detectable anomaly.

Principle 3: Centralise and Standardise Network Connections

Stop the Frankensteining. Every bespoke vendor access solution is another attack vector. Every “temporary” connection that became permanent is a ticking time bomb. Remote access into OT must follow Zero Trust principles. Centralised does not mean rigid; it means consistent security controls and complete visibility across all remote access, all supplier connections, and all IT-OT data flows. When you are breached, you need to know exactly which zones are affected and which conduits can be shut down immediately (in minutes, not days).

Principle 4: Use Standardised and Secure Protocols

That legacy Modbus TCP running cleartext between your SCADA and PLCs? Attackers can read it, modify it, and weaponize it.

Breach ready means you assume your network traffic is already being watched. First, create bubbles: fine-grained microsegments joined by disconnectable conduits. Then encrypt everything that crosses a trust boundary, and validate everything against a schema. When attackers live on your network for weeks before you detect them, cleartext protocols and reachable services give them live commentary on how to sabotage your operations.

If you cannot shield that connection from unauthorised access by shrinking the attack surface and blast radius, moving to Modbus/TCP Security, DNP3 Secure Authentication v5 (DNP3-SAv5), or OPC UA with TLS is the smarter choice. Check device support first: many legacy PLCs and RTUs cannot speak the secure variants, and for those a protocol gateway or segment-level encryption may be the only realistic route.

Principle 5: Harden Your OT Boundary

Your OT boundary is where prevention actually matters. Not because you’ll stop every attack, but because you’ll make them work for it — and generate detection signals while they try.

The guidance is explicit: Your boundary devices cannot be obsolete. They need next-gen firewalls with Layer 7 inspection. They need regular updates. They need to be replaced before they hit end of support life (EOSL).

Why? Because when attackers compromise your IT network (and they will), your OT boundary determines how quickly they pivot into your production floor. Breach-ready enterprises assume breach and augment the highest-risk boundaries with microsegmentation designed to stop an attack from spreading. Not because they are paranoid, but because they have done the math on what a safety-system compromise costs versus what it costs to keep Digital Industrial Systems (OT/ICS/CPS/IIoT/IoMD) unaffected when an attack does land.

Principle 6: Limit the Impact of Compromise

This is the core principle. Plan for compromise. Contain the blast. Implement zero-trust microsegments, disconnectable conduits, clear separation of duties, and controlled vendor access. “Contamination” and “lateral movement” are not theoretical risks. They are the default outcomes when flat OT networks meet motivated attackers.

That infected engineering laptop? Contained in its segment. That compromised vendor account? It can only reach the specific PLC the vendor maintains. That exploited vulnerability in your HMI? It cannot pivot to your safety systems.

This kind of containment thinking is exactly what modern OT threat modeling is designed to address. The NCSC specifically calls out MITRE ATT&CK for ICS. (MITRE ATT&CK for ICS)

Use it. Map your kill chain. Identify where breaking the chain will disrupt the attack. Model cyber defences. Deploy microsegmentation there.

Consider the Jaguar Land Rover (JLR) incident. The shutdown reportedly affected an estimated 5000 businesses across its supply chain. Proper microsegmentation could have kept the production outage, and the knock-on effect on suppliers, far smaller: dozens of organisations, maybe a few hundred. Not five thousand.

Principle 7: Ensure All Connectivity is Logged and Monitored

What breach ready means: Logging without detection is just expensive storage. The guidance calls out specific OT scenarios: unauthorized activity during maintenance windows, anomalies in typically static processes, and break-glass account usage. We need to get ahead of the attacker. Deploy OT decoys (fake PLCs, HMIs, and engineering workstations) so that even a seemingly innocuous scan, including one from an insider, produces a high-fidelity alert mapped to the ATT&CK for ICS techniques in play.

The document references building SOCs specifically for OT. An IT SOC is likely very good at detecting phishing attempts, but it is blind to Modbus writes that are protocol-legitimate yet silently reconfigure setpoints on your industrial processes.

Breach ready means OT-aware monitoring that understands industrial protocols, aligns with your operational baselines, understands security patterns, and alerts when a SCADA server starts doing things it has never done before.
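The two points above (Principle 4: cleartext Modbus/TCP is readable and writable by anyone on the path; Principle 7: an OT-aware monitor must tell a routine poll from a setpoint change) can be made concrete. The following is an added example, not code from the NCSC guidance or the original post. It decodes the Modbus/TCP MBAP header and request PDU from raw bytes and checks write requests against a constructed baseline (which hosts may write, which registers are ever written, and within what range). The PLC addresses, register numbers, bounds and frames are all assumptions made up for the example.

```python
"""Added example (not from the NCSC guidance or the original post): decode
cleartext Modbus/TCP requests and flag the writes an OT-aware monitor should
alert on. The baseline and every frame below are constructed for the example."""
import struct
from dataclasses import dataclass, field

# Function codes that change process state. Everything else here is treated as polling.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int                                      # first coil/register touched
    values: list[int] = field(default_factory=list)   # decoded for fc 5, 6 and 16


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the request PDU that follows it.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    'length' counts the unit id plus the PDU, i.e. len(frame) - 6.
    """
    if len(frame) < 10:
        raise ValueError("frame too short for MBAP header, function code and address")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    function = frame[7]
    address = struct.unpack(">H", frame[8:10])[0]
    values: list[int] = []
    if function in (5, 6):                      # single coil / register: one 16-bit value
        values = [struct.unpack(">H", frame[10:12])[0]]
    elif function == 16:                        # multiple registers: quantity, byte count, values
        quantity, byte_count = struct.unpack(">HB", frame[10:13])
        if byte_count != 2 * quantity or len(frame) != 13 + byte_count:
            raise ValueError("malformed Write Multiple Registers request")
        values = list(struct.unpack(f">{quantity}H", frame[13:13 + byte_count]))
    return ModbusRequest(tid, unit, function, address, values)


# Constructed baseline for one PLC (unit id 1): only the HMI may write, and the
# only register it is expected to write is setpoint 0x0010, within 1000..3000.
BASELINE = {
    "authorised_writers": {"10.10.1.5"},
    "setpoint_registers": {0x0010: (1000, 3000)},
}


def inspect(src_ip: str, frame: bytes, baseline: dict = BASELINE) -> list[str]:
    """Return alert strings for one request; an empty list means 'matches baseline'."""
    req = parse_modbus_tcp(frame)
    if req.function not in WRITE_FUNCTIONS:
        return []                                # reads are routine polling traffic
    name = WRITE_FUNCTIONS[req.function]
    where = f"unit {req.unit_id} addr 0x{req.address:04x}"
    alerts = []
    if src_ip not in baseline["authorised_writers"]:
        alerts.append(f"{name} to {where} from unauthorised source {src_ip}")
    if req.function in (5, 15) or not req.values:
        return alerts                            # coil writes carry no setpoint to range-check
    # Check every register the write touches (fc 6 touches one, fc 16 several).
    for offset, value in enumerate(req.values):
        reg = req.address + offset
        bounds = baseline["setpoint_registers"].get(reg)
        if bounds is None:
            alerts.append(f"{name} touched register 0x{reg:04x}, never written in baseline")
        elif not bounds[0] <= value <= bounds[1]:
            alerts.append(f"{name} set register 0x{reg:04x} to {value}, outside baseline {bounds[0]}..{bounds[1]}")
    return alerts


# Constructed frames: MBAP header, then function code and PDU fields.
FRAMES = {
    # fc 3 Read Holding Registers, addr 0, quantity 10: routine HMI polling
    "poll": bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    # fc 6 Write Single Register, setpoint 0x0010 := 2500: normal operator change
    "setpoint": bytes.fromhex("0002 0000 0006 01 06 0010 09c4"),
    # fc 6 Write Single Register, setpoint 0x0010 := 4000: out of range
    "overdrive": bytes.fromhex("0003 0000 0006 01 06 0010 0fa0"),
    # fc 16 Write Multiple Registers, addr 0x0010, 2 registers, from a host that never writes
    "bulk": bytes.fromhex("0004 0000 000b 01 10 0010 0002 04 09c4 0001"),
}


if __name__ == "__main__":
    for label, src in [("poll", "10.10.1.5"), ("setpoint", "10.10.1.5"),
                       ("overdrive", "10.10.1.5"), ("bulk", "10.10.7.42")]:
        print(label, inspect(src, FRAMES[label]) or ["ok"])
```

Note what the parser does not need: no credentials, no key, nothing beyond a position on the wire. That is the Principle 4 point. The `inspect` function is the Principle 7 point: the out-of-range and bulk writes are perfectly valid Modbus, and only a baseline of who writes what, and within which limits, turns them into alerts. In production the baseline would be learned from weeks of captured traffic and reviewed with the process engineers rather than typed by hand.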

Principle 8: Establish an Isolation Plan

The nuclear option must be pre-planned, pre-tested, and sufficiently exercised to be executable at machine speed.

When Costa Rica got hit, they had to make desperate real-time decisions about what to disconnect. When Colonial Pipeline went down, the operator shut the entire pipeline as a precaution because it could not be certain the OT side was clean; the isolation plan amounted to “shut it all down and hope for the best.”

Breach-ready enterprises have clear breach containment strategies ready to surgically disconnect compromised segments to keep the critical OT systems “unaffected”.

You test these plans. Quarterly. With operations teams. With executive buy-in. Because when you are in the middle of an active breach, you need muscle memory, not committee meetings.
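Principle 6 (contain the blast: a vendor account that reaches only its own PLC, an engineering laptop that cannot touch the safety system) and Principle 8 (a pre-planned, surgical disconnect) are the same mechanism seen from two sides: an explicit zone-and-conduit policy in which every conduit can be switched off. The following is an added example, not code from the NCSC guidance or the original post. It models a default-deny policy over constructed zones, evaluates sample flows, and rehearses an isolation plan for one zone without touching the rest. All zone names, addresses and principals are assumptions made up for the example.

```python
"""Added example (not from the NCSC guidance or the original post): a default-deny
zone-and-conduit policy with disconnectable conduits and per-principal vendor
grants, evaluated against constructed flows. Every zone, address and name below
is an assumption made up for the example."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Conduit:
    name: str
    src_zone: str
    dst_zone: str
    services: frozenset               # e.g. frozenset({"modbus/502"})
    require_identity: bool = False    # remote-access conduits must name a granted principal
    connected: bool = True            # flipped to False by the isolation plan


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    service: str
    principal: Optional[str] = None   # authenticated identity behind the flow, if any


class ZonePolicy:
    """Every flow needs an explicit, connected conduit; there is no implicit same-zone allow."""

    def __init__(self, assets: dict, conduits: list, grants: dict):
        self.assets = assets                           # ip -> zone (the asset inventory)
        self.conduits = {c.name: c for c in conduits}
        self.grants = grants                           # principal -> set of ips it may reach

    def decide(self, flow: Flow) -> tuple:
        src_zone, dst_zone = self.assets.get(flow.src_ip), self.assets.get(flow.dst_ip)
        if src_zone is None or dst_zone is None:
            return False, "unknown asset: not in inventory"
        for c in self.conduits.values():
            if (c.src_zone, c.dst_zone) != (src_zone, dst_zone) or flow.service not in c.services:
                continue
            if not c.connected:
                return False, f"conduit {c.name} disconnected"
            if c.require_identity:
                if flow.principal is None:
                    return False, f"conduit {c.name} requires an authenticated principal"
                if flow.dst_ip not in self.grants.get(flow.principal, set()):
                    return False, f"principal {flow.principal} not granted access to {flow.dst_ip}"
            return True, f"conduit {c.name}"
        return False, f"no conduit {src_zone} -> {dst_zone} for {flow.service}"

    def isolate_zone(self, zone: str, dry_run: bool = False) -> list:
        """Disconnect every conduit touching `zone`; with dry_run, only report what would be cut."""
        hit = [c for c in self.conduits.values() if zone in (c.src_zone, c.dst_zone) and c.connected]
        if not dry_run:
            for c in hit:
                c.connected = False
        return sorted(c.name for c in hit)

    def reconnect(self, name: str) -> None:
        self.conduits[name].connected = True


def build_policy() -> ZonePolicy:
    """Constructed plant: IT, DMZ, supervisory (HMI + engineering), control (PLCs), safety, vendor."""
    assets = {
        "10.1.0.20": "it-corp",        # corporate workstation
        "10.2.0.10": "dmz",            # historian / jump host
        "10.10.1.5": "supervisory",    # HMI
        "10.10.1.9": "supervisory",    # engineering laptop
        "10.20.0.11": "control",       # PLC-A
        "10.20.0.12": "control",       # PLC-B
        "10.30.0.5": "safety",         # safety instrumented system
        "203.0.113.7": "vendor",       # vendor remote-access gateway
    }
    conduits = [
        Conduit("it-to-dmz", "it-corp", "dmz", frozenset({"https/443"})),
        Conduit("dmz-to-sup", "dmz", "supervisory", frozenset({"opcua/4840"})),
        Conduit("sup-to-ctl", "supervisory", "control", frozenset({"modbus/502"})),
        Conduit("vendor-to-ctl", "vendor", "control", frozenset({"modbus/502"}), require_identity=True),
        # Deliberately no conduit into "safety": nothing on the network may reach the SIS.
    ]
    grants = {"acme-vendor": {"10.20.0.11"}}   # the vendor maintains PLC-A only
    return ZonePolicy(assets, conduits, grants)


if __name__ == "__main__":
    p = build_policy()
    for f in [Flow("10.10.1.5", "10.20.0.11", "modbus/502"),
              Flow("10.10.1.9", "10.30.0.5", "modbus/502"),
              Flow("203.0.113.7", "10.20.0.12", "modbus/502", "acme-vendor")]:
        print(f.src_ip, "->", f.dst_ip, p.decide(f))
    print("isolation plan for supervisory:", p.isolate_zone("supervisory", dry_run=True))
```

The `dry_run` path is the rehearsal the text asks for: it lists exactly which conduits an isolation order would cut, so operations can confirm before an incident that cutting the supervisory zone does not also cut the vendor path to PLC-A or, more importantly, anything the plant needs to run safely. The policy object is only the decision logic; in a real deployment the same rules would be pushed to the boundary firewalls and segment enforcers, and the disconnect would be an enforcement-plane change, not a Python flag.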

The Compliance Trap (And How to Avoid It)

Here is where most of us fall into a trap. We read the NCSC guidance. We tick the boxes. We tell the board, “We are compliant!” Then we get breached. And compliance meant nothing.

Because compliance measures what you have implemented. Breach readiness measures what survives when you are compromised. Checkbox compliance is the floor, not the ceiling. Remember that these principles are “intended as goals rather than minimum requirements.”

Compliance thinking:

  • ☑ “We implemented network segmentation”
  • ☑ “We deployed a firewall”
  • ☑ “We have logging enabled”

Breach ready thinking:

  • ☑ “Our microsegmentation policies are reviewed monthly, using automated attack-path analysis, to remove attack paths; every conduit can be disconnected immediately.”
  • ☑ “Our OT boundary and inter-segment controls are current, still supported (not end-of-life), and enforce zero-trust policies that contain attacks to non-critical areas while our digital business operates unaffected.”
  • ☑ “Every scan that reaches one of our OT decoys is mapped to ATT&CK for ICS techniques and fed to an OT-aware SOC, which can block the attacker before the attack proper begins.”
  • ☑ “Our leadership has agreed, and can see at any time, the maximum acceptable material impact and the minimum viable digital business.”

See the difference? One is a checklist. The other is a survival strategy.

Being Breach Ready is Gaining Hindsight as Foresight

Here is the breach ready question: “How fast can you detect an attacker already inside your OT network?” Days? You are cooked. Hours? Better, but still bad. Minutes? Now we are talking.

When attackers breach your suppliers, breach-ready microsegmentation ensures they cannot pivot to the shop floor, and they are contained to the specific devices they are authorized to access. This is Principle 6 in action.

The question is not whether you can afford to be breach ready. It is whether you can afford NOT to be.

If you are a CISO or CTO reading this, here is the executive summary for your board:

“The NCSC, alongside US, Australian, Canadian, German, and Dutch cybersecurity agencies, has just released joint guidance on secure OT connectivity for owners and operators of essential services and critical infrastructure. It is framed as goals rather than minimum requirements, but it is the benchmark against which our OT security will now be judged.

But compliance alone will not protect us when we are breached. We need to be breach-ready and architected to ensure our critical business functions remain unaffected even when attackers penetrate our defenses.

The question is not IF we will be breached. It is WHEN. And whether we survive the onslaught.

I am requesting approval to implement a three-phase breach-ready architecture over the next 12 months, prioritizing our most critical systems first. The investment is measured and proportionate. The cost of NOT doing this, judging by recent industry breaches (one of which needed a £1.5 billion government loan guarantee to stay afloat), is weeks of operational disruption, regulatory penalties, and potential safety incidents.

Would you approve us to be breach ready?”

The Uncomfortable Truth

Costa Rica’s government had cybersecurity policies. Colonial Pipeline had security controls. JLR had compliance programs.

None of them were breach ready.

Here is what I want you to understand: The NCSC guidance is excellent. Comprehensive. Well-researched. Based on real incidents. But it is also incomplete in one critical way. It tells you WHAT to do. It does not tell you how to survive WHEN you are breached.

That is where breach readiness comes in. That is where microsegmentation, identity controls, deception, and OT-aware SOCs transform compliance checkboxes into survival mechanisms.

Your Action Plan (Starting today):

  1. Download the 33-page NCSC guidance. Read it. Understand it. (NCSC guidance)
  2. Conduct a breach readiness and impact assessment for OT environments ASAP — What existing vulnerabilities, configuration gaps, and unmonitored open access affect the OT systems that absolutely cannot be compromised without a catastrophic impact?
  3. Map your current architecture against the 8 principles — Where are the gaps?
  4. Prioritize based on risk, not ease — The hardest changes might be the most critical.
  5. Build the business case — Use JLR, Colonial Pipeline, and Costa Rica as cautionary tales of what happens when you are NOT breach ready.
  6. Start with microsegmentation — Protect your crown jewels first, then expand.
  7. Exercise your breach containment plan — Can you actually disconnect OT in an emergency? Have you tried? What would the leaders do? What would the managers do? What would the suppliers do? Who would take action and how fast?
  8. Measure breach readiness, not just compliance — How fast can you disconnect? How effectively can you contain?

The only question you should be asking… Are we breach ready yet?

Should you want to get started on your breach readiness journey, talk to us.