CISA’s new guidance on operational technology communications, published on 10 February 2026, sets out a problem most asset owners already understand: secure protocol variants exist, but adoption is uneven because the cost, complexity, and operational risk land on the operator long after the standards committee has finished its work. The document, titled Barriers to Secure OT Communication: Why Johnny Can’t Authenticate, draws on interviews with OT asset owners and operators across water and wastewater, transportation, chemical, energy, and food and agriculture.
Richard Groome, OT specialist at e2e-assure, argues that the debate is being warped by the assumption that legacy estates can be “fixed” with a simple security uplift. “CISA’s guidance rightly highlights the importance of secure, authenticated communications in OT but the reality for many operators is that retrofitting legacy systems simply isn’t always possible,” he said. “In some cases, hardware limitations, vendor constraints, or safety certification boundaries mean you cannot just ‘switch on’ encryption without unacceptable operational risk.”
CISA’s own research leans into the practical distinction between message signing, which delivers integrity and authentication, and encryption, which delivers confidentiality. CISA prioritises signing and positions encryption as selective and use-case driven, particularly where credentials, keys, and management traffic are involved. That matters because encryption can introduce latency, add bandwidth overhead on constrained field networks, and blind defenders who rely on traffic inspection.
Availability constraints are the other side of the ledger. Operators have expressed concerns around observability, latency and bandwidth, and about whether “secure” protocol implementations can be trusted not to disrupt operations, citing IEC 61850 requirements that include a 3 ms maximum end-to-end delay for certain protection messages. Although secure protocol options such as DNP3 Secure Authentication, CIP Security, Modbus Security, and OPC UA have been available for well over a decade, many environments still default to implicit trust inside the OT network boundary.
Groome’s response is to treat secure-by-design comms as the destination, but assurance as the day job. “If you can’t fundamentally change the protocol, you must increase visibility, monitoring and assurance around it,” he said, adding that UK energy, water, and transport operators are increasingly being judged on evidence rather than architecture diagrams. “The conversation is shifting from ‘why haven’t you encrypted everything?’ to ‘how do you prove you understand and are managing the risk?’”
That proof quickly becomes operationally specific: segmentation that reflects process realities rather than VLAN neatness, remote access controls that assume supplier connectivity is permanent, behavioural monitoring to spot man-in-the-middle manipulation and unauthorised commands, and detection of configuration drift so that the controls claimed in the audit pack still exist on the Friday evening it is written.
CISA’s guidance also points to phased deployment, including signing OT communications broadly, encrypting where sensitive data and key exchange require it, and prioritising secure communication on remote access paths and firmware uploads, while urging manufacturers to reduce usability friction and publish performance testing data.
The reality is that secure comms is rarely blocked by algorithms; it is blocked by lifecycle ownership. PKI deployment and maintenance pose real operational challenges, alongside responsibility gaps between OT teams and security teams and the very real risk that an expired certificate or key disrupts critical messaging. But that is the point at which Groome’s perspective echoes the essence of basic engineering: measure what is happening, constrain what you can, and prove the control objectives are still being met.
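As an added illustration of two points in this piece, the sign-versus-encrypt distinction CISA draws and the key-lifecycle failure mode just described, the Python below authenticates a constructed Modbus-style register-write frame with an HMAC-SHA256 tag while leaving the payload in clear. This is example code written for this page, not code from CISA's document or from e2e-assure, and the frame layout, the session key, the expiry timestamp and the truncated tag length are all assumptions; none of it is the wire format of DNP3 Secure Authentication, Modbus Security or CIP Security. It shows that a passive monitor can still parse the function code and setpoint, that a man-in-the-middle edit to the value fails verification, that a replayed frame is rejected by its sequence number, and that a message sent after the assumed key lifetime is rejected outright, which is the outage an unmanaged certificate or key expiry produces. It also times sign-plus-verify so the per-message cost of the MAC itself can be set against the 3 ms budget mentioned earlier.

```python
import hashlib
import hmac
import struct
import time

# Added example, not CISA's or e2e-assure's code. The frame layout, key and
# expiry below are constructed for illustration and are NOT the wire format
# of DNP3 SA, Modbus Security or CIP Security.

SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # assumed pre-shared session key
KEY_VALID_UNTIL = 1_800_000_000   # assumed key/certificate lifetime as a Unix timestamp
HEADER = ">BHHI"                  # function code, register, value, sequence number (all in clear)
HEADER_LEN = struct.calcsize(HEADER)  # 9 bytes
TAG_LEN = 16                      # truncated HMAC-SHA256 tag appended to the frame


def build_frame(function_code, register, value, seq):
    """Plaintext command frame; nothing in it is hidden from a passive monitor."""
    return struct.pack(HEADER, function_code, register, value, seq)


def sign(frame, key=SESSION_KEY):
    """Append an integrity/authentication tag; the payload itself stays readable."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]


def inspect(frame):
    """What a traffic-monitoring tool sees: the fields in clear, no decryption needed."""
    fc, reg, val, seq = struct.unpack(HEADER, frame[:HEADER_LEN])
    return {"function_code": fc, "register": reg, "value": val, "seq": seq}


def verify(signed, now, last_seq, key=SESSION_KEY):
    """Return (accepted, reason, fields); rejects expired keys, bad tags and replays."""
    if now > KEY_VALID_UNTIL:
        return False, "key expired", None      # the lifecycle failure mode: valid traffic is refused
    if len(signed) != HEADER_LEN + TAG_LEN:
        return False, "malformed", None
    frame, tag = signed[:HEADER_LEN], signed[HEADER_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return False, "bad tag", None          # integrity/authentication failure
    fields = inspect(frame)
    if fields["seq"] <= last_seq:
        return False, "replay", None           # old command re-sent on the wire
    return True, "ok", fields


def tamper_value(signed, new_value):
    """Man-in-the-middle edit of the setpoint without access to the key (no re-signing)."""
    fc, reg, _, seq = struct.unpack(HEADER, signed[:HEADER_LEN])
    return struct.pack(HEADER, fc, reg, new_value, seq) + signed[HEADER_LEN:]


def sign_verify_latency_us(rounds=2000):
    """Mean microseconds for one sign+verify, to compare against a 3 ms message budget."""
    frame = build_frame(6, 0x0010, 1500, 1)
    start = time.perf_counter()
    for _ in range(rounds):
        verify(sign(frame), now=0, last_seq=0)
    return (time.perf_counter() - start) / rounds * 1e6


if __name__ == "__main__":
    now = 1_700_000_000                         # assumed current time, before key expiry
    cmd = sign(build_frame(6, 0x0010, 1500, 42))  # write register 0x0010 := 1500, seq 42
    print("genuine  :", verify(cmd, now, last_seq=41))
    forged = tamper_value(cmd, 9999)
    print("monitor  :", inspect(forged))          # still parseable by a monitor
    print("tampered :", verify(forged, now, last_seq=41))
    print("replayed :", verify(cmd, now, last_seq=42))
    print("expired  :", verify(cmd, 1_900_000_000, last_seq=41))
    print("sign+verify mean: %.1f us" % sign_verify_latency_us())
```

The verifier deliberately checks the key lifetime before the tag: once the key or certificate has lapsed, every genuine command is refused, which is the operational risk the text attributes to PKI lifecycle gaps rather than to the cryptography itself.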