Why secure OT protocols still struggle to catch on

Industrial control system networks continue to run on legacy communication protocols that were built for reliability and uptime, not authentication or data integrity. In many environments, malicious actors with access to the OT network can impersonate devices, issue unauthenticated commands, or modify messages in transit without detection.

A new guidance document from the Cybersecurity and Infrastructure Security Agency (CISA) explains why secure versions of common industrial protocols remain underused, even though they have existed since the early 2000s. The report focuses on the gap between what secure protocols can technically provide and what operators can realistically deploy and maintain across OT environments.

Joe Saunders, CEO of RunSafe Security, told Help Net Security that secure protocol availability has not translated into broad adoption. “Simply having ‘secure’ protocol options is not enough if those options remain too costly, complex, or fragile for operators to adopt at scale,” Saunders said. “We need protections that work within real-world constraints, because if security is too complex or disruptive, it simply won’t be implemented.”

CISA based its findings on interviews with OT asset owners and operators across the Water and Wastewater Systems, Transportation Systems, Chemical, Energy, and Food and Agriculture sectors.

The guidance describes three core weaknesses in legacy industrial protocols: lack of authentication, lack of integrity protections, and lack of confidentiality safeguards. Those weaknesses enable attackers who gain OT network access to impersonate devices, modify messages, or issue unauthorized commands.

Secure protocol options exist, but adoption lags

The report points out that secure protocol versions have been available since the early 2000s. Examples include DNP3 Secure Authentication, CIP Security, Modbus Security, and OPC Unified Architecture. Many OT systems still run protocol implementations designed decades ago, leaving communications based on implicit trust.

Security features that require complex workflows, extra licensing, or new infrastructure often lose out to simpler compensating controls. Operators interviewed said they want the benefits of authentication and integrity checks, particularly message signing, since it prevents spoofing and unauthorized command execution.

Signing and encryption are often treated as the same thing

One theme in the guidance is confusion over the difference between signing and encryption.

CISA defines signing as providing integrity and authentication, and encryption as providing confidentiality. Signing can be deployed without encrypting traffic. Encryption often includes signing by default, though operators still need to verify their systems enforce integrity checks.

Many operators assumed secure communication always means encrypting all traffic, which created concerns about monitoring and troubleshooting.

The guidance describes multiple deployment models, including signing-only deployments, signing all traffic while encrypting selected traffic, and encrypting everything.
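The signing-only model described above, as an added illustration that is not part of the CISA guidance or this article: a plaintext command frame carries a sequence counter and an HMAC-SHA256 tag, so a gateway or device can reject tampered, spoofed, or replayed messages while monitoring tools still read the command bytes. The key, frame layout, and Modbus-style sample command are constructed assumptions, not the wire format of DNP3 Secure Authentication or CIP Security.

```python
import hashlib
import hmac
import struct

# Constructed shared key, assumed to be provisioned out of band (hypothetical value).
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                    "101112131415161718191a1b1c1d1e1f")
TAG_LEN = 32   # HMAC-SHA256 output size
SEQ_LEN = 4    # 32-bit big-endian sequence counter

# Constructed sample: Modbus-style "write single register" (unit 1, function 0x06,
# register 0x0010, value 100). The payload stays in the clear under signing-only.
CMD = bytes.fromhex("010600100064")


def sign_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sign-only framing: seq || payload || HMAC(key, seq || payload)."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_frame(key: bytes, frame: bytes, last_seq: int):
    """Return (accepted, seq, payload).

    Rejects truncated frames, bad tags (tampering or a spoofed sender without
    the key), and sequence numbers that do not advance (replay)."""
    if len(frame) < SEQ_LEN + TAG_LEN:
        return False, last_seq, b""
    header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, last_seq, b""
    seq = struct.unpack("!I", header)[0]
    if seq <= last_seq:
        return False, last_seq, b""
    return True, seq, payload


def tampered_copy(frame: bytes) -> bytes:
    """Flip the low byte of the register value (payload byte 5) without re-signing."""
    buf = bytearray(frame)
    buf[SEQ_LEN + 5] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    good = sign_frame(KEY, 1, CMD)
    print("genuine:", verify_frame(KEY, good, 0))
    print("tampered:", verify_frame(KEY, tampered_copy(good), 0))
    print("replayed:", verify_frame(KEY, good, 1))
    print("spoofed:", verify_frame(KEY, sign_frame(b"wrong-key", 2, CMD), 1))
```

Encrypting the payload would be a separate layer on top of this framing; the point here is that integrity and sender authentication do not require hiding the command from the network monitor.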

Cost and complexity drive security decisions

Researchers identified cost as a primary barrier to adoption. Operators reported that upgrading a component to support secure communications can cost as much as the original component, with additional licensing fees in some cases. Costs also include hardware upgrades for cryptographic workloads, training staff, integrating certificate management, and supporting compliance requirements.

Operators frequently compared secure protocol deployment costs with segmentation and continuous monitoring tools, which they viewed as more predictable and easier to justify.

Aaron Warner, CEO of ProCircular, said the findings reflect a larger coordination problem across OT environments. “If CISA’s new OT guidance surfaced anything, it’s this: secure communications in industrial environments are an ongoing governance challenge,” Warner said. “Organizations must align engineering, IT security, and vendors around cost, change control, and uptime while taking a phased approach to modernization.”

Another cost-driven choice involves whether to replace OT components or “wrap” traffic. Wrapping keeps legacy protocols in place and adds a gateway to authenticate and secure traffic between network segments. Wrapping improves security but does not protect communications beyond the gateway’s coverage.

Availability fears remain a major blocker

CISA also found that availability concerns slow adoption, especially in environments with older infrastructure.

Operators raised concerns around three main issues: observability, latency and bandwidth, and overall confidence that secure protocols will not disrupt operations.

For latency, the report cites IEC 61850 requirements, including a 3 millisecond maximum end-to-end delay for certain protection messages. Operators worried that cryptographic signing could exceed those limits if devices lack sufficient processing power.

Encryption also raised bandwidth concerns, particularly for constrained field networks where adding overhead could require infrastructure upgrades.

Warner said those concerns often determine how far organizations are willing to push changes. “The biggest sticking points we see typically come down to cost, complexity, and confidence in making operational changes,” he said.

PKI remains one of the hardest problems

Public key infrastructure (PKI) emerged as a major operational challenge. Most operators interviewed described PKI deployment and maintenance as difficult, requiring third-party service providers or system integrator support.

The report also notes that secure communications often fall into a responsibility gap. Operators manage field devices, security teams manage PKI, and neither group always has full ownership of certificate lifecycle operations.

Researchers also highlight certificate expiration as a practical risk. Operators worried that expired certificates could cause critical safety messages to be dropped. Some considered approaches that avoid enforcing certificate expiration checks early in deployment, then tightening controls over time as confidence increases.

Recommendations focus on usability and phased deployment

CISA’s recommendations emphasize phased approaches and operational realism. Owners and operators are advised to sign OT communications broadly, apply encryption where needed for sensitive data such as passwords and key exchanges, and prioritize secure communication on remote access paths and firmware uploads.

Manufacturers are urged to include secure communication capabilities by default, support crypto-agility, publish bandwidth and performance testing data, and provide clearer upgrade paths for legacy systems.

Saunders said adoption will depend on whether vendors reduce friction for operators. “The path forward is making secure-by-design technologies easier to adopt at scale so resilience becomes the default,” he said.

Post-quantum cryptography transitions will increase pressure on OT environments to support crypto-agility and scalable key management during the lifespan of systems purchased in the 2020s.
