One Platform, Total OT Protection: Cato’s Response to CISA’s Mitigation Guidelines
When OT Devices Are Left Exposed
It started with a sudden change in chemical levels at a water treatment plant. A threat actor raised the sodium hydroxide setpoint to more than 100 times its normal value, putting the community's water supply at risk of being poisoned. Luckily, the change was caught and reversed in time.
This is not fiction. It is one of several real incidents reported in 2021. Since then, further incidents targeting water utilities and other OT infrastructure have been identified. Threats to OT critical infrastructure are real and already here.
As OT environments grow increasingly connected, the risks are no longer theoretical. According to CISA’s recently released Primary Mitigations to Reduce Cyber Threats to Operational Technology, threat actors exploit weak access controls, flat networks, and exposed internet-facing systems to compromise industrial assets.
To address these risks, CISA outlines five key mitigations:
- Remove OT connections to the public internet.
- Enforce secure remote access to OT networks.
- Segment OT and IT networks.
- Change default passwords immediately and use strong, unique passwords.
- Practice and maintain the ability to operate OT systems manually.
Supporting CISA’s recommendations, the National Institute of Standards and Technology (NIST) provides complementary guidance in SP 800-82. It advises segmenting OT from IT networks to reduce risk, highlights that IIoT systems often depend on internet connectivity (Section 2.3.8), and stresses the importance of perimeter protections to prevent direct exposure of OT devices. NIST also emphasizes securing remote access through strong authentication and continuous monitoring (Sections 6.2.10 and 5.2.5.4).
Using the Cato SASE Cloud Platform, organizations can act on these recommendations immediately through a single, converged solution that provides full visibility, secure remote access, deep segmentation, threat prevention, and control over outbound OT connections to reduce exposure to the public internet.
How We Can Help: Enabling CISA Mitigations Through Cato’s SASE Platform
In Table 1, we provide a brief summary of how Cato helps implement CISA’s primary OT security recommendations. In the sections that follow, we take a closer look at each key mitigation, with practical examples, explanations, and visuals that demonstrate how we support OT environments.
Table 1: Summary of How Cato Helps Mitigate CISA Recommendations
Visibility and Control Over OT Environments
Before diving into each mitigation, it’s important to understand how we help our customers manage OT risk governance across their organization. Our Device Dashboard includes Device Inventory summary widgets (Figure 1), Discovery Now widgets (Figure 2) and Security widgets (Figure 3). The Dashboard provides full visibility into device communications, network flows, access control events, and policy enforcement. Additionally, it enables monitoring of OT traffic patterns and supports the definition of geo-restricted communications, making it easier to limit device interactions by region or IP range.
Figure 1: Device Dashboard – Device Inventory Summary
Figure 2: Device Dashboard – Discovery Now Widgets
Figure 3: Device Dashboard – Security Widgets
Now, let’s dive into each of the relevant mitigations where we can help and provide more technical insights.
Removing OT Connections to the Public Internet
In many cases, organizations are not even aware that their OT devices are reachable from the public internet. The exposure typically comes from open ports, industrial protocols such as Modbus, DNP3, or BACnet that carry no authentication or encryption of their own, or misconfigured routing and NAT rules, all of which hand attackers a direct entry point: for these protocols, reachability is control.
With Cato, you can:
- Instantly block such industrial protocols at the Internet, WAN or LAN firewall level.
- Create application-specific rules to prevent outbound connections from sensitive devices.
- Monitor unauthorized attempts to reach external IPs and automate alerts.
Additionally, our default-deny, allowlist approach ensures that only explicitly allowed traffic is permitted, closing doors before attackers can find them.
Figure 4 shows an example Internet Firewall policy that blocks OT protocols: a granular rule denies outbound Modbus communication from OT segments to any external address. Figure 5 shows how a LAN Firewall rule allows the same OT protocols to travel between specific VLANs inside the site.
Figure 4: Example of Internet Firewall Policy Blocking OT Protocols
Figure 5: Example of LAN Firewall Policy Allowing OT Protocols
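As an added, vendor-neutral illustration (not Cato's own policy syntax or code), the following Python script applies the same default-deny logic to flow records: any industrial-protocol flow with a non-internal endpoint is reported as internet exposure, and OT flows inside the network are permitted only when an explicit allow rule matches, mirroring the Internet Firewall block in Figure 4 and the LAN Firewall allow in Figure 5. The port map, the RFC 1918 internal ranges, the single engineering-to-PLC allow rule, and the sample flows are all assumptions constructed for the example.

```python
"""Audit flow records for internet-exposed OT protocols and for OT traffic
that a default-deny segmentation policy does not explicitly allow.
Added illustration with constructed data; not Cato's policy engine."""
import ipaddress
from dataclasses import dataclass

# Well-known industrial protocol ports. None of these protocols
# authenticates or encrypts on its own, so reachability equals control.
OT_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 20000): "DNP3",
    ("udp", 47808): "BACnet/IP",
    ("tcp", 102): "S7comm",
    ("tcp", 44818): "EtherNet/IP",
}

# Assumption: the organization's internal address space (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One allowlist entry: source CIDR -> destination CIDR on proto/port."""
    src_net: str
    dst_net: str
    proto: str
    dport: int

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst_net)
                and f.proto == self.proto and f.dport == self.dport)


# Hypothetical LAN policy: only the engineering VLAN (10.20.0.0/24) may poll
# the PLC VLAN (10.30.0.0/24) over Modbus/TCP. Anything else is denied.
POLICY = [Rule("10.20.0.0/24", "10.30.0.0/24", "tcp", 502)]


def classify(f: Flow, policy: list[Rule]) -> str:
    """Return the audit category for one flow under default-deny semantics."""
    if (f.proto, f.dport) not in OT_PORTS:
        return "not-ot"
    # An OT protocol with a non-internal endpoint is internet exposure,
    # whether the PLC is being reached from outside or is calling out.
    if not (is_internal(f.src) and is_internal(f.dst)):
        return "internet-exposure"
    if any(r.matches(f) for r in policy):
        return "allowed"
    return "segmentation-violation"   # no allow rule matched: default deny


def audit(flows: list[Flow], policy: list[Rule]) -> list[tuple[str, str, Flow]]:
    """Classify every flow; returns (category, protocol name or '-', flow)."""
    return [(classify(f, policy), OT_PORTS.get((f.proto, f.dport), "-"), f)
            for f in flows]


# Constructed sample flows. 203.0.113.0/24 (documentation range) stands in
# for public internet addresses.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "10.30.0.7", "tcp", 502),      # engineering -> PLC
    Flow("10.10.0.44", "10.30.0.7", "tcp", 502),      # IT user VLAN -> PLC
    Flow("203.0.113.9", "10.30.0.7", "tcp", 502),     # internet -> PLC
    Flow("10.30.0.7", "203.0.113.50", "tcp", 20000),  # PLC -> internet (DNP3)
    Flow("10.10.0.44", "203.0.113.50", "tcp", 443),   # ordinary HTTPS, ignored
]

if __name__ == "__main__":
    for category, proto, f in audit(SAMPLE_FLOWS, POLICY):
        print(f"{category:22} {proto:12} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Two points the script makes that the policy screenshots do not: the outbound PLC-to-internet DNP3 flow is flagged as exposure just like the inbound one, because an OT device calling out is exactly the channel a compromised device uses; and the IT-workstation-to-PLC Modbus flow is a violation under default deny even though both ends are internal, which is the segmentation case covered later in the post.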
Securing Access to OT Networks
In many OT environments, remote access is essential, but it is often implemented without sufficient security. Common examples include:
- Vendors connecting through unsecured 4G or 5G cellular routers.
- Jump hosts that serve as gateways between VPNs and OT networks, adding complexity and risk.
- IT teams deploying free remote management tools that may unknowingly contain trojans or be abused for persistent access.
These practices greatly increase the attack surface and expose critical systems to unauthorized access and potential malware infections.
We eliminate these remote access risks by applying a Zero Trust model across our global platform to users, applications, and hosts, inside and outside enterprise locations. OT systems are never exposed to the public internet; instead, remote sessions are routed through Cato's secure cloud backbone. Access is tightly controlled through:
- Multi-factor authentication and identity enforcement.
- Authentication Tokens that validate user identity in real time.
- Device Posture validation, checking over 10 security controls including anti-malware, disk encryption, patching status, and more.
- Granular, context-aware policies that ensure users only access systems needed for their specific role, location and task.
Our clientless access option simplifies vendor or technician connectivity without compromising security. Every session is monitored and all activity is inspected inline by our built-in IPS and anti-malware engines, which detect suspicious behavior and malicious payloads, including within TLS-encrypted traffic where inspection is enabled. If a device or user falls out of compliance, access is revoked immediately, and detailed alerts and logs remain available for audit and response, including automatic story creation in our XDR platform to document the threat and provide remediation guidance.
Remote users connect through the Cato SASE Cloud Platform with enforced identity verification, posture checks, and least-privilege access, all monitored and protected in real time.
In Figure 6, we present a high-level overview of how we perform device discovery and classification across remote sites. In Figure 7, we illustrate our secure remote access and device access control architecture within a distributed network.
Figure 6: Device Discovery, and Classification
Figure 7: Secure Remote Access and Device Access Control – Distributed Network
Segment IT and OT Networks
Shared blast radius is the risk that a single compromised system can affect large portions of the network, a common problem in flat architectures. Many organizations still lack proper segmentation between IT and OT environments and face exactly this risk: once a threat actor breaches a single point, lateral movement to critical systems is easy. With the Cato SASE Cloud Platform, you can enforce segmentation across multiple layers:
- Between sites with the WAN Firewall and policy-based routing.
- Within sites using the LAN Firewall to separate device groups or VLANs.
- Across user roles and services with identity-driven security policies.
Additional benefits include:
- Behavioral monitoring of communication between segments.
- Alerting on unauthorized traffic patterns.
- Site-specific security configurations for edge locations.
- Autonomous policies for FwaaS (new capability).
In Figure 8 we show what IT/OT segmentation and device access control look like in a centralized network.
Figure 8: IT/OT Segmentation and Device Access Control – Centralized Network
While implementing CISA’s recommended mitigations is essential, it’s equally important to detect and respond quickly to any threat actor that may bypass these defenses. That’s why, in addition to prevention, we ensure prompt detection and response through Cato’s XDR platform.
In Figure 9, we show an automated story example generated by Cato’s XDR platform, detailing an OT-related threat, its context, and recommended remediation steps. We recently added enhanced XDR story creation capabilities based on anomaly detection in two key scenarios:
- First Communication Over a New Traffic Direction by an IoT/OT Device: Identifies the first observed instance of an IoT/OT-classified device initiating communication over a previously unused traffic direction (inbound or outbound). This may indicate a misconfiguration, unauthorized access, or a device compromise.
- First-Time Communication Between an IoT/OT Device and a High-Risk Country: Detects the first observed communication between an IoT/OT-classified device and a country considered high-risk based on threat intelligence or organizational policy. Such activity may point to unauthorized access, device compromise, or policy violations.
Figure 9: XDR Story Associated with OT Threat Detection
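To make the two detection scenarios concrete, here is an added Python illustration (not Cato's XDR logic) of first-seen detection over flow records: it learns a baseline from historical flows, then raises an alert the first time an IoT/OT-classified device communicates in a direction it has not used before, and the first time it talks to a high-risk country. The device inventory, the GeoIP table, the high-risk country list (with the placeholder code "XX"), the internal address ranges, and the flow samples are all constructed for the example.

```python
"""First-seen anomaly detection for IoT/OT devices over flow records:
(1) first communication in a new direction, (2) first contact with a
high-risk country. Added illustration with constructed data; not Cato's
XDR logic."""
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


# Assumption: the organization's internal address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed device inventory; only these are treated as IoT/OT-classified.
OT_DEVICES = {"10.30.0.7": "plc", "10.30.0.8": "hmi"}
# Constructed stand-in for a GeoIP database (a real deployment queries one).
GEOIP = {"198.51.100.7": "DE", "192.0.2.10": "US", "203.0.113.50": "XX"}
# Hypothetical high-risk list from policy or threat intel; "XX" is a placeholder.
HIGH_RISK = {"XX"}


class FirstSeenDetector:
    def __init__(self, ot_devices, geoip, high_risk):
        self.ot_devices = ot_devices
        self.geoip = geoip
        self.high_risk = high_risk
        self.seen_direction = set()   # (device_ip, "inbound" | "outbound")
        self.seen_country = set()     # (device_ip, country_code)

    def _endpoints(self, f: Flow):
        """Yield (device, direction, peer) for each OT endpoint of the flow."""
        if f.src in self.ot_devices:
            yield f.src, "outbound", f.dst
        if f.dst in self.ot_devices:
            yield f.dst, "inbound", f.src

    def learn(self, flows):
        """Build the baseline from known-good history without alerting."""
        for f in flows:
            self.observe(f, alert=False)

    def observe(self, f: Flow, alert: bool = True) -> list[str]:
        alerts = []
        for device, direction, peer in self._endpoints(f):
            label = f"{self.ot_devices[device]} {device}"
            if (device, direction) not in self.seen_direction:
                self.seen_direction.add((device, direction))
                if alert:
                    alerts.append(f"{label}: first {direction} communication "
                                  f"(peer {peer}, {f.dport}/{f.proto})")
            if is_internal(peer):
                continue                      # geolocate external peers only
            country = self.geoip.get(peer, "??")
            if (device, country) not in self.seen_country:
                self.seen_country.add((device, country))
                if alert and country in self.high_risk:
                    alerts.append(f"{label}: first communication with "
                                  f"high-risk country {country} (peer {peer})")
        return alerts


# Constructed history used as the baseline: HMI polls PLC; PLC reports to
# a vendor service in DE.
BASELINE = [
    Flow("10.30.0.8", "10.30.0.7", "tcp", 502),
    Flow("10.30.0.7", "198.51.100.7", "tcp", 443),
]
# Constructed live traffic.
LIVE = [
    Flow("10.30.0.8", "10.30.0.7", "tcp", 502),      # routine polling
    Flow("192.0.2.10", "10.30.0.8", "tcp", 22),      # first inbound to HMI
    Flow("10.30.0.7", "203.0.113.50", "tcp", 443),   # PLC -> high-risk country
    Flow("10.30.0.7", "203.0.113.50", "tcp", 443),   # repeat: already seen
    Flow("10.10.0.44", "10.30.0.7", "tcp", 502),     # internal, direction known
]


def run_demo() -> list[list[str]]:
    det = FirstSeenDetector(OT_DEVICES, GEOIP, HIGH_RISK)
    det.learn(BASELINE)
    return [det.observe(f) for f in LIVE]


if __name__ == "__main__":
    for f, alerts in zip(LIVE, run_demo()):
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {alerts or 'no alert'}")
```

Two caveats a practitioner should keep in mind with first-seen logic. The baseline has to be reviewed before it is trusted: a device that was already talking to a high-risk country during the learning period is silently baselined and never alerts. And the last sample, an IT workstation polling the PLC over Modbus, produces no alert because the PLC has received inbound traffic before; catching that is the job of the segmentation policy, not of anomaly detection.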
Conclusion: Putting CISA’s OT Mitigations into Action
CISA’s guidance highlights the importance of isolating OT systems from the public internet, securing remote access, and segmenting IT and OT networks. The Cato SASE Cloud Platform provides the tools needed to implement these controls, including identity-based access, continuous device posture validation, and network segmentation policies. As OT and IT systems become increasingly interconnected, applying these measures consistently is critical for reducing exposure and improving overall security posture.