The NCSC’s Secure Connectivity Principles for OT: what brokers should know | News | Brit



Operational Technology has long been a quiet cornerstone of the UK’s industrial economy. From manufacturing across food and drink, automotive and pharmaceuticals, to energy, utilities and transportation, OT systems keep essential services running. Systems that were once isolated are now connected to IT networks, suppliers, and cloud services. While this can bring efficiency and increased productivity, it also increases exposure to cyber risks faster than many organisations are prepared for. 

The UK’s National Cyber Security Centre has recently published its Secure Connectivity Principles for OT. While the guidance is not mandatory, it is an important signal of how cyber risk in industrial environments is evolving and the standards organisations are expected to meet. 

As a broker working with large industrial clients, this guidance gives you a valuable and modern framework to anchor conversations around OT cyber exposure and the potential consequences of insecure connectivity. 

What the NCSC guidance is really about

The Secure Connectivity Principles are designed to help organisations make safer, risk-based decisions when connecting OT systems. They apply to any organisation operating OT, particularly in sectors where cyber incidents could cause physical damage, safety incidents or service disruption.  

What is new is not the acknowledgement of risk, but the structure. The NCSC sets out eight principles that guide organisations towards a deliberately controlled and secure OT environment. The emphasis is on reducing unnecessary exposure, strengthening the boundary between IT and OT, and establishing monitoring that reflects real-world cyber threats rather than theoretical risks. The eight principles are as follows:

1. Balance the risks and opportunities 

Before making any OT connectivity change, organisations should weigh the operational benefit against the cyber and safety risks. Every connection should have a clear, documented rationale for why it is needed. That assessment should cover older equipment that cannot be patched, dependencies on external services, and what would happen if the connection failed or were misused.

2. Limit the exposure of your connectivity

Reduce unnecessary or poorly controlled connections to minimise the attack surface. Only essential connections should exist, and exposure time should be kept short wherever possible. 

3. Centralise and standardise network connections

Where connectivity is required, access paths should be standardised so that consistent controls can be applied at every access point, which in turn streamlines logging, monitoring and incident response.

4. Use standardised and secure protocols

To protect important operational data, modern, secure communication protocols should be preferred over legacy ones that lack basic security features such as authentication and encryption. Where a legacy protocol must remain, there must be an approved business need for it, and compensating controls must be applied.

5. Harden your OT boundary

The boundary between IT and OT should be defended with appropriate preventative controls, such as removing unused ports and services and deploying firewalls capable of deeper traffic inspection (next-generation firewalls). This reduces the chance of a compromise in one domain spreading to the other. OT systems should never be directly exposed to the internet, as that gives an attacker a direct route in.

6. Limit the impact of compromise 

Accepting that breaches may happen, OT networks should be segmented and designed to prevent the propagation of malware or insecure configurations. Tested incident response and recovery plans should also be in place to ensure that any compromise can be contained effectively. 

7. Ensure all connectivity is logged and monitored 

Comprehensive logging and continuous monitoring are essential for detecting suspicious activity, supporting investigations, and informing response decisions. 

8. Establish an isolation plan

Organisations should have plans to isolate critical systems or disconnect insecure connections quickly, if needed, preserving operational safety and continuity. 
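As an added illustration (not code from the NCSC guidance or from Brit), the following Python script audits a constructed OT connectivity inventory against the principles above, flagging each connection that falls short and tagging the finding with the principle it breaches. The record fields, the zone names, the list of protocols treated as legacy and the sample connections are all assumptions made for the example.

```python
"""Audit an OT connectivity inventory against the eight NCSC principles
summarised above.  Added illustration, not NCSC or Brit tooling; the record
layout, zone names and the legacy-protocol list are assumptions."""
from dataclasses import dataclass, field

# Assumed classifications (not taken from the NCSC text).
LEGACY_PROTOCOLS = {"modbus/tcp", "telnet", "ftp", "http", "snmpv2c", "dnp3"}  # no auth/encryption
OT_ZONES = {"ot-dmz", "ot-control", "ot-safety"}
INTERNET_ZONES = {"internet"}
STANDARD_ACCESS_PATHS = {"jump-host", "ot-dmz-broker"}  # principle 3: centralised paths


@dataclass
class Connection:
    name: str
    src_zone: str
    dst_zone: str
    protocol: str
    kind: str = "data"              # "data" feed or interactive "remote-access"
    rationale: str = ""             # principle 1: documented business reason
    approved: bool = False          # principle 4: approved need for a legacy protocol
    compensating: list[str] = field(default_factory=list)  # principle 4 controls
    persistent: bool = True         # principle 2: remote access should be time-limited
    via: str = ""                   # principle 3: standardised access path, "" = direct
    logged: bool = False            # principle 7
    isolation_plan: str = ""        # principle 8: how to cut this link in an emergency


def audit(conn: Connection) -> list[str]:
    """Return principle-tagged findings for one connection; an empty list is clean."""
    findings = []
    if not conn.rationale.strip():
        findings.append("P1: no documented rationale for this connection")
    remote = conn.kind == "remote-access"
    if remote and conn.persistent:
        findings.append("P2: remote access is always-on rather than time-limited")
    if remote and conn.via not in STANDARD_ACCESS_PATHS:
        findings.append("P3: remote access bypasses the standardised access path")
    if conn.protocol.lower() in LEGACY_PROTOCOLS and not (conn.approved and conn.compensating):
        findings.append(f"P4: legacy protocol {conn.protocol} lacks approval or compensating controls")
    if conn.src_zone in INTERNET_ZONES and conn.dst_zone in OT_ZONES and not conn.via:
        findings.append("P5: OT zone reachable directly from the internet")
    if not conn.logged:
        findings.append("P7: connection is not logged or monitored")
    if not conn.isolation_plan.strip():
        findings.append("P8: no documented isolation step for this connection")
    return findings


def audit_inventory(conns: list[Connection]) -> dict[str, list[str]]:
    """Map connection name -> findings, listing only connections with at least one."""
    return {c.name: f for c in conns if (f := audit(c))}


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Connection("vendor-remote-support", "internet", "ot-control", "rdp",
               kind="remote-access"),  # undocumented, direct, always-on, unlogged
    Connection("historian-feed", "it-corp", "ot-dmz", "opc-ua",
               rationale="production KPI reporting", via="ot-dmz-broker",
               logged=True, isolation_plan="disable FW rule OT-DMZ-12"),
    Connection("plc-polling", "ot-dmz", "ot-control", "modbus/tcp",
               rationale="historian collector reads PLC registers", approved=True,
               compensating=["protocol-aware firewall", "read-only function-code allowlist"],
               logged=True, isolation_plan="disable FW rule OT-CTRL-03"),
    Connection("engineering-laptop", "it-corp", "ot-control", "telnet",
               kind="remote-access", rationale="PLC firmware maintenance",
               persistent=False, via="jump-host", logged=True,
               isolation_plan="revoke jump-host session"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as-is, the script reports six findings against the direct vendor connection and a single principle 4 finding against the engineering laptop (Telnet over an otherwise well-controlled path), while the historian feed and the approved Modbus polling link pass. The point for a client conversation is that the same inventory answers most of the questions the principles pose, and a connection with no rationale, no log and no isolation step is exactly the kind of exposure the guidance is trying to remove.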

These principles are intended as desirable end goals, not minimum requirements. They can be applied to both new and existing OT systems to improve resilience against cyber threats while maintaining safe and reliable operations. For your clients, this guidance reinforces a key point. OT cyber risk is no longer just an IT issue. It is an operational, safety and resilience issue with real-world physical consequences. 

Why this matters for industrial cyber risk

Heavy industry, utilities, manufacturing, rail and energy businesses have traditionally relied on physical isolation to protect OT. As remote access, third-party maintenance, data integration and automation increase, the traditional model of isolation is breaking down.  

The NCSC guidance is clear: insecure OT connectivity can lead to physical damage, environmental harm and prolonged service outages. Those outcomes fall uncomfortably between traditional cyber and property insurance responses.

This is where many organisations find themselves exposed. A typical cyber policy will exclude physical damage to property, machinery or materials. At the same time, many “all risk” property policies exclude cyber-triggered losses altogether, or only offer limited cover for narrow scenarios. The result is a significant blind spot, exactly where cyber compromise meets physical impact. 

Worried about industrial cyber risk?

Consider BCAP

Our BCAP product was designed with this challenge in mind. It offers clients the option of cyber-only cover or combined cyber and physical damage protection. The combined cover is particularly relevant for OT-heavy businesses where a cyber incident can lead directly to physical loss. 

By bridging the gap between traditional cyber and property policies, BCAP reflects the reality highlighted by the NCSC guidance. Cyber events do not stop neatly at digital boundaries. In OT environments, they can damage equipment, disrupt production and interrupt essential services.  

For you, this creates a more grounded and relevant discussion with clients. Rather than talking about cyber in abstract terms, you can link the NCSC’s secure connectivity principles directly to operational resilience, safety and financial loss. 

Turning guidance into meaningful broker conversations

The NCSC’s Secure Connectivity Principles give you a credible, independent reference point. They help frame why OT cyber risk deserves attention now, and why relying on legacy separation or narrow policy wordings may no longer be enough.  

By pairing that guidance with a combined cyber and physical damage solution, you can help clients move beyond awareness and into practical resilience. Rather than a compliance-based tick-box exercise, the aim is to build resilience that reflects how modern industrial systems truly operate.   

For clients running critical infrastructure, this is no longer a future concern. It is a present risk, and one where informed brokers can add real value. If you want more information, speak to our cyber team today.