
The NSA’s New Smart Controller Requirements: A TXOne Guide

May 29, 2025


Background

In April 2025, the National Security Agency (NSA) released their report, Operational Technology Assurance Partnership (OTAP): Smart Controller Security within National Security Systems, to address the lack of formal testing and conformance standards for smart controllers. These are embedded devices in OT environments that automate physical processes and connect to networks. While they improve efficiency, they also increase the attack surface.

According to the report, no formal mechanism currently exists to verify that smart controllers used in National Security Systems (NSS) meet the minimum cybersecurity baseline—known as the moderate-moderate-moderate (M-M-M) baseline. This baseline, established by the NSA in 2023 through Binding Operational Directive (BOD) 2024-001, applies when a breach could cause moderate impact to confidentiality, integrity, or availability. To address this, the study set out to identify which security controls apply to smart controllers and where existing standards fall short.

 

Methodology

NSA analysts mapped all 470 countermeasures required for the M-M-M baseline to existing ISA/IEC 62443-4-2 requirements, which cover embedded devices, host components, network equipment, and software applications. Smart controllers fall under the embedded device category. Of those 470 OT-specific countermeasures, which are defined by NIST SP 800-82 Rev. 3 in combination with CNSSI 1253, the NSA found 154 to be relevant to OT smart controllers.

From there, the NSA evaluated whether each of those NIST countermeasures was satisfied by the mapped component requirements (CR), embedded device requirements (EDR), network device requirements (NDR), and requirement enhancements (RE). Countermeasures that were not fully satisfied by those requirements were flagged as gaps that could prevent a smart controller from meeting the baseline. Based on the combined framework of CNSSI 1253, NIST SP 800-82 Rev. 3, and BOD 2024-001, the NSA created six new requirements, comprising one new CR and five new REs, to align NSS smart controllers with the M-M-M baseline.

 

Why the NSA Moved

To ground its findings, the NSA examined 2023–2024 CVE data from eight leading OT vendors. The findings revealed seven persistent threats across ICS environments:

1. Buffer Overflow

Too much trust in system memory
When a device accepts more data than a temporary memory space (the buffer) can hold, the overflow can spill into adjacent memory areas. Attackers exploit this not just to crash systems, but to sneak in malicious code that takes control.
____________________________________________________________________________________

2. Memory Corruption

Old data that doesn’t go away
Sometimes, devices try to use memory that should no longer be accessible—data that’s been freed or reassigned. That leftover data can be hijacked to destabilize the system or even execute rogue operations.
____________________________________________________________________________________

3. Input Validation Failure

Not questioning input
Many systems assume that user input is safe. But attackers exploit this blind trust by inserting unexpected characters or commands—triggering attacks like SQL injection, cross-site scripting (XSS), path traversal, and CSRF.
____________________________________________________________________________________

4. Cross-Site Scripting (XSS)

The illusion of safe interfaces
Fields that seem harmless—like a search bar or login form—can be used to inject scripts. When those scripts run in the user’s browser, attackers can steal data or take over sessions as if they were the legitimate user.
____________________________________________________________________________________

5. Path Traversal

Exposed file paths
By manipulating file path inputs (e.g., using ../), attackers can reach outside intended folders and access configuration files, credentials, or even system-level operations that were never meant to be exposed.
____________________________________________________________________________________

6. SQL Injection

Invisible misuse of access
When systems don’t sanitize input sent to databases, attackers can inject commands that give them full control over stored data—reading, modifying, or deleting it without ever authenticating.
____________________________________________________________________________________

7. Cross-Site Request Forgery (CSRF)

When trust is used against you
A user logged into a trusted site can be tricked into performing actions they never intended—like transferring funds or changing settings—just by clicking a malicious link elsewhere.
____________________________________________________________________________________
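Path traversal (item 5 above) is the easiest of these classes to show in a few lines. The sketch below is an added example, not code from the NSA report or from TXOne; it assumes a hypothetical file-serving handler on a controller's web interface, with constructed directory and file names, and puts the unchecked join beside a containment check.

```python
import os
import tempfile
from pathlib import Path

def naive_resolve(base, requested):
    """Vulnerable form: joins untrusted input and never checks where it lands."""
    return Path(os.path.normpath(os.path.join(base, requested)))

def safe_resolve(base, requested):
    """Hardened form: canonicalise first, then require the result to stay under base."""
    root = Path(base).resolve()
    target = (root / requested).resolve()  # collapses ../ and follows symlinks
    # Compare path components, not string prefixes, so that a sibling such as
    # "recipes-secret" is not mistaken for a child of "recipes".
    if target != root and root not in target.parents:
        raise PermissionError(f"{requested!r} resolves outside {root}")
    return target

def demo():
    """Build a constructed directory tree and classify sample requests."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "recipes")
        secret = Path(tmp, "recipes-secret")
        base.mkdir()
        secret.mkdir()
        (base / "line1.csv").write_text("setpoint,42\n")
        (secret / "creds.txt").write_text("constructed\n")
        os.symlink(secret, base / "export")  # symlink that points out of base
        requests = [
            "line1.csv",                    # ordinary file
            "archive/../line1.csv",         # ../ that stays inside base
            "../recipes-secret/creds.txt",  # classic ../ escape
            "/etc/passwd",                  # absolute path replaces the base
            "export/creds.txt",             # escape through a symlink
        ]
        verdicts = {}
        for req in requests:
            try:
                safe_resolve(base, req)
                verdicts[req] = "allowed"
            except PermissionError:
                verdicts[req] = "blocked"
        escaped = naive_resolve(base, requests[2]).parent == secret
        return verdicts, escaped

if __name__ == "__main__":
    print(demo())
```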

These risks aren’t abstract. A 2022 academic proof-of-concept (EVIL PLC) showed how attackers could exploit these flaws to seize control of PLCs, overwrite engineering software, and disable industrial systems. The potential consequences of these OT cybersecurity compromises vary, but at the top of the list is the impact they would have on national security, potentially facilitating an act of terrorism. The six new NSA requirements are a direct response—engineered to close the device-level gaps that enable this class of attack.

It should be noted that compliance with ISA-62443-4-2 and the NSA’s new requirements hinges on two factors: the device must have the technical capability in its hardware or software to support the policy’s requirements, and the organization must have a well-written policy that requires and applies these capabilities. If a policy mandates encryption, but the device is incapable of implementing it, it’s ineffective. Conversely, if a policy doesn’t require encryption, that feature might stay disabled even if the device supports it.

 

What the New Requirements Actually Require

The NSA’s six new requirements for smart controllers aren’t meant to be optional enhancements—they’re targeted fixes for long-standing vulnerabilities at the device level. Each requirement addresses specific gaps identified through CVE data and conformance testing analysis. However, as noted above, the NSA’s new requirements are rooted in a conjunction of technical capability and policy. For many organizations, those technical capabilities may be out of reach. Below, we walk through each new rule and suggest solutions where possible.

1. CR 2.2 NSS RE(1): Disabling of Wireless Capabilities

Requirement: Components with wireless capabilities must support physical disablement and default-disabled state in software. If the device is capable of connecting wirelessly to a network, there must be the ability to physically turn off the wireless connection or the wireless connection must be disabled by default within the software.

Suggested Solutions:

  • EdgeIPS/EdgeFire: As noted in the NSA advisory, to fulfill this requirement, “organizations may prefer to utilize components that do not have built in wireless capabilities”. Edge is an inline-based solution, meaning that it is placed between OT assets and the rest of the network. This was specifically designed to be used within organizations that are mostly closed off to the Internet and wireless connections to minimize disruptions to operations. If Edge is utilized, compliance is assured by its architecture.
  • Benefit: Eliminates wireless attack vectors (e.g., MitM, IP spoofing) without needing configurable disablement; satisfies requirement by exclusion. More specifically, this reduces the risk of threat actors directly manipulating physical processes within the OT environment by gaining wireless access to sensors and final elements.

____________________________________________________________________________________

2. CR 2.2 NSS RE(2): Disabling of SSID Broadcast

Requirement: Wireless access points must have SSID broadcast disabled by default. If SSID broadcast is enabled, the SSID (as in, the network name) is being advertised by the wireless access point. This makes the network visible and detectable to nearby devices, including those of potential threat actors who may attempt to gain access.

____________________________________________________________________________________

3. CR 2.5 NSS RE(1): Use of Pattern-Hiding Displays Upon Session Lock

Requirement: Display-connected smart controllers must obscure screen contents during session lock (e.g., blank screen, clock) so that sensitive information isn’t on display for those in close proximity to view.

____________________________________________________________________________________

4. NSS CR(1): Restricted Use of Removable Media Devices

Requirement: Restrict the use of any unauthorized USB, SD cards, laptops, flash drives, external hard drives, etc., that may connect to the smart controller via logical or physical means. These devices can bypass traditional network security controls and—intentionally or inadvertently—introduce malware into OT environments. Malware, such as ransomware and viruses targeting industrial systems, can exploit vulnerabilities and spread rapidly, resulting in disruptions to operations, data breaches, or even physical harm.

Suggested Solutions:

  • Portable Inspector: The Portable Inspector (PI) provides storage secured by AES-256 encryption that can safekeep scanned files. It can function in air-gapped environments, needing no internet access to detect malware.
  • Stellar: As noted in our white paper, Securing Digital Manufacturing: The Essence of ISA/IEC 62443 Implementation, Stellar “possesses lockdown capabilities, supporting operational lockdowns, USB device lockdowns, data lockdowns, and configuration lockdowns to ensure endpoint operational integrity”. By enforcing lockdowns and permission-based file access, it can isolate and neutralize endpoints that have malware.
  • Benefit: Safe Port stops threats before they enter the environment, completely fulfilling the NSA requirement. Portable Inspector can be carried around and used when needed to scan devices, with no installation or internet connection needed. Stellar limits what removable media can access, and, if an endpoint is compromised, Stellar can quickly contain it, partially aligning with the requirement. This approach greatly reduces the risk of malware infiltration and mitigates potential damage should a device be compromised.

____________________________________________________________________________________

5. CR 4.1 NSS RE(1): Use of Cryptography to Protect Confidentiality

Requirement: Encrypt data in transit across all interfaces (internal and external), including wired and wireless communication channels, using all protocols such as routable protocols (e.g., TCP/IP) and serial communication (e.g., Modbus RTU). Regardless of the transmission method (e.g., cable or wireless), encryption must be supported. Data at rest must also be protected with encryption to prevent unauthorized access; this includes data stored on physical media, awaiting retrieval or use.

Suggested Solutions:

  • EdgeIPS/EdgeFire: In an ideal world, all traffic would be encrypted—as envisioned by the NSA. But in reality, much OT traffic remains unencrypted, oftentimes due to legacy systems or because of protocol constraints. EdgeIPS devices are placed between OT assets and the rest of the network. Defending assets at the network level, EdgeIPS can inspect, segment, and block malicious/unauthorized communication, safeguarding data even if it is unencrypted.
  • Portable Inspector: After scanning all the files on an asset, the PI offers the option of encrypting the files when they are stored in the PI’s removable storage.
  • Benefit: EdgeIPS can safeguard data in transit (information in transit) even if it is unencrypted. Portable Inspector uses encryption to safeguard data at rest (information at rest).

____________________________________________________________________________________

6. CR 4.3 NSS RE(1): Use of Approved Cryptographic Security Measures

Requirement: Use only NSA-approved cryptographic standards, such as those found in the Commercial National Security Algorithm (CNSA) suite and Federal Information Processing Standards (FIPS) 140-2 or newer to protect data in transit and at rest. Systems also need to develop and demonstrate cryptographic agility, which is the ability to transition to stronger algorithms as standards evolve. Deprecated algorithms (e.g., SSL, 3DES, SSH 1.0) must not be used.

Suggested Solutions:

  • Portable Inspector: As stated earlier, this device uses AES-256 hardware encryption, a FIPS-approved algorithm, to secure file transfer and scanning in sensitive or air-gapped environments.
  • Benefit: This solution complies with NSA cryptographic mandates, providing ample protection for both data integrity and confidentiality.
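Requirements 5 and 6 (CR 4.1 NSS RE(1) and CR 4.3 NSS RE(1)) can be checked together with a small configuration audit. This is an added example, not code from the NSA report or from TXOne. The `Channel` records, the inventory, and the match tokens are constructed assumptions, and the check covers only the deprecated families the requirement names, not full CNSA or FIPS validation. The policy is passed in as data so it can be tightened as standards change.

```python
import ssl
from typing import NamedTuple

# Deprecated families named in the requirement text; the match tokens are
# assumptions about how they appear in configs and OpenSSL cipher names.
DEPRECATED = {"SSL": ("ssl",), "3DES": ("3des", "des-cbc3"),
              "SSH 1.0": ("ssh 1.0", "sshv1")}

class Channel(NamedTuple):
    name: str        # hypothetical interface or storage label
    state: str       # "in transit" or "at rest"
    protection: str  # configured protocol/cipher, "" when none

def deprecated_hits(text, policy=DEPRECATED):
    """Return the deprecated families whose tokens occur in text."""
    low = text.lower()
    return [fam for fam, toks in policy.items() if any(t in low for t in toks)]

def audit(channels, policy=DEPRECATED):
    """Flag unencrypted channels (CR 4.1) and deprecated crypto (CR 4.3)."""
    findings = []
    for ch in channels:
        if not ch.protection:
            findings.append((ch.name, "CR 4.1", f"data {ch.state} is unencrypted"))
        for fam in deprecated_hits(ch.protection, policy):
            findings.append((ch.name, "CR 4.3", f"deprecated: {fam}"))
    return findings

def hardened_client_context():
    """TLS client context that refuses SSL/early TLS and non-AEAD 1.2 suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM")  # applies to TLS 1.2; TLS 1.3 suites are separate
    return ctx

def context_findings(ctx, policy=DEPRECATED):
    """Run the same policy over the suites the context would actually offer."""
    return [(c["name"], fam) for c in ctx.get_ciphers()
            for fam in deprecated_hits(f'{c["name"]} {c["protocol"]}', policy)]

# Constructed inventory for a hypothetical controller (not from the NSA report).
INVENTORY = [
    Channel("engineering port", "in transit", "TLS 1.3 / AES-256-GCM"),
    Channel("RS-485 Modbus RTU", "in transit", ""),
    Channel("legacy web HMI", "in transit", "SSLv3 / DES-CBC3-SHA"),
    Channel("maintenance shell", "in transit", "SSH 1.0"),
    Channel("config flash", "at rest", "AES-256"),
]

if __name__ == "__main__":
    print(audit(INVENTORY), context_findings(hardened_client_context()))
```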

____________________________________________________________________________________

While some organizations may be equipped to adopt the NSA’s new requirements, most are not. The cybersecurity threat landscape has evolved faster than many environments can adapt to. Implementing new technical mandates takes resources and sometimes significant infrastructure upgrades. Above all, it takes time. But time is running out, and waiting isn’t a safe option either. So, in the meantime, TXOne’s solutions offer practical mitigation: EdgeIPS/EdgeFire for network-layer hardening, Stellar for endpoint lockdown, Portable Inspector for secure storage, and Safe Port for centralized entry-point sanitization.

 

Conclusion

Taken together, these six NSA-mandated requirements signal a shift in how smart controllers and OT components are evaluated—not just by policy, but by whether the devices themselves can technically enforce those policies. But, while the NSA points to a clear path forward, not all organizations are in a position to take it right away. This guide breaks down what is required, and where TXOne can offer a parallel path—one that provides immediate risk reduction and mitigation strategies built for the realities of operational continuity.

TXOne Networks
