
NIST Seeks Industry Input on Major SP 800-82 Revision for Operational Technology Security


Prayukth K V

January 26, 2026

NIST has started the process of revising SP 800-82, Guide to Operational Technology (OT) Security, to address changes in the threat landscape and to align with relevant NIST guidance (e.g., Cybersecurity Framework (CSF) 2.0, NIST IR 8286 Rev. 1, NIST SP 800-53 Rev. 5.2.0) and with OT cybersecurity standards and practices.

NIST has invited everyone to suggest improvements to the document’s effectiveness and relevance. The window for receiving comments closes on February 23, 2026. Comments can be submitted to sp800-82rev4@nist.gov with the subject “Comments on SP 800-82.”

In today’s blog we look at the SP 800-82 revisions and examine in depth the changes proposed and their implications.

Before we move forward, don’t forget to check out our previous blog post titled “A report on the McDonald’s India breach,” here.

Now let’s get back to the post.

Background

SP 800-82 Revision 4 represents something more than an incremental update, and we need to be clear about this. The new revision is an attempt at fundamentally altering our approach to operational technology security in an era where the threat landscape evolves faster than our patch cycles. The world of OT security has transformed significantly since the last major revision. We have witnessed ransomware gangs targeting water treatment facilities, threat actors recruiting insiders, nation-state actors embedding themselves inside electric grids, and supply chain compromises that make SolarWinds look like a dry run.

NIST has not just acknowledged these changes but has made an attempt to keep pace with them.

What are the key changes proposed?

Sector-specific guidance: Context matters

The proposed expansion to cover building automation systems, transit systems, and maritime operations is a welcome move. For as long as we can remember, OT security guidance has treated a pharmaceutical manufacturing plant in the same manner as a power substation. This is at a time when threat actors are working to build custom malware and expand their targeting efforts through victim-specific strategies and tactics.

Consider maritime systems, for instance. This sector alone presents a unique set of challenges, from satellite communications and vessel-to-shore connectivity to an international regulatory patchwork. Can you imagine operational environments where "just reboot it" isn't an option? 200 miles offshore, if you are thinking of rebooting anything, you are putting lives at risk. The fact that NIST is asking everyone to tell them which verticals to prioritize tells us a lot about how we are moving beyond a one-size-fits-all approach to security, and this is a great development for everyone across sectors involved in securing OT systems.

If you work in building automation, transit, or maritime, this is your chance to be vocal and share inputs on what your operational reality looks like. So don’t forget to submit those comments, and be specific, with real-world incidents wherever possible. For instance, tell them about that time your security update bricked the HVAC controller in a data center. You can even talk about how coordinated vulnerability disclosure timelines meant nothing when your vessel was in the middle of a 60-day voyage near the Drake Passage.

Emerging technologies: Acknowledging the Elephant(s) in the room

The document's proposed coverage of behavioral anomaly detection, digital twins, AI/ML, zero trust, cloud, 5G, and edge computing aligns more closely with new realities. These technologies promise revolutionary improvements in OT security visibility and response but also introduce entirely new attack surfaces.

Consider digital twins for instance. Creating a virtual replica of your physical process for testing and simulation sounds relevant and useful until you realize you have just created a perfect attack planning laboratory for adversaries who gain access to it. Decoy environments have to be conceptualized in a manner that takes into account all types of security risks and scenarios.   

Or take zero trust in OT environments. The concept is sound, but implementing continuous verification in systems where a 50-millisecond delay can cause all types of physical damage requires a finesse that most IT-centric zero trust frameworks completely ignore.

Most OT environments are still struggling with basic levels of network segmentation (or even hygiene). Thus, all types of projects designed to improve OT security should take into account the unique threat surface that results from the interactions of technologies in addition to standalone risks.

Living Cyber Threat Intelligence

Moving threat sources, vulnerabilities, and incident information to dynamic web resources is, in my opinion, the most pragmatic move in the entire proposal. The current model, wherein OT cyber threat intelligence is frozen in time (the moment a document is published), creates a dangerous disconnect between guidance and reality.

In the real world, we need that cyber threat intelligence integrated into our reference frameworks immediately and not in the next three-year revision cycle. The OT threat landscape evolves in days and weeks and not years. But this also brings another challenge to the surface. How will NIST maintain the authority and rigor of these dynamic resources? The value of SP 800-82 has always been its thoroughness, clear articulation and reliability. Trading timeliness for decreased quality would be a devastating miscalculation.

The OT overlay now gets its own little address

Separating the OT overlay from the main document recognizes an important reality. In today’s complex OT world, organizations need flexible, modular guidance they can mix and match based on their specific circumstances, risk exposure and priorities. An overlay that maps OT-specific considerations to NIST's broader cybersecurity framework deserves room to breathe and evolve independently.

This modularity also makes updates way more manageable. When the Cybersecurity Framework releases version 3.0 (and we all know it will), the overlay can be updated without requiring a complete SP 800-82 overhaul.

Ruthless prioritization

NIST's willingness to consider removing outdated material is welcome as well. Too many security frameworks become archaeological digs that eclipse good current guidance and add layers of irrelevant material that make the standards bulkier.

So what should go? Any prescriptive technical controls that assume network architectures from 2010. Any discussion of security technologies that treats wireless as exotic and unusual. Any assessment methodology that doesn't account for cloud-connected OT devices, new operational realities or remote access requirements that became permanent post-pandemic.

You need to understand the subtext

Reading between the lines, this revision signals NIST's recognition that OT security has arrived at an inflection point.  

The proposed alignment with CSF 2.0, NIST IR 8286 Rev. 1, and SP 800-53 Rev. 5.2.0 isn't just bureaucratic housekeeping. It is an acknowledgment that OT risk has to be integrated into enterprise risk management. Your SCADA network isn't a special snowflake that exists outside your organization's risk framework. It is a critical component that must be assessed, managed, and governed with the same rigor as your financial systems.

So what can you do?

If you are an OT security practitioner: Read the current SP 800-82 Rev. 3 with a fresh pair of eyes. Identify what works, what doesn't, and what's missing. Submit your feedback well before February 23, 2026. Be specific. Include real-world scenarios. NIST wants to hear from people doing the actual work, not just AI-powered consultants recycling generic best practices.

If you are an OT security vendor (like us): This revision will influence procurement requirements, compliance frameworks, and customer expectations for the next decade. Understanding where NIST is headed gives you a roadmap for product development and positioning. In case you want to sit down over some coffee with us to discuss the new draft, you are more than welcome.

If you're a CISO or risk officer: Start thinking about how the integration of OT into enterprise cybersecurity frameworks will affect your governance structures, staffing models, and resource allocation. The days of treating OT as someone else's problem are officially over. This will give you a head start in understanding how you can begin the process of compliance with the new set of standards.

Some of the questions we should ask

Will this revision finally bridge the gap between theoretical security and operational feasibility? Will it provide actionable guidance for organizations that can't afford dedicated OT security teams? Will it acknowledge the economic realities that prevent wholesale replacement of decades-old equipment?

The success of SP 800-82 Rev. 4 won't be measured by its comprehensiveness or its alignment with other frameworks. It will be measured by whether a water utility engineer in a small town can use it to make better security decisions, whether a manufacturing plant can implement its guidance without shutting down production, and whether it helps organizations defend against real threats rather than theoretical ones.

Final thoughts

This pre-draft call for comments represents a rare opportunity to influence guidance that will shape OT security for years to come. NIST is genuinely asking for input, not just performing regulatory theater. The OT security community has spent years complaining that frameworks don't understand our unique challenges. This is our chance to fix that.

The deadline to share your comments is February 23, 2026, so add this date to your calendars. Use the time wisely to think about and share relevant inputs. Be specific. Share your war stories from the trenches. Explain why certain approaches work or don't work in your environment. This is how we move from security theater to security reality.

When a framework assumes that you can just patch and reboot a process controller running a chemical plant, we all know how that ends. Let us make sure the next version of SP 800-82 reflects the world we actually work in, not the one someone imagines from behind a purple desk.
