Adapting Zero Trust Principles to Operational Technology
Zero trust (ZT) offers a modern, adaptive approach to cybersecurity by eliminating implicit trust and continuously validating access based on identity, context, and risk. ZT principles assume a breach has already occurred and are designed to limit threat actor movement and potential damage. For operational technology (OT), applying ZT requires careful consideration because OT systems interact with the physical environment and are constrained by availability and safety requirements, as well as legacy technology with long lifespans.
The blanket application of traditional information technology (IT)-focused ZT capabilities to OT is neither reasonable nor feasible and requires continuous collaboration between OT engineers, IT architects, and cybersecurity professionals. This collaboration should include clear communication channels, joint development of policies and controls, and a shared understanding of both mission objectives and technical limitations.
Evolving Threat Landscape and the Need for Zero Trust
With advancements in technology and networking, OT systems that were traditionally isolated or manually controlled are becoming increasingly interconnected, digitally monitored, and remotely operated. This growing convergence between IT and OT expands the attack surface, introduces new attack vectors, and magnifies cybersecurity risks.
Improperly secured pathways create opportunities for threat actors to gain access to IT and OT networks. Once inside the IT network, threat actors, such as those conducting activity tracked publicly as Volt Typhoon, can escalate and maintain access by exfiltrating Active Directory credentials. Shared domains or credentials between IT and OT environments, once compromised, are one way for threat actors to move laterally into the OT network. Other threat actors have compromised trusted third-party vendor software updates, exploited supply chain weaknesses, and taken advantage of insecure and unrestricted remote access granted to vendors and operators to gain network access. Threat actors have also adopted living off the land (LOTL) techniques in IT networks while prepositioning to move to OT networks. If on the OT network, threat actors could then use OT-specific capabilities (see PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure for more information).
Threat actors increasingly demonstrate offensive capabilities against OT systems, using cyber-enabled means with the aim of compromising, manipulating, degrading, and disrupting the critical physical processes these systems control. Historical examples of this capability include malware packages designed and tailored for use in targeting OT and critical infrastructure systems, such as CrashOverride, Havex, BlackEnergy 2 and 3, Trisis, and Incontroller.
LOTL techniques—the abuse of native tools and processes on systems—obscure malicious behavior, making detection by traditional security tools more difficult. Security is further complicated by the decades-long lifecycle of OT equipment, with older components potentially lacking any security support. Cyber incidents in OT environments can cause operators to lose visibility or control of critical systems, potentially leading to catastrophic outcomes. This is because OT systems directly control physical processes—unlike IT systems, where impacts are often limited to data or service availability. As these environments evolve, traditional perimeter-based defenses and implicit trust models are no longer sufficient. Applying ZT principles can help close those gaps but only when adapted to fit OT’s operational realities.
Unique Constraints for Zero Trust in OT
Successfully applying ZT principles to OT requires careful consideration because OT systems interact with the physical environment, and there are inherent differences in system design, architecture, and unique mission-critical priorities. These differences typically emerge via constraints on availability, legacy systems, and different team structures.
Availability Requirements: Unlike IT systems, OT systems involve layers of sensors, actuators, logic solvers, and user interfaces that operate in real time to deliver physical products, services, or resources—often running continuously. These systems are engineered for high availability, reliability, and safety, making them less tolerant of disruptions or reconfiguration. Maintaining these availability requirements across decades-long lifecycles makes it challenging to support more agile security approaches.
Legacy Insecure Systems: The historical lack of security on legacy OT devices alongside their long lifecycle has resulted in inherent vulnerabilities, which threat actors increasingly exploit. Many legacy OT systems rely on proprietary, insecure protocols that can neither be actively scanned nor undergo routine penetration testing without risking critical uptime. Near-constant availability requirements limit opportunities for routine patching, security testing, system upgrades, and maintenance. While these environments often include built-in redundancies and failover capabilities, their design for continuous operation poses significant challenges to traditional cybersecurity practices.
Limited Logging: Logging and forensics capabilities are often minimal, limiting the effectiveness of traditional threat detection and response methods. Capturing OT-specific data sources (e.g., discrete event logs, engineering files, database queries, network, and process data) is essential for identifying threat actor activity and detecting anomalies before damage occurs.
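As an added illustration of why OT-specific data sources matter (this is example code, not part of the guidance), the following Python analyzer correlates a constructed discrete event log of setpoint writes with constructed process historian samples, flagging writes from hosts outside an engineering-workstation allowlist and process values that drift outside engineering limits after such a write. Host names, tag names, and limits are hypothetical.

```python
"""Added example: correlate OT discrete event logs with process data to surface anomalies."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data; hosts, tags and limits are hypothetical placeholders.
AUTHORIZED_ENG_HOSTS = {"ews-01"}           # workstations allowed to write setpoints
SAFE_BANDS = {"TANK1_LEVEL": (20.0, 80.0)}  # engineering limits per process tag

# Discrete event log entries: (timestamp, source host, action, tag, value)
EVENTS = [
    (100, "ews-01", "SETPOINT_WRITE", "TANK1_LEVEL", 60.0),
    (200, "hmi-07", "SETPOINT_WRITE", "TANK1_LEVEL", 95.0),  # unexpected source and value
]
# Process historian samples: (timestamp, tag, measured value)
SAMPLES = [
    (150, "TANK1_LEVEL", 61.0),
    (230, "TANK1_LEVEL", 84.0),
    (260, "TANK1_LEVEL", 91.0),
]


@dataclass
class Finding:
    ts: int
    kind: str
    detail: str


def analyze(events, samples, authorized=AUTHORIZED_ENG_HOSTS, bands=SAFE_BANDS) -> List[Finding]:
    """Return findings from an event log plus process samples, each in chronological order."""
    findings: List[Finding] = []
    last_write: Dict[str, Tuple[int, str, float]] = {}  # tag -> most recent setpoint write
    no_limit = (float("-inf"), float("inf"))
    for ts, host, action, tag, value in sorted(events):
        if action != "SETPOINT_WRITE":
            continue
        last_write[tag] = (ts, host, value)
        if host not in authorized:  # write from a host not on the engineering allowlist
            findings.append(Finding(ts, "unauthorized_write", f"{host} wrote {tag}={value}"))
        lo, hi = bands.get(tag, no_limit)
        if not lo <= value <= hi:  # requested setpoint itself violates engineering limits
            findings.append(Finding(ts, "setpoint_out_of_band", f"{tag}={value} outside {lo}-{hi}"))
    for ts, tag, measured in sorted(samples):
        lo, hi = bands.get(tag, no_limit)
        if not lo <= measured <= hi:  # physical process drifting out of its safe band
            src = last_write.get(tag)
            cause = f" after write by {src[1]} at t={src[0]}" if src and src[0] <= ts else ""
            findings.append(Finding(ts, "process_out_of_band", f"{tag}={measured}{cause}"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS, SAMPLES):
        print(f"t={f.ts} {f.kind}: {f.detail}")
```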
OT/IT Collaboration: Implementing ZT in OT environments requires cross-functional teams that can thoughtfully navigate the tradeoffs between security, availability, and operational constraints. Tailoring successful ZT solutions to the unique characteristics of OT environments requires continuous collaboration between OT engineers, IT architects, and cybersecurity professionals. This collaboration should include clear communication channels, joint development of policies and controls, and a shared understanding of mission objectives and technical limitations.