BLOG

Author
Denrich Sananda

Date
17-04-2026

OT Cybersecurity

Zero Trust for OT Networks: Why Your IT Security Model Will Not Work Here

Zero Trust has become the dominant security model in enterprise IT. The principle is straightforward: trust nothing by default, verify everything explicitly, and enforce least-privilege access at every connection. Major cloud providers, federal agencies, and Fortune 500 IT teams have spent the last five years building Zero Trust architectures. The tooling is mature. The playbooks are established.

Now that OT security has moved up the priority stack for industrial organizations, IT security leaders are being asked to extend Zero Trust into OT environments. The instinct is logical. The execution is not straightforward.

Zero Trust for OT is not the same exercise as Zero Trust for IT. The core principles apply, but the constraints of industrial control systems mean that every implementation decision requires a different answer than its IT equivalent. This post explains where those differences are, why they matter operationally, and how to build a Zero Trust program for OT that holds up in a real industrial environment.

 

64% of industrial organizations still lack adequate OT network monitoring, which is the foundational capability required before any Zero Trust control can be enforced. You cannot verify what you cannot see. The monitoring gap is the Zero Trust gap.

Source: SANS 2024 ICS/OT Cybersecurity Report

What Zero Trust Actually Means - And What It Does Not Mean

Zero Trust is an architecture philosophy, not a product. It was formalized by NIST in Special Publication 800-207 as a set of tenets for designing access control in environments where the traditional network perimeter cannot be trusted. The core tenets are:

 

  • Every access request must be authenticated and authorized: No implicit trust based on network location. A device inside the firewall is not automatically trusted.
  • Access is granted with least privilege: Users and systems receive only the access they need for a specific task, for a specific duration.
  • All sessions are monitored and logged: Anomalous behavior can be detected, and access can be revoked dynamically.
  • The environment is assumed to be already compromised: Security controls are designed to limit blast radius, not only to prevent initial access.

 

What Zero Trust is not: it is not a single platform; it is not achievable by deploying a single vendor's product suite; and it is not the same as network segmentation. Segmentation is a component of Zero Trust, but a segmented network where all internal traffic is implicitly trusted once inside the segment is not a Zero Trust architecture.

 

KEY

The most dangerous misapplication of Zero Trust in OT is treating it as a firewall project. Zero Trust is an access control philosophy. It requires identity, visibility, and policy enforcement across every connection - not just a stronger perimeter.

 

Why IT Zero Trust Principles Do Not Directly Transfer to OT Environments

Every Zero Trust principle that IT security teams apply daily runs into a specific operational constraint in OT. Understanding those constraints before designing your OT Zero Trust program is not a theoretical exercise - it is the difference between a security improvement and a production disruption.

 

For each Zero Trust principle: how it works in IT, and why it is different in OT.

Verify every user and device
  IT: MFA, identity provider, certificate-based auth on laptops and servers.
  OT: PLCs and RTUs often lack authentication capabilities. Identity must be enforced at the network perimeter, not the device.

Least-privilege access
  IT: Role-based access control, just-in-time provisioning via an IAM platform.
  OT: Vendor and engineering access is often broad, persistent, and managed outside any formal IAM system.

Assume breach
  IT: Endpoint detection and response (EDR), SIEM, and lateral movement detection.
  OT: EDR agents cannot run on most OT devices. Network-level anomaly detection is the primary visibility tool.

Micro-segmentation
  IT: Software-defined networking, VLAN isolation between workloads.
  OT: OT segmentation must not disrupt real-time control traffic. Changes require maintenance windows and operational validation.

Continuous verification
  IT: Behavioral analytics, adaptive access policies, and real-time re-authentication.
  OT: Continuous re-authentication disrupts deterministic control loops. Verification must be session-based, not packet-by-packet.


The OT entries in that comparison are not a list of reasons why Zero Trust cannot work in OT. They are a list of reasons why the implementation approach must be different. Every constraint has a practical workaround, but those workarounds require OT-specific expertise to be designed correctly.

The most common failure mode when IT teams lead OT Zero Trust deployments without OT expertise is enforcing controls that interrupt real-time communication between controllers and field devices. A PLC polling a sensor every 100 milliseconds does not tolerate authentication latency. A safety system cannot have its network access revoked mid-process because a behavioral analytics engine flagged an anomaly. These are not edge cases. They are the baseline operating conditions of industrial control systems.

 

RISK

The highest-risk Zero Trust deployment scenario in OT is applying IT micro-segmentation tools to OT networks without validating the impact on deterministic control traffic. The result is production downtime caused by the security team, not the attacker.

 

The Three Places Where Zero Trust Delivers the Most Value in OT - Right Now

Rather than attempting a full Zero Trust architecture transformation across an entire industrial facility simultaneously, the most effective approach is to identify the highest-leverage control points and enforce Zero Trust there first. In OT environments, those points are consistent across industries.

1. Remote Access - The Highest-Priority Zero Trust Control in OT

The single most common attack vector in OT incidents is remote access - VPN connections, vendor portals, and engineering remote desktop sessions that provide direct or near-direct access to OT networks from outside the facility. In most industrial organizations, this remote access is managed outside any formal identity or access governance program.

Zero Trust applied to OT remote access means: every remote session is brokered through a secure access gateway, every session is authenticated with MFA, access is scoped to specific assets for a specific time window, and every session is recorded. No persistent VPN connections. No standing access for vendors between maintenance visits.

This single control, enforcing Zero Trust at the remote access boundary, eliminates the most common entry point for ransomware and nation-state attacks on OT networks. It is achievable without touching field devices, and it does not require production downtime to implement.
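An added example, not code from the post or from Arista Cyber, of the brokered remote-access policy just described: MFA required, access scoped to named assets, a bounded time window, vendor sessions only inside an approved maintenance window, and every brokered session recorded and expiring. The identities, asset names, session limit and maintenance window are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed directory of who may reach which OT assets; the identities,
# asset names and limits are assumptions for this example, not a site's policy.
ACCESS_SCOPE = {
    "vendor-oem-01": {"PLC-LINE3", "HMI-LINE3"},
    "eng-alice": {"PLC-LINE1", "PLC-LINE2", "EWS-01"},
}
MAX_SESSION = timedelta(hours=4)  # no standing access: every session expires
# Approved maintenance windows per asset (constructed); vendors get access only inside one.
MAINTENANCE_WINDOWS = {
    "PLC-LINE3": (datetime(2026, 4, 17, 8, tzinfo=timezone.utc),
                  datetime(2026, 4, 17, 16, tzinfo=timezone.utc)),
}

@dataclass
class AccessRequest:
    identity: str
    asset: str
    mfa_verified: bool
    start: datetime
    end: datetime
    is_vendor: bool = False

@dataclass
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[datetime] = None
    record_session: bool = True  # every brokered session is recorded

def broker_request(req: AccessRequest) -> Decision:
    """Apply the remote-access checks in order: MFA, asset scope, time window, vendor window."""
    if not req.mfa_verified:
        return Decision(False, "MFA not completed")
    if req.asset not in ACCESS_SCOPE.get(req.identity, set()):
        return Decision(False, f"{req.identity} is not scoped to {req.asset}")
    if req.end <= req.start or req.end - req.start > MAX_SESSION:
        return Decision(False, "requested window is empty or exceeds the session limit")
    if req.is_vendor:
        window = MAINTENANCE_WINDOWS.get(req.asset)
        if window is None or req.start < window[0] or req.end > window[1]:
            return Decision(False, "vendor access requested outside an approved maintenance window")
    return Decision(True, "session brokered and recorded", expires_at=req.end)
```

A real gateway would also revoke the session at `expires_at` and write the recording reference into the audit log; the checks above are the policy it enforces before any session is opened.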

2. The IT/OT Boundary - Stopping Lateral Movement Before It Reaches the Plant Floor

The Level 3/4 boundary in the Purdue Model is where IT networks connect to OT operational systems. In most facilities, this boundary is controlled by a firewall - but the firewall rules are often overly permissive, undocumented, or both. Zero Trust at this boundary means enforcing least-privilege conduit controls: only the specific data flows required for operations (historian replication, patch distribution, remote monitoring) are permitted, and every flow is explicitly documented and monitored.

This is the control that would have contained the Colonial Pipeline incident. The IT network compromise did not directly attack OT systems - the operator shut down the pipeline because they lacked confidence that the IT/OT boundary was secure enough to prevent propagation. A Zero Trust IT/OT boundary, with verified conduit controls and real-time monitoring, provides that confidence.
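An added example, not code from the post or from Arista Cyber, of the least-privilege conduit check at the IT/OT boundary: documented conduits (historian replication, patch distribution, remote monitoring) are the allow-list, and every other cross-zone flow observed by the monitoring sensor is reported as undocumented. The same list is what Phase 3 of the roadmap acts on when removing undocumented IT/OT connections. Address ranges, ports, the log format and the flow records are constructed assumptions.

```python
import ipaddress
from collections import namedtuple
# Constructed zone map: which address ranges sit at which Purdue level.
# The prefixes, ports and conduits below are assumptions for this example.
ZONES = {
    "IT-L4": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ-L3.5": ipaddress.ip_network("10.3.5.0/24"),
    "OT-L3": ipaddress.ip_network("10.30.0.0/16"),
    "OT-L2": ipaddress.ip_network("10.20.0.0/16"),
}
# Documented conduits (src_zone, dst_zone, proto, dst_port, purpose): the only cross-zone flows operations needs.
CONDUITS = {
    ("OT-L3", "DMZ-L3.5", "tcp", 1433, "historian replication"),
    ("DMZ-L3.5", "OT-L3", "tcp", 8530, "patch distribution"),
    ("IT-L4", "DMZ-L3.5", "tcp", 443, "remote monitoring"),
}
# Constructed flow records in the shape a monitoring sensor might export.
SAMPLE_LOG = [
    "src=10.30.1.5 dst=10.3.5.10 proto=tcp dport=1433",  # historian replication
    "src=10.1.4.22 dst=10.20.7.3 proto=tcp dport=502",   # IT host talking Modbus to Level 2
    "src=10.20.7.3 dst=10.20.7.9 proto=tcp dport=502",   # control traffic inside Level 2
    "src=10.1.4.22 dst=10.30.1.5 proto=tcp dport=3389",  # RDP straight from IT into Level 3
]
Flow = namedtuple("Flow", "src dst proto dport")

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "UNKNOWN")

def parse_flow(line):
    fields = dict(part.split("=", 1) for part in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"], int(fields["dport"]))

def classify(flow):
    """'intra-zone', 'documented', or 'undocumented SRC->DST' for one flow."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src == dst:
        return "intra-zone"
    if any((s, d, p, port) == (src, dst, flow.proto, flow.dport) for s, d, p, port, _ in CONDUITS):
        return "documented"
    return f"undocumented {src}->{dst}"

def undocumented_flows(log_lines):
    """Every cross-zone flow with no documented conduit: the list Phase 3 acts on."""
    verdicts = [(line, classify(parse_flow(line))) for line in log_lines]
    return [(line, v) for line, v in verdicts if v.startswith("undocumented")]
```

Run against a full Phase 1 traffic baseline, the undocumented list becomes the work queue for tightening the boundary firewall; anything in it that operations cannot justify is removed rather than added to CONDUITS.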

3. Engineering Workstation and HMI Access - The Overlooked Internal Threat Surface

Engineering workstations at Level 2 are among the highest-risk assets in any industrial facility. They have direct access to PLCs and controllers, they are often connected to both OT and IT networks simultaneously, and they are frequently used by contractors and third-party integrators who are no longer actively engaged with the facility. Zero Trust applied to HMI and engineering workstation access means: application whitelisting to prevent unauthorized software execution, role-based access control to specific controllers and process areas, and session monitoring for privileged operations.

 

Zero Trust and the Purdue Model: How to Layer Both Without Conflict

A question that comes up consistently in OT security assessments: if we are already following the Purdue Model, do we still need Zero Trust? The answer is yes - and the two frameworks are complementary rather than competing.

The Purdue Model defines your network architecture - the zones, the levels, the segmentation boundaries. Zero Trust defines the access-control philosophy that governs what may cross those boundaries and under what conditions. Purdue without Zero Trust gives you a segmented network in which devices within each segment are implicitly trusted. Zero Trust without Purdue gives you an access control program with no underlying architecture to enforce it against.

The practical combination: use Purdue segmentation to define your zones and physical network boundaries. Apply Zero Trust principles to every cross-zone communication - meaning every connection from IT to OT, every remote access session, every vendor connection, and every engineering workstation session requires explicit authentication, authorization, and logging. IEC 62443 Security Level 2 requirements provide the technical specification for what those controls must include.

 

A Phased Zero Trust Implementation Roadmap for OT Environments

A full Zero Trust architecture for an industrial facility is an 18-24 month program. Attempting to achieve it in a single project is neither realistic nor necessary. The following phased approach delivers measurable risk reduction at each phase while building toward a complete program.

 

For each phase: focus area, key actions, and what it delivers.

Phase 1 (0-3 months): Visibility and asset inventory
  Key actions: Deploy OT network monitoring. Document all assets, communications, and remote access pathways.
  Delivers: Baseline of what is actually on the network - the prerequisite for every Zero Trust control.

Phase 2 (3-6 months): Remote access control
  Key actions: Replace persistent VPN connections with a secure access gateway. Enforce MFA and session recording for all vendor and engineering access.
  Delivers: Eliminates the most common Zero Trust failure point in OT - uncontrolled remote access.

Phase 3 (6-12 months): Zone enforcement and micro-segmentation
  Key actions: Define formal OT security zones. Enforce firewall rules that match documented conduit architecture. Remove undocumented IT/OT connections.
  Delivers: Lateral movement from a compromised IT endpoint cannot reach OT control systems.

Phase 4 (12-18 months): Identity and access governance
  Key actions: Implement privileged access management for OT. Enforce role-based access to HMIs and engineering workstations. Audit Active Directory for OT-connected accounts.
  Delivers: Every human and system connection to OT is accountable, time-limited, and auditable.


Each phase is independently valuable. An organization that completes Phase 1 and Phase 2 - visibility and remote access control - has addressed the two most common attack vectors against OT environments. Phase 3 and Phase 4 build depth. The order matters: you cannot enforce access policies for assets you have not inventoried, and you cannot micro-segment traffic you do not understand.

 

Industry-Specific Zero Trust Considerations for North American Operators

Manufacturing

In manufacturing environments, the remote access control phase typically reveals a significant number of undocumented vendor connections left open between maintenance visits. Establishing a formal secure access gateway and retiring persistent VPN access for third-party OEMs and integrators is the highest-value first step. Engineering workstation access governance is particularly important in facilities where contract engineers routinely connect personal laptops to OT networks.

Energy and Utilities

Electric utilities operating under NERC CIP already have Electronic Access Control requirements that map closely to Zero Trust remote access controls. The gap typically lies in access granularity: NERC CIP requires control of remote access to critical cyber assets, but Zero Trust enforces least-privilege and session recording at a level that most current NERC CIP implementations do not achieve. Moving from NERC CIP compliance to a Zero Trust posture at the IT/OT boundary is the most practical upgrade path for utility operators.

Oil and Gas

Pipeline and upstream operators face a specific Zero Trust challenge: geographically distributed assets that communicate via public networks. RTUs at remote wellheads or compressor stations cannot be placed behind a corporate-managed secure access gateway, as an HMI in a central control room can. Zero Trust for these environments requires encrypted communication tunnels, certificate-based device authentication at the RTU level when supported, and anomaly detection at the SCADA server to identify communication patterns that deviate from established baselines.
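An added example, not code from the post or from Arista Cyber, of the SCADA-side anomaly detection the paragraph describes: a per-RTU baseline learned during monitoring (the peer it talks to, the Modbus function codes seen, and the poll interval) is compared with new observations, and any unexpected peer, unexpected function code, or drift in poll cadence is reported. The RTU name, addresses, baseline values and observations are constructed assumptions.

```python
from statistics import mean

# Constructed baseline from the Phase 1 monitoring period: for each RTU, the
# SCADA server it talks to, the Modbus function codes seen, and the poll
# interval in seconds. Device names and values are assumptions for this example.
BASELINE = {
    "rtu-wellhead-07": {"peer": "10.50.0.2", "function_codes": {3, 4}, "interval": 10.0},
}

# Constructed observations: (timestamp in seconds, peer IP, Modbus function code).
# NORMAL is read-only polling at the baseline cadence; SUSPECT adds an unknown
# peer issuing function code 16 (Write Multiple Registers) between polls.
NORMAL = [(0, "10.50.0.2", 3), (10, "10.50.0.2", 4), (20, "10.50.0.2", 3), (30, "10.50.0.2", 4)]
SUSPECT = [(0, "10.50.0.2", 3), (2, "10.50.0.9", 16), (4, "10.50.0.9", 16), (10, "10.50.0.2", 4)]

def check_rtu(rtu_id, observations, tolerance=0.5):
    """Return the deviations of one RTU's traffic from its baseline.
    A deviation is an unexpected peer, an unexpected function code, or a mean
    poll interval more than tolerance (a fraction) away from the baseline."""
    base = BASELINE[rtu_id]
    alerts = []
    for ts, peer, fc in observations:
        if peer != base["peer"]:
            alerts.append(f"{rtu_id}: unexpected peer {peer} at t={ts}")
        if fc not in base["function_codes"]:
            alerts.append(f"{rtu_id}: unexpected function code {fc} at t={ts}")
    gaps = [b[0] - a[0] for a, b in zip(observations, observations[1:])]
    if gaps and abs(mean(gaps) - base["interval"]) > tolerance * base["interval"]:
        alerts.append(f"{rtu_id}: mean poll interval {mean(gaps):.1f}s deviates from {base['interval']}s")
    return alerts
```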

 

BOTTOM LINE

Zero Trust for OT is achievable. It requires a different implementation approach than IT Zero Trust - one that accounts for legacy device constraints, deterministic communication requirements, and operational availability requirements. Start with visibility and remote access control. Build from there. Each phase reduces your exposure to attack vectors actively targeting North American industrial infrastructure in 2026.

 

About Arista Cyber

Arista Cyber designs and implements Zero Trust architectures for industrial environments across North America and Europe. Our OT security engagements are built around the operational realities of the facilities we protect - not IT security playbooks applied without regard to production constraints.

 

Frequently Asked Questions - Zero Trust for OT and ICS

Can Zero Trust be applied to legacy OT devices that lack authentication capabilities?

Yes, but the Zero Trust control must be enforced at the network level rather than the device level. A PLC that predates modern authentication cannot be retrofitted with identity-based access control. Instead, Zero Trust is applied at the conduit: the firewall or network gateway controlling access to the zone where that PLC resides, which enforces authentication and least-privilege access on behalf of the device. The device itself does not need to change.

How does Zero Trust for OT relate to NERC CIP compliance?

NERC CIP establishes mandatory access control requirements for critical cyber assets in the North American bulk electric system. Zero Trust is a more comprehensive access-control philosophy that typically exceeds NERC CIP requirements in several areas, particularly session monitoring, just-in-time access provisioning, and lateral-movement detection. Organizations that implement a Zero Trust program for OT will generally be in a stronger position for NERC CIP compliance, as Zero Trust enforces the access-control intent behind CIP standards at a more granular level.

What is the biggest mistake industrial organizations make when starting a Zero Trust program for OT?

Starting with technology selection rather than asset visibility. Organizations that purchase a Zero Trust platform before completing an OT asset inventory and a network traffic baseline are enforcing policies based on an incomplete picture of their environment. Undocumented assets, unknown communication pathways, and informal vendor access channels will not be covered by whatever policy the platform enforces. The correct sequence is always: see everything first, then enforce policy.

How long does it take to implement Zero Trust remote access controls for OT?

Replacing persistent VPN access with a secure access gateway for OT remote access typically takes eight to twelve weeks for a single facility - including deployment, user onboarding, vendor communication, and validation testing. The timeline is longer if the organization has a large number of active vendor relationships to migrate to the new access model. This is the highest-value Zero Trust control and one of the most achievable in a short timeframe.