The joint report addresses cybersecurity challenges for legacy infrastructure and physical safety requirements in facility and industrial systems.
The Cybersecurity and Infrastructure Security Agency, the Department of War, and the Department of Energy released a joint guide on adapting zero trust principles to operational technology (OT).
The document, developed with support from the Federal Bureau of Investigation and the Department of State, provides strategies for applying security frameworks to systems that interact with the physical environment, such as building automation, physical access control, and industrial systems.
Applying zero trust to OT requires specific considerations because these systems are often constrained by safety requirements and legacy technology with long lifespans, according to the agencies. The guide notes that the “blanket application” of traditional information technology (IT) capabilities to OT is neither reasonable nor feasible.
“Successful implementation requires a holistic approach, adaptation of [zero trust] principles to the specific characteristics of each OT environment, and strong collaboration between IT, OT, and cybersecurity teams,” says the report.
Addressing Unique Constraints
The agencies identified several factors that distinguish OT from IT, including high availability requirements and the presence of legacy insecure systems. Many older OT components rely on proprietary protocols that cannot be actively scanned without risking downtime.
To address these challenges, the guide suggests “establishing comprehensive asset visibility” through passive monitoring. This allows organizations to understand their systems and communications without disrupting critical processes.
The guide also emphasizes the importance of governance and procurement. Strategic procurement can facilitate a transition away from legacy infrastructure by selecting newer components that support security logging and secure communication protocols.
Layered Security and Access Management
Network segmentation remains a primary defense for OT environments. The guide recommends treating segmentation as a dynamic, enforceable policy rather than a one-time architectural decision. Microsegmentation can further isolate specific assets, such as separating control systems from safety systems.
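The two recommendations above, passive asset visibility and segmentation treated as an enforceable policy, fit together naturally: the flows a passive collector observes are exactly the evidence against which a zone policy can be checked. The following is an added illustration, not code from the guide or the agencies, and the zone addressing, the allowed-path table and the flow records are all constructed assumptions. It labels hosts by the OT protocols they are seen serving (Modbus/TCP on 502, DNP3 on 20000, EtherNet/IP on 44818, BACnet/IP on 47808, S7comm on 102) without sending a single probe, then evaluates each observed flow against the declared zone-to-zone policy and reports what crosses a boundary it should not, including the control-to-safety case the guide singles out.

```python
"""Passive OT asset inventory plus segmentation-policy check over observed flows.

Added example (not from the guide): zones, policy and flows below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Well-known OT application ports used to label what a host appears to serve.
# Labels are inferred from traffic the collector saw; nothing is probed.
OT_SERVICES = {
    502: "modbus-tcp",
    20000: "dnp3",
    44818: "ethernet-ip",
    47808: "bacnet-ip",
    102: "s7comm",
}

# Assumed zone layout (constructed addressing for the example).
ZONES = {
    "it_corp": ip_network("10.1.0.0/16"),
    "ot_dmz": ip_network("10.10.0.0/24"),
    "control": ip_network("10.20.0.0/24"),
    "safety": ip_network("10.30.0.0/24"),
}

# Segmentation policy as data: (source zone, destination zone) pairs that may talk.
# Anything not listed is a violation, so control -> safety is denied by default.
ALLOWED_PATHS = {
    ("it_corp", "ot_dmz"),
    ("ot_dmz", "control"),
    ("control", "control"),
    ("safety", "safety"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class Asset:
    zone: str
    services: set = field(default_factory=set)  # protocols this host was seen serving
    peers: set = field(default_factory=set)     # hosts it exchanged traffic with


def zone_of(ip: str) -> str:
    """Map an address to its declared zone, or 'unknown' if it matches none."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def build_inventory(flows):
    """Derive an asset list purely from observed flows (no active scanning)."""
    inventory = {}
    for f in flows:
        for ip in (f.src, f.dst):
            inventory.setdefault(ip, Asset(zone=zone_of(ip)))
        if f.dport in OT_SERVICES:
            inventory[f.dst].services.add(OT_SERVICES[f.dport])
        inventory[f.src].peers.add(f.dst)
        inventory[f.dst].peers.add(f.src)
    return inventory


def check_segmentation(flows):
    """Return (flow, (src_zone, dst_zone)) for every flow the policy does not allow."""
    violations = []
    for f in flows:
        path = (zone_of(f.src), zone_of(f.dst))
        if path not in ALLOWED_PATHS:
            violations.append((f, path))
    return violations


# Constructed flow records, shaped like what a SPAN-port or flow-export collector emits.
OBSERVED = [
    Flow("10.1.5.20", "10.10.0.5", 3389, "tcp"),     # engineer workstation -> DMZ jump host
    Flow("10.10.0.5", "10.20.0.11", 502, "tcp"),     # jump host -> PLC (allowed path)
    Flow("10.20.0.12", "10.20.0.11", 502, "tcp"),    # HMI -> PLC inside the control zone
    Flow("10.1.5.20", "10.20.0.11", 502, "tcp"),     # workstation -> PLC directly, bypassing the DMZ
    Flow("10.20.0.11", "10.30.0.7", 502, "tcp"),     # PLC -> safety controller, crossing the safety boundary
    Flow("10.20.0.12", "10.20.0.30", 47808, "udp"),  # HMI -> BACnet controller
]

if __name__ == "__main__":
    for ip, asset in sorted(build_inventory(OBSERVED).items()):
        print(f"{ip:12} zone={asset.zone:8} serves={sorted(asset.services)}")
    for f, path in check_segmentation(OBSERVED):
        print(f"VIOLATION {f.src} -> {f.dst}:{f.dport}/{f.proto} crosses {path[0]} -> {path[1]}")
```

Two design points carry over to real deployments: the inventory is built only from traffic that already exists on the wire, so it is safe for legacy components that cannot tolerate scanning, and the policy lives in a data table that the same check can re-read after every change, which is what makes segmentation a continuously enforced rule rather than a one-time drawing.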
For remote access, the agencies recommend using dedicated, hardened jump hosts within a demilitarized zone. These hosts should require multifactor authentication and undergo continuous monitoring.
Identity, credential, and access management (ICAM) must also be tailored to operator workflows. The guide cautions against directly connecting IT and OT ICAM systems, suggesting instead that organizations maintain network isolation to reduce cross-domain risk.
Incident Response and Recovery
Because zero trust assumes a breach has already occurred, the guide highlights the need for tailored incident response and recovery plans. Change management in these environments must follow “rigorously governed procedures” rooted in safety and engineering checks.
Recovery efforts should prioritize backups of operating system configurations, application software, and engineering logic. The agencies recommend that organizations maintain up-to-date standby systems that can be deployed as hot swaps during outages.
“By applying [zero trust] to OT, organizations can significantly enhance the security and resilience of their OT environments, from industrial control systems to facility automation,” says the report.