Decoding the latest CISA advisory on Zero Trust for Operational Technology

Team Zero Trust

The recent CISA advisory, "Adapting Zero Trust Principles to Operational Technology," released yesterday, marks a pivotal shift in how we defend Industrial Control Systems (ICS) from emergent attacks. With the rise in risks to key systems, the lack of deep visibility into asset behavior, the presence of unpatched vulnerabilities, insider threats and compliance challenges, the to-do list of CISOs is growing each day.

The latest guidance from CISA supports OT owners and operators in addressing the unique challenges of transitioning to a true Zero Trust architecture while taking into account the technology gaps linked to legacy infrastructure, functional and operational constraints, and safety requirements. It focuses on establishing comprehensive asset visibility, proactively addressing supply chain risks, and implementing robust identity and access management. The guidance stresses the importance of putting in place layered security measures, including network segmentation, secure communication protocols, and proactive vulnerability management.

In today’s blog, I have made an attempt to synthesize this essential guidance into a definitive resource for leadership and engineering teams.

Before we move forward, don’t forget to check out our last blog post on Privileged Access Management in OT environments here.

An essential shift: From perimeters to policies

The 2026 CISA advisory clarifies that Zero Trust (ZT) is not a single product but a data-centric security model. In OT, this means moving away from "implicit trust" based on being inside a physical plant network and moving toward "explicit verification" for every process-level interaction.

Advisory highlights

Zero Trust in OT ≠ lift-and-shift from IT

  • The advisory emphasizes that OT environments require adaptation, not replication, of IT Zero Trust.
  • Safety, availability, and deterministic operations override confidentiality-first IT models.
  • The result is risk-informed, operationally safe Zero Trust, not aggressive enforcement.

“Never trust, always verify” is still applicable, but...

  • The core principle remains intact: no implicit trust for users, devices, or systems. However, enforcement must consider:
    • Legacy PLCs and HMIs
    • Non-patchable assets
    • Intermittent connectivity
  • This leads to compensating controls rather than direct enforcement.

Asset visibility is the foundation (critical gap in OT)

  • You cannot implement Zero Trust without a complete asset inventory: devices, firmware, protocols, data flows.
  • OT environments typically lack this baseline, which is the biggest barrier to adoption.
  • This aligns with broader Zero Trust guidance: visibility precedes enforcement (AppGate).

Strong emphasis on network segmentation (micro-segmentation for OT)

  • Flat OT networks are a major risk.
  • Key recommendations:
    • Zone-based segmentation (ISA/IEC 62443 aligned)
    • Gradual move toward micro-segmentation / least-privilege communication paths
  • Objective: contain lateral movement and reduce blast radius.

Identity is hard in OT and must expand beyond users

  • OT requires identity for:
    • Machines (PLCs, RTUs)
    • Applications
    • Service accounts
  • Not just human IAM but device IAM.
  • Continuous authentication is ideal, but often replaced with:
    • Network-level controls
    • Device profiling

Prioritize least privilege

  • Principle: only allow required communication and access.
  • Reality: many OT systems require broad trust relationships.
  • Approach:
    • Start with critical assets (“crown jewels”)
    • Apply least privilege incrementally

Zero Trust in OT is a phased journey (not a big-bang program)

  • The guide stresses incremental adoption.
  • This aligns with CISA maturity thinking.

Continuous monitoring & anomaly detection are essential controls

  • Because enforcement is limited in OT, detection becomes as important as prevention.
  • Focus areas:
    • East-west traffic monitoring
    • Protocol-aware anomaly detection
  • This is where OT NDR platforms become critical.

Legacy systems require “compensating Zero Trust controls”

  • Many OT assets cannot support MFA, agents, or encryption.
  • Therefore, use external enforcement layers:
    • Jump hosts / bastions
    • Industrial firewalls
    • Secure remote access gateways
  • Think: Zero Trust enforced around assets, not within.

Governance, safety, and engineering alignment are non-negotiable

  • OT Zero Trust is not just cybersecurity: it requires engineering, operations and safety teams.
  • Any control must:
    • Avoid downtime
    • Preserve deterministic behavior
  • Strong push toward cross-functional governance models.

The strategic takeaway

This guidance essentially reframes Zero Trust in an OT context as a risk-managed containment and visibility strategy rather than a strict identity enforcement model.

For someone building OT SOC / services, the implications are clear:

  • Lead with asset visibility + detection engineering
  • Position segmentation as risk reduction, not compliance
  • Sell Zero Trust as operational resilience, not just security

The five pillars adapted for OT

CISA’s Zero Trust Maturity Model (ZTMM) 2.0 serves as the skeleton, but the 2026 OT-specific guidance adds critical "operational safety" layers:

  • Identity: Moving beyond usernames to Non-Person Entities (NPEs). Every PLC, sensor, and gateway must have a cryptographically verifiable identity.

  • Devices: Continuous posture assessment. If an engineering workstation (EWS) shows a patch mismatch or unexpected software, its access to the safety controller is revoked instantly.

  • Networks: Transitioning from simple VLANs to micro-segmentation. We are now isolating specific "conduits" between functional zones (e.g., separating the HMI from the SIS).

  • Applications/Workloads: Securing the "East-West" traffic. This involves protecting the proprietary industrial protocols (like Modbus/TCP or CIP) from unauthorized command injection.

  • Data: The most critical pillar. Protecting the "integrity" of sensor data is now prioritized over "confidentiality" to prevent physical process manipulation.

The fine points: OT-specific hurdles

Implementing ZT in a refinery or power plant isn't like doing it in a branch office. The advisory highlights three "silent killers" of OT ZT projects:

  1. Protocol Fragility: Many legacy OT protocols do not support encryption or modern authentication. CISA recommends Zero Trust Proxies or Unidirectional Gateways to "wrap" legacy traffic in a secure identity-aware tunnel.

  2. Safety vs. Security Conflict: Traditional ZT might "block by default" if an MFA prompt fails. In OT, blocking a safety-critical command can lead to an explosion. The guidance introduces "Fail-to-Open" policies for specific emergency safety functions.

  3. The "Push-Only" Requirement: The 2026 guide heavily emphasizes a push-only architecture. Data should move from High-Trust (OT) to Low-Trust (IT/Cloud) via hardware-enforced one-way links to eliminate unsolicited inbound paths.

The CISO’s action plan (90-day roadmap)

Phase      | Focus                        | Key Deliverable
Days 1-30  | Asset Visibility & Inventory | Create a verified "Source of Truth" for every IP and serial device. You cannot protect what you cannot see.
Days 31-60 | Identity Mapping             | Phase out shared "Admin" passwords on HMIs. Implement hardware-backed identities (e.g., PKI) for critical controllers.
Days 61-90 | Micro-segmentation Pilot     | Isolate one non-critical process loop. Test the "Assume Breach" logic by simulating a compromised EWS and ensuring it cannot reach other loops.
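The Days 61-90 acceptance test can be expressed as a reachability check over an ISA/IEC 62443-style zone-and-conduit allowlist. The following is an added example, not code from the post or from CISA; the asset names, zones and conduits are hypothetical, and the same check is run against a flat network to show why the pilot matters.

```python
from collections import deque

# Constructed zone model for the pilot (hypothetical names): two process
# loops, a safety zone, a supervisory level holding the EWS and HMI, a site
# level, and the corporate IT zone.
ASSETS = {
    "ews-01": "L2-supervisory",
    "hmi-01": "L2-supervisory",
    "plc-loopA": "L1-loopA",
    "plc-loopB": "L1-loopB",
    "sis-01": "L1-safety",
    "historian": "L3-site",
    "erp-app": "IT-corp",
}

# Conduits are an explicit allowlist of (source zone, destination zone,
# protocol); anything not listed is denied. This is the segmented pilot policy.
SEGMENTED_CONDUITS = {
    ("L2-supervisory", "L1-loopA", "modbus/tcp"),  # EWS/HMI reach loop A only
    ("L1-loopA", "L3-site", "opc-ua"),             # push-only toward site level
    ("L1-loopB", "L3-site", "opc-ua"),
    ("L3-site", "IT-corp", "https"),               # push-only toward IT
}

# The flat network the pilot replaces: every zone may initiate to every other.
ZONES = set(ASSETS.values())
FLAT_CONDUITS = {(a, b, "any") for a in ZONES for b in ZONES if a != b}


def reachable_assets(conduits, compromised):
    """Assume breach of `compromised` and walk the conduit allowlist to find
    every asset it could initiate a connection to, directly or via a hop."""
    seen_zones = {ASSETS[compromised]}
    queue = deque(seen_zones)
    while queue:
        zone = queue.popleft()
        for src, dst, _proto in conduits:
            if src == zone and dst not in seen_zones:
                seen_zones.add(dst)
                queue.append(dst)
    return {a for a, z in ASSETS.items() if z in seen_zones and a != compromised}


def pilot_passes(conduits, compromised="ews-01",
                 protected=("plc-loopB", "sis-01")):
    """Acceptance test: a compromised EWS must not be able to reach the other
    process loop or the safety controller."""
    return not (reachable_assets(conduits, compromised) & set(protected))
```

Assets in the EWS's own zone (here the HMI) remain reachable, which is the gap a later micro-segmentation step would close.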

Measuring success: OT Zero Trust KPIs

To report progress to the Board, move away from "number of blocked attacks" and toward resilience metrics:

  • Reduction in Attack Surface: Percentage of OT assets that no longer have a direct "unsolicited inbound" path from the IT network. (Target: >85%).

  • Mean Time to Contain (MTTC): If an asset is compromised, how long does the ZT policy take to isolate that specific micro-segment? (Target: <5 minutes).

  • Identity Coverage: Percentage of OT-to-OT communications that are authenticated via NPE identities rather than implicit IP-based trust.

  • Process Uptime During Security Updates: Measuring if ZT policy changes caused any unintended downtime. (Target: 0 unplanned outages).
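The first and third KPIs above can be computed directly from the flow records an OT NDR platform exports. The following is an added example, not code from the post; the flow records, asset names and zones are constructed, and "ip-implicit" is the label assumed for flows permitted only by a source-address firewall rule.

```python
# Constructed flow records (hypothetical names): initiator, zones on both
# ends, and how the destination authenticated the initiator. "ip-implicit"
# means the only "identity" involved was a source address in a firewall rule.
FLOWS = [
    {"src": "ews-01", "src_zone": "L2-supervisory", "dst": "plc-loopA",
     "dst_zone": "L1-loopA", "auth": "x509-device-cert"},
    {"src": "hmi-01", "src_zone": "L2-supervisory", "dst": "plc-loopA",
     "dst_zone": "L1-loopA", "auth": "ip-implicit"},
    {"src": "plc-loopB", "src_zone": "L1-loopB", "dst": "historian",
     "dst_zone": "L3-site", "auth": "opcua-app-cert"},
    {"src": "erp-app", "src_zone": "IT-corp", "dst": "hmi-01",
     "dst_zone": "L2-supervisory", "auth": "ip-implicit"},  # unsolicited inbound
]
OT_ZONES = {"L1-loopA", "L1-loopB", "L2-supervisory", "L3-site"}
OT_ASSETS = {"ews-01", "hmi-01", "plc-loopA", "plc-loopB", "historian"}


def attack_surface_reduction(flows, ot_assets, it_zone="IT-corp"):
    """Percentage of OT assets with no flow initiated from the IT zone."""
    exposed = {f["dst"] for f in flows
               if f["src_zone"] == it_zone and f["dst"] in ot_assets}
    return 100.0 * (len(ot_assets) - len(exposed)) / len(ot_assets)


def identity_coverage(flows, ot_zones):
    """Percentage of OT-to-OT flows authenticated by an NPE identity
    (certificate or similar) rather than by implicit IP-based trust."""
    ot_to_ot = [f for f in flows
                if f["src_zone"] in ot_zones and f["dst_zone"] in ot_zones]
    if not ot_to_ot:
        return 0.0
    authenticated = [f for f in ot_to_ot if f["auth"] != "ip-implicit"]
    return 100.0 * len(authenticated) / len(ot_to_ot)


def kpi_report(flows, ot_assets, ot_zones, surface_target=85.0):
    """Board view: current values, the >85% target from the post, and the
    OT-to-OT flows still relying on IP-based trust (the remediation list)."""
    surface = attack_surface_reduction(flows, ot_assets)
    coverage = identity_coverage(flows, ot_zones)
    return {
        "attack_surface_reduction_pct": round(surface, 1),
        "attack_surface_target_met": surface > surface_target,
        "identity_coverage_pct": round(coverage, 1),
        "still_ip_trusted": sorted(f["src"] + "->" + f["dst"] for f in flows
                                   if f["src_zone"] in ot_zones
                                   and f["dst_zone"] in ot_zones
                                   and f["auth"] == "ip-implicit"),
    }
```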

Final thought for the board

Zero Trust in OT is no longer an "advanced" state; in 2026, it is the baseline for insurability. By removing implicit trust, we aren't just stopping hackers—we are ensuring that a single compromised laptop in the corporate office cannot cause a physical catastrophic failure in the plant.

For more, consult the fresh regulatory playbooks at shieldworkz.com/regulatory-playbooks for pre-mapped compliance templates that align this CISA guidance with NERC CIP and IEC 62443.

Additional resources

  • 2026 OT Cybersecurity Threat Landscape Analysis Report here
  • A downloadable report on the Stryker cyber incident here
  • Remediation Guides here
  • IEC 62443 and NIS2 Compliance Checklist here
  • OT Security Best Practices and Risk Assessment Guidance here
