Zero Trust in OT: Why It's Been Hard and Why New CISA Guidance Changes Everything

Zero Trust has taken off in IT environments and become a mainstream driver of cybersecurity improvement. Federal agencies were mandated to meet specific Zero Trust maturity goals by fiscal year 2024. According to the U.S. Office of Management and Budget, over 80% of federal civilian agencies reported significant progress in implementing Zero Trust architectures across their IT enterprises. In the private sector, Gartner projected that by 2026, 60% of enterprises would have adopted Zero Trust as their primary security model, up from just 10% in 2019.

What's striking about Zero Trust's success in IT is that it didn't require radical new technology. Most implementations relied on better orchestration of existing controls: network segmentation, firewalls, multi-factor authentication, identity and access management, continuous monitoring, and policy enforcement. Zero Trust didn't invent these tools, but it organized them around a new philosophy: never trust, always verify. The result was a measurable lift in cybersecurity posture across industries.

But when organizations tried to extend Zero Trust into operational technology (OT) environments, the industrial control systems, SCADA networks, and critical infrastructure that keep power flowing, water clean, and factories running, they hit a wall. The new guidance released by CISA and its partner agencies was designed to help break through that barrier.

The OT Struggle: Concepts and Implementation

OT organizations have struggled with Zero Trust on two fronts: defining core concepts within an OT context and implementing controls that work in IT but fail in industrial environments.

Defining breach in OT, for example, isn't straightforward. In IT, a breach typically means unauthorized access to data. In OT, breach can mean an adversary gaining control of a programmable logic controller that regulates chemical reactions, water pressure, or electrical load balancing. The consequences aren't measured in records stolen; they're measured in explosions, blackouts, or contaminated water supplies.

Similarly, "assume breach" is a cornerstone of IT Zero Trust, but in OT, assuming breach can drive responses that are operationally catastrophic. Isolating a compromised asset in IT might mean cutting off a file server. In OT, it might mean shutting down a safety-instrumented system during an active industrial process or evacuating a facility or city.

Then there's implementation. Common cybersecurity controls, such as authentication, encryption, firewalls, and logging, often can't be deployed in OT environments the way they are in IT. Legacy devices don't support modern authentication protocols. Encrypted communications can introduce latency that disrupts real-time control loops. Firewalls configured without an understanding of industrial protocols can block legitimate operational traffic. And logging on embedded systems may simply not be possible because of hardware constraints.

In organizations where IT and OT remain operationally distinct, what we call non-converged environments, the friction became cultural as well as technical. IT cybersecurity teams, accustomed to enforcing Zero Trust controls across the enterprise, met resistance from OT practitioners who pointed out that the same controls could trigger downtime, safety incidents, or equipment damage. The IT side often interpreted this as resistance to security. The OT side saw it as protecting operational integrity and human safety.

Both were right. And I personally struggled on both sides of this fence, as my 30+ years of practicing cybersecurity told me Zero Trust is a good thing, while my 10+ years of OT cybersecurity said otherwise. Since then, I’ve come around and today know that pushing Zero Trust concepts to OT is a good thing.

The Collaboration: Raising the Bar Without Breaking Operations

Over the past several years, some of the sharpest minds in OT security have worked to resolve this tension. Industry leaders like Daryl Haegley and Randy Resnick from the Department of War, standards bodies like the ISA Global Cybersecurity Alliance (ISAGCA), cross-sector initiatives like the Operational Technology Cybersecurity Coalition (OTCC), and government agencies including CISA, DoD, and the Department of Energy have been tackling the same core questions:

  • How do we raise the cybersecurity bar in OT to reflect the rigor IT security teams are accustomed to?
  • How do we adapt IT-centric Zero Trust controls so they don't disrupt 24/7 operations or introduce new failure modes?
  • How do we prevent Zero Trust from becoming a new source of risk rather than a solution?
  • What happens if we don't act?

These conversations have played out in standards committees, working groups, conference panels, roundtables, and yes, restaurants and geeky social gatherings where Zero Trust in OT has become the topic everyone wants to debate.

What I see emerging from this multi-year collaboration is a maturing consensus. Multiple groups have published their own guidance, opinions, and frameworks on how to expand Zero Trust programs into OT safely and effectively. The ISA published "Zero Trust Outcomes Using ISA/IEC 62443 Standards" in August 2024, mapping how existing industrial security standards can achieve Zero Trust objectives. The OTCC released its own Zero Trust for OT guidance, addressing implementation pathways for critical infrastructure operators. And the main topic of this blog, in April 2026, CISA released its joint guide, "Adapting Zero Trust Principles to Operational Technology," developed with the Department of War, Department of Energy, FBI, and Department of State.

Why This Guidance Matters Now

The CISA guide and the broader body of work from ISA, OTCC, and others do something critical: they remove ambiguity and validate OT realities.

For years, OT practitioners implementing Zero Trust faced analysis paralysis. Should we apply IT frameworks directly, or adapt them? If we adapt them, how far? What's negotiable and what's not? Which controls are essential, and which create unacceptable operational risk?

The new guidance documents help establish common ground on the points of contention typically raised by both IT and OT teams. They acknowledge that:

  • Safety, availability, and reliability must come first in OT environments, not as an excuse to avoid security, but as a design constraint that shapes how security is implemented.
  • Legacy infrastructure and decades-long asset lifecycles are operational facts, not security failures, and Zero Trust strategies must account for them.
  • Passive monitoring, protocol-aware visibility, and operationally aware segmentation are the foundation of OT Zero Trust, not active scanning and dynamic isolation.
  • Security controls must never become new sources of operational or safety risk.

By clearing up ambiguities and highlighting best practices, the recent CISA guidance helps Zero Trust practitioners with limited OT experience understand the unique constraints of industrial environments. It also helps OT owners and operators see that Zero Trust, when adapted properly, isn't a threat to uptime; it's a framework for improving resilience without sacrificing operational integrity.

The more defining documents we can put together that are aligned, credible, and grounded in real-world OT constraints, the easier the journey to Zero Trust in OT will be for everyone.

A Maturing Policy Landscape for OT Security

What we're witnessing is federal cybersecurity policy maturing beyond IT-only assumptions. OT security is now treated as a national resilience issue, not just a compliance checkbox. This guidance acknowledges that physics, engineering, and safety are as important as cyber risk when securing critical infrastructure.

Without OT-specific guidance like the CISA document, Zero Trust in OT often protects data while endangering operations. It creates the illusion of security at the IT layer while leaving control systems vulnerable, or worse, introduces new risks by deploying controls that disrupt real-time processes or override safety mechanisms.

The collaboration we've seen across industry, standards bodies and government signals a turning point. After years of sitting on the edge of OT, Zero Trust is no longer an IT-only concept being forced onto OT. It's becoming an OT-safe strategy that respects operational realities, adapts to legacy constraints, and prioritizes the twin goals of security and safety. Of course, there’s still a long way to go and room for improvement.

Moving Forward with Zero Trust

Zero Trust succeeded in IT because it raised the bar using tools we already had, organized around better principles. Zero Trust in OT will succeed for the same reason, not by inventing new controls, but by adapting existing ones to respect the physics and operational demands of industrial systems.

The guidance now available from CISA, ISA, OTCC, and others gives the community a shared foundation to build on. It won't eliminate every debate or solve every implementation challenge, but it provides something critically important: clarity on what works, what doesn't, and why.

For OT operators, security leaders, and policymakers alike, the message is clear: Zero Trust in OT is achievable, but only if we do it right. That means listening to the practitioners who've been solving these problems, respecting the operational constraints that make OT different, and recognizing that the goal isn't just stronger cybersecurity; it's resilient, safe, and uninterrupted critical infrastructure.

Read the memorandum: M-22-09 Federal Zero Trust Strategy