Back to blog
Security Architecture

Zero Trust in OT: Less Slogan, More Control Over Identity, Sessions, and Attack Paths

Zero Trust in industrial environments is not an IT copy-paste exercise. It is a practical model for verifying every critical access request, reducing implicit trust, and stopping credential abuse from becoming a process-level incident.

Roger
#zero trust#OT security#ICS#security architecture#continuous verification

If your plant security model in 2026 is still “strong perimeter, trusted inside,” your assumptions are outdated.

Perimeters are no longer stable boundaries. Industrial environments now depend on vendor remote access, continuous IT/OT exchange, cloud analytics, digital maintenance workflows, and legacy assets that were never designed for this level of exposure.

In that reality, Zero Trust is not a trend. It is a corrective architecture.

In OT, though, we need precision: Zero Trust is not a product category. It is a disciplined way to grant, verify, and revoke access in environments where mistakes can affect production, safety, and public trust.

Why OT needs Zero Trust now

The evidence has been available for years:

  • Oldsmar (2021) exposed what weak remote access governance can do in critical utilities.
  • TRITON/TRISIS demonstrated adversary intent and capability against Safety Instrumented Systems.
  • Stuxnet proved compromise of engineering and control pathways can produce intentional physical effects.
  • Colonial Pipeline showed an IT-origin incident can trigger high-impact operational decisions.

The common denominator is not a specific exploit chain. It is implicit trust and excessive internal freedom after initial access.

In OT, that freedom is not an inconvenience. It is systemic risk.

Operational definition of Zero Trust in industrial settings

In OT, Zero Trust means no critical access is granted because someone is “on the network.” Access is granted based on current evidence.

Every high-impact session should answer five questions:

  1. Who is requesting access?
  2. From which asset and with what device posture?
  3. To which specific resource, with what minimum privilege?
  4. Under what operational context (shift, plant state, approved window)?
  5. Is behavior consistent with expected process activity?

If you cannot answer these with telemetry and policy records, you do not have Zero Trust. You have inherited trust.

NIST SP 800-207 in OT: what to adapt

NIST SP 800-207 gives a solid Zero Trust model, but OT implementation requires adaptation:

  • Policy enforcement is often distributed across bastions, industrial firewalls, remote access brokers, and PAM controls.
  • Many OT assets cannot run modern agents, so posture and trust decisions rely heavily on network controls and mediated access.
  • Enforcement actions must account for process impact; aggressive automation without context can create operational risk.

What does not change: explicit verification, least privilege, and assumption of breach.

Zero Trust without segmentation is branding

Directly: if segmentation is weak, your OT Zero Trust program is mostly vocabulary.

Required base layer:

  • Zone-and-conduit architecture aligned with IEC 62443.
  • Hardened IT/OT boundary through an Industrial DMZ.
  • Separation of engineering, operations, and process-cell control paths.
  • Explicit, auditable, minimal inter-zone routes.

If a compromised station can still traverse broad parts of the plant network, policy language will not save you.

Pillar 1: Strong identity and short-lived privilege

Common failure modes remain widespread:

  • Generic vendor accounts.
  • Shared engineering credentials.
  • Static privileged secrets.

These are incompatible with Zero Trust.

Minimum controls:

  • MFA for all remote and privileged pathways.
  • Named individual accounts for critical operations.
  • Just-in-time privilege elevation with automatic expiry.
  • Two-party approvals for sensitive third-party windows.
  • Privileged secret vaulting and rotation.

Goal: every high-impact action has clear identity, clear purpose, clear time boundary.

Pillar 2: Session control, not just authentication

Strong authentication followed by uncontrolled session behavior is still weak control.

Privileged OT sessions should include:

  • Bastion-mediated access.
  • Session recording and replay.
  • Activity-level audit trails.
  • Aggressive idle and absolute session timeouts.
  • Immediate revocation on anomaly triggers.

Example: vendor attempts PLC logic change outside approved window. Control success is not “valid credentials.” Control success is session termination, evidence capture, and escalation to OT runbook.

Pillar 3: Protocol-aware policy with process context

This is where many IT-led Zero Trust programs fail in industrial environments.

Opening a port does not equal granting safe protocol use.

  • Modbus/TCP exposes write capability without native authentication.
  • S7comm and similar legacy protocols assume trusted internal transport.
  • Heterogeneous OT stacks make intent hard to infer without process context.

What works:

  • Endpoint-pair allowlists.
  • Route and direction constraints.
  • Strict engineering traffic separation.
  • Inspection/containment on critical conduits.
  • Progressive migration to properly configured OPC UA (certificates, encryption, policy enforcement).

Real Zero Trust in OT limits effective capability, not just network presence.

Pillar 4: Process-aware visibility and detection

Because many OT assets are agentless by design, visibility must be network-centric and passive.

High-value use cases include:

  • PLC logic downloads outside approved maintenance windows.
  • Writes to critical setpoints from unauthorized engineering hosts.
  • New zone-to-zone communication paths not present in the approved matrix.
  • Privileged credential reuse from unusual origins.

In OT, useful alerts are process-relevant deviations, not generic anomaly noise.

Pillar 5: Response tiers that protect uptime and safety

Concerns about automated response in OT are valid. The answer is tiered enforcement:

  1. Step-up verification or session suspension.
  2. Asset isolation into quarantine segment.
  3. Conduit-level blocking for imminent risk.
  4. Human-approved high-impact actions through OT-specific runbooks.

Automate low-risk reversible actions. Keep human authority where process safety and continuity are involved.

A 12-month implementation path

Months 0-3: Foundation

  • Build and validate living asset/flow inventory.
  • Identify crown-jewel systems.
  • Enforce unified remote access policy with MFA.
  • Begin shared-account elimination.

Months 3-6: Boundary and privilege controls

  • Harden Industrial DMZ.
  • Deploy bastions with session accountability.
  • Implement JIT privileged access for OT tasks.
  • Segment engineering, operations, and control layers.

Months 6-9: Continuous verification

  • Integrate passive OT visibility into SOC workflows.
  • Deploy process-aware detection scenarios.
  • Enforce automatic expiry for access exceptions.
  • Run IT-to-OT pivot tabletop exercises.

Months 9-12: Maturity and scale

  • Expand microsegmentation across critical process cells.
  • Refine containment playbooks jointly with operations.
  • Report effectiveness metrics to leadership.
  • Launch multi-year legacy modernization planning.

Perfection is not required in year one. Measurable trust reduction is.

Metrics that prove execution

  • Percentage of privileged sessions with MFA and recorded audit trail.
  • Remaining shared accounts in critical OT zones.
  • Percentage of critical assets protected by dedicated policy-enforced segments.
  • Mean time to close temporary access exceptions.
  • Number of blocked lateral movement attempts in OT domains.
  • Mean time to detect anomalous engineering/control behavior.

If you cannot produce these metrics, your program is intent, not implementation.

What to stop doing immediately

  1. Buying “Zero Trust tools” before defining access model and governance.
  2. Copy-pasting IT controls into OT without process adaptation.
  3. Designing security controls without operations and maintenance ownership.
  4. Allowing indefinite temporary exceptions.
  5. Measuring ticket volume instead of risk reduction.

Actions for the next four weeks

  • Inventory all third-party remote access pathways and remove unjustified ones.
  • Enforce MFA and named accounts for every privileged jump path.
  • Define crown-jewel list and review current reachability.
  • Block at least one non-essential IT/OT conduit and measure operational impact.
  • Introduce automatic expiry for all new exceptions.

Five actions, immediate impact, minimal strategic ambiguity.

Bottom line

Zero Trust in OT is not about adding friction for its own sake. It is about removing unearned trust before attackers monetize it.

The real question is not whether to adopt Zero Trust. The real question is how long you are willing to keep defending inherited access paths that no one can justify technically.

Start with segmentation, strong identity, session control, and process-aware continuous verification. Execute in phases with operations embedded in design and evidence-based metrics guiding decisions.

Less slogan. More enforced control. That is Zero Trust that actually works in industrial environments.

Want to talk about your industrial security?

Free initial assessment, no commitment.

Contact us
See all articles