Medium Vulnerability

New CISA guide pushes zero trust for OT systems

What Happened

CISA, in collaboration with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners including the UK’s NCSC and Australia’s ASD, released a comprehensive guide titled Accelerating Zero Trust Adoption in Operational Technology. Published on January 27, 2026, the document provides a phased framework for transitioning industrial control systems (ICS) and operational technology (OT) networks from perimeter-based security models to a zero trust architecture (ZTA). The guide targets OT owners and operators across critical infrastructure sectors, including energy, water, transportation, and manufacturing.

This initiative follows years of increasing cyberattacks against OT environments, from the Colonial Pipeline disruption to more recent compromises at water treatment facilities and energy grids. Unlike previous theoretical zero trust frameworks for IT, this guide offers specific, actionable steps tailored to the unique constraints of OT systems, such as legacy protocol dependencies, real-time performance requirements, and safety-critical operations.

Why It Matters

OT environments have long operated under the assumption that internal networks are trusted. This mindset is increasingly untenable as OT systems become more interconnected with IT networks and exposed to internet-accessible interfaces. A recent CISA advisory highlighted that over 60% of critical infrastructure organizations reported at least one OT-related breach in the past two years. Without segmentation and continuous verification, a single compromised device or credential can cascade to disrupt industrial processes, causing physical damage, safety incidents, or environmental harm.

This guide matters because it acknowledges that OT zero trust is not a one-size-fits-all IT transplant. It offers a risk-prioritized pathway, allowing organizations to start with high-impact controls like micro-segmentation and asset inventory, while deferring more complex capabilities like dynamic policy enforcement until they are feasible. For security teams, this provides a credible, government-endorsed roadmap to justify budget and personnel investment.

Technical Details

The guide is built around the five pillars of zero trust defined by NIST SP 800-207 - identity, devices, networks, applications/workloads, and data - but adapts each to OT realities:

  • Identity: Use hardware-anchored authentication for programmable logic controllers (PLCs) and remote terminal units (RTUs), but avoid per-packet authentication that could disrupt deterministic timing.
  • Devices: Maintain a real-time asset inventory of all OT devices, including those not IP-addressable, using passive scanning and network traffic analysis.
  • Networks: Implement micro-segmentation at the Layer 3 boundary between IT/OT zones, using unidirectional gateways or industrial firewalls to enforce least-privilege communication.
  • Applications/Workloads: Verify all executable code against a whitelist before deployment to ICS endpoints, using application control tools that support legacy operating systems.
  • Data: Encrypt OT data in transit where possible, but acknowledge that many legacy protocols (Modbus, DNP3) lack native encryption; for those, the guide recommends secure tunneling or data diodes.

Attack vectors addressed include lateral movement from IT to OT, rogue device insertion, unauthorized access via VPNs, and supply chain compromise of ICS firmware. The guide also provides sample policies, architecture diagrams, and a maturity model to track progress.

Immediate Risk

The risk level is MEDIUM, as no active exploitation or emergency CVE is linked to this publication. However, the urgency is real: threat actors - from ransomware groups like LockBit to nation-state actors such as Sandworm and APT28 - have demonstrated capabilities to breach OT environments. Without a structured transition to zero trust, organizations remain exposed to credential theft, unpatched legacy vulnerabilities, and insider threats. The guide itself is not a vulnerability, but its recommendations close critical attack paths.

Organizations should prioritize this as a strategic planning resource, not an overnight mandate. The immediate risk is that teams may misinterpret the guidance as requiring immediate network redesign, leading to downtime or safety violations. Instead, start with the high-priority, low-disruption controls outlined in the guide’s Phase 1: asset discovery, basic segmentation, and identity hardening.

Security Insight

This guide’s most non-obvious takeaway is that zero trust in OT is fundamentally about operational resilience, not just cybersecurity. A truly zero trust OT architecture must be able to function safely even when all external connectivity is lost - a condition that directly contradicts ZTA’s reliance on continuous authentication and policy verification. The guide implicitly acknowledges this by recommending “fallback states” and “safety overrides” that allow critical processes to continue in degraded mode. This is a critical departure from IT zero trust, which assumes connectivity is always available. For security teams, this means designing OT zero trust should start with a failure mode analysis, not a threat model. If your system fails closed (blocking all traffic), can the plant still shut down safely? If not, you need deliberate “break-glass” procedures that are tested in a lab environment before deployment to production.
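The following added example (not code from the CISA guide or any vendor) models the two points above in one place: a policy enforcement point at the IT/OT boundary that allows only least-privilege flows tied to a verified identity, and that drops into a deliberate fallback state when the policy service is unreachable instead of failing closed. Device names, flow rules and the safe-state allowlist are constructed assumptions.

```python
"""Boundary policy enforcement point (PEP) with an explicit fallback state.
Constructed example: the device names, Modbus function names and the
safe-state flow set below are assumptions, not taken from the CISA guide."""
from dataclasses import dataclass

# Least-privilege flow policy: (src, dst, protocol, function).
# Constructed sample: the HMI may read and write the PLC over Modbus/TCP,
# the historian may only read; every other flow is denied.
ALLOW = {
    ("hmi-01", "plc-01", "modbus", "read_holding_registers"),
    ("hmi-01", "plc-01", "modbus", "write_single_register"),
    ("historian", "plc-01", "modbus", "read_holding_registers"),
}

# Fallback state (assumed): with the policy service down, only the flows
# needed to bring the process to a safe state stay allowed.
SAFE_STATE_ALLOW = {
    ("safety-plc", "plc-01", "modbus", "write_single_coil"),
    ("hmi-01", "plc-01", "modbus", "read_holding_registers"),
}


@dataclass
class Request:
    src: str
    dst: str
    proto: str
    func: str
    token_valid: bool  # outcome of the hardware-anchored identity check (assumed)


class BoundaryPEP:
    def __init__(self) -> None:
        self.policy_service_up = True  # reachability of the policy decision point
        self.log: list = []            # audit trail, incl. break-glass use

    def decide(self, req: Request) -> bool:
        flow = (req.src, req.dst, req.proto, req.func)
        if self.policy_service_up:
            # Normal mode: verified identity AND an explicitly allowed flow.
            ok, mode = req.token_valid and flow in ALLOW, "normal"
        else:
            # Degraded mode: do not block everything; permit only safe-state
            # flows, still require a valid credential, and record the event.
            ok, mode = req.token_valid and flow in SAFE_STATE_ALLOW, "fallback"
        self.log.append((mode, flow, "ALLOW" if ok else "DENY"))
        return ok
```

The audit log is what a detection team reviews after a fallback episode: every "fallback" entry is a break-glass decision that should match a tested procedure.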
