For decades, the security model protecting industrial operations rested on a single, comfortable assumption: if a device or user was inside the network perimeter, it could be trusted. Air gaps, isolated control networks, and the sheer physical complexity of industrial environments served as a kind of implicit defence. Security teams focused on keeping adversaries out. What happened inside the fence was, largely, trusted by default.
That assumption is now officially dead.
On April 29, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the Department of War, Department of Energy, FBI, and Department of State, published a landmark 28-page joint guide: Adapting Zero Trust Principles to Operational Technology. It is the most authoritative statement yet from the U.S. government that perimeter-based defences are insufficient for modern OT environments – and that the industry must fundamentally change how it thinks about trust.
> “CISA has observed threat actors like Volt Typhoon targeting OT systems to compromise, escalate, and maintain access within operational environments. Zero Trust architecture is critical to preventing cyber incidents that could cause operators to lose visibility or control of essential systems.” – Chris Butera, CISA Acting Executive Assistant Director for Cybersecurity (CISA, April 29 2026)
This is not a theoretical concern. Volt Typhoon – a Chinese state-sponsored threat group – has been actively compromising small-office routers at electric utilities and telecommunications providers, establishing relay networks, and exfiltrating OT network diagrams and operational instructions. The group’s 2025 reconnaissance is now expected to transition into operational disruption in 2026. The guide names them explicitly. The threat is here.
What is Zero Trust – and why does it matter for OT?
Zero Trust is not a product. It is a security philosophy built on a single principle: never trust, always verify. Rather than granting access based on network location (being “inside the firewall”), Zero Trust requires every access request – from a person, device, or system – to be continuously validated based on identity, context, and risk, regardless of where it originates.
In IT environments, Zero Trust has been mainstream for years. Cloud workloads, remote workers, and SaaS-heavy architectures made perimeter-based security impractical long ago. But OT environments have been largely exempted from this conversation, on the grounds that they are “isolated” or “air-gapped.” The problem is that air gaps are increasingly a myth.
According to Palo Alto Networks’ 2026 OT security research, analysing 16 million samples, internet-exposed OT devices have increased by 332% in a short period. The drivers are familiar: remote monitoring, predictive maintenance, IIoT connectivity, supply chain integration. Every efficiency gain that connects OT systems to the broader network creates a potential entry point. And once an adversary is inside the IT environment, lateral movement into OT is often only a matter of exploiting shared credentials or misconfigured trust relationships.
Key finding – TXOne Networks / Frost & Sullivan, 2026:
- 96% of OT security incidents in 2025 originated from IT-level compromises.
- 60% of organisations surveyed experienced at least one OT security incident.
- 88% increased their OT security spending by more than 10% in response.
Zero Trust addresses this structural weakness directly. By eliminating implicit trust – assuming a breach has already occurred and designing controls accordingly – it limits how far an adversary can move even if they gain an initial foothold. In OT terms, it is the difference between an attacker who compromises one vendor’s laptop and pivots all the way to a SCADA controller, versus one who is stopped at the boundary of the OT network because every access request must be explicitly authorised.
Why Zero Trust is harder in OT – and why that’s not an excuse
CISA’s April 2026 guide makes a critical acknowledgement that many IT-centric security vendors gloss over: the blanket application of traditional IT-focused Zero Trust capabilities to OT is “neither reasonable nor feasible.” This is not a get-out-of-jail-free card. It is an honest recognition that OT environments have genuine constraints that require a different approach.
The three core constraints
- Legacy systems that predate modern security: PLCs, SCADA systems, and DCS platforms can have operational lifespans exceeding 20 years. Many were designed before cybersecurity was a consideration at all. They may have no capacity for authentication, logging, encrypted communications, or software updates. You cannot install an agent on a 1998 PLC.
- Uptime is not optional: A misconfigured Zero Trust policy that blocks a legitimate control command does not merely generate a service desk ticket. It can halt a production line, disrupt an energy grid, or trigger a safety system response. The consequence of a false positive in OT is qualitatively different from one in IT. Implementations must be phased, tested, and validated before enforcement.
- Visibility gaps are the norm, not the exception: Most OT environments have limited or no visibility into their own asset inventory. The Dragos 2026 OT Cybersecurity Year in Review found that the majority of organisations lack the visibility needed to detect adversary reconnaissance, lateral movement, or data exfiltration before operational impact occurs. You cannot apply Zero Trust controls to assets you cannot see.
The table below maps the most common OT constraints to their Zero Trust challenge and practical mitigation approach:
| OT constraint | Zero Trust challenge | Practical approach |
|---|---|---|
| Legacy PLCs & SCADA | Cannot authenticate or log natively | Compensating controls: network segmentation, conduits, passive monitoring |
| Continuous uptime requirements | Misconfigured policies risk production shutdown | Phased rollout; test policies in parallel before enforcement |
| Flat network architecture | Lateral movement unchecked once inside | Zone and conduit model aligned to IEC 62443 |
| Shared IT/OT credentials | AD credentials stolen in IT pivot to OT | Separate AD forests; MFA enforced at jump hosts only |
| Third-party vendor access | Trusted VPN paths bypass all controls | Time-limited, monitored, least-privilege remote sessions |
The key insight from the CISA guidance is that OT does not need to implement Zero Trust in the same way as cloud-native IT. Compensating controls, passive monitoring, and phased enforcement are all explicitly endorsed. What is not acceptable is maintaining the status quo of implicit trust in an environment that is increasingly connected and actively targeted.
The CISA roadmap: five Zero Trust priorities for OT operators
The April 2026 joint guidance is structured around the six functions of NIST Cybersecurity Framework 2.0: Govern, Identify, Protect, Detect, Respond, and Recover. It also aligns with NIST SP 800-82 Rev. 3, the DoD Zero Trust Reference Architecture v2.0, and the international ISA/IEC 62443 standard series. For practitioners, this means the guidance is not a standalone exercise – it plugs into the compliance frameworks most OT organisations are already working with.
Here are the five most actionable priorities the guidance identifies:
- Comprehensive asset visibility
You cannot apply Zero Trust to assets you cannot enumerate. The guidance makes passive asset discovery the foundational first step. Using SPAN ports or network TAPs, OT teams can fingerprint every device on the network from observed traffic – capturing device type, vendor, firmware version, protocols in use, and communication patterns – without injecting a single packet that could disrupt operations.
CISA specifically endorses Malcolm, its open-source SIEM tool, which includes Zeek parsers built for common OT protocols and supports deep traffic analysis. This is a practical, cost-accessible starting point for organisations without dedicated OT security tooling.
- Zones and conduits
Once assets are visible, they must be grouped by criticality and security requirements. The IEC 62443 zone and conduit model – explicitly referenced in the CISA guidance – provides the architectural backbone. Zones group assets with similar security levels; conduits are the controlled communication pathways between zones. Every conduit must be documented, controlled, and protected.
In practice, this typically means a safety layer (SIS/ESD systems at minimum Security Level 3, fully isolated), a basic process control layer, an operations and monitoring layer, and a DMZ that mediates all communication between OT and IT. No direct IT-to-OT communication paths should exist.
- Identity and access controls
Shared credentials between IT and OT environments are one of the primary vectors Volt Typhoon and similar actors exploit. The guidance is specific: OT Active Directory should be separated into a distinct forest or domain with no direct trust relationships to the IT AD. Multi-factor authentication should be enforced at the jump host level – the last controlled point before OT access – even where legacy OT assets cannot support MFA natively.
Third-party and vendor remote access is a particular priority. Time-limited, least-privilege, fully monitored remote sessions should replace always-on VPN tunnels that provide persistent, broad access to OT networks.
- Supply chain risk management
CISA’s guidance notes that compromised trusted third-party vendor software is a well-documented attack vector against OT environments. Procurement decisions should now incorporate security requirements: Software Bills of Materials (SBOMs) for OT components, vendor security posture assessments, and contract terms that mandate timely vulnerability disclosure.
The “secure by design” imperative is closely linked here. When procuring new OT components, organisations should require that security capabilities – logging, encrypted communications, identity support – are built in by default, not treated as optional extras.
- Continuous monitoring and detection
Zero Trust does not end at access control. Continuous monitoring is what makes the model adaptive. Critically, OT environments’ relatively static nature is an advantage here: normal behaviour is predictable, which means anomalies are detectable. Unexpected commands to a PLC, unusual protocol traffic on an OT segment, or a device communicating with an unfamiliar external IP – all of these stand out sharply against the baseline.
The highest-risk monitoring points are the junctions where OT connects to IT or to external systems. Passive monitoring through TAPs keeps observation completely load-free, with no risk of disrupting time-sensitive control traffic. CISA’s Malcolm/Zeek tooling provides OT protocol-aware analysis that generic SIEM solutions cannot replicate.
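Priorities one and two above (passive asset visibility and the zone/conduit model) fit together naturally in code: the same passively observed flows that populate the inventory are the flows a conduit policy has to judge. The Python below is an added example, not code from the CISA guide, Malcolm or IEC 62443. It assumes Zeek's standard conn.log columns as a sensor on a TAP or SPAN port would emit them, a small port-to-protocol map for OT services Zeek leaves unlabelled, and a constructed plant layout (zone address ranges, target security levels and the set of documented conduits); the log records are constructed as well.

```python
"""Passive asset inventory plus zone-and-conduit audit from Zeek conn.log.

Added example; not code from the CISA guide, Malcolm or IEC 62443.
Assumptions: Zeek's standard conn.log columns (ts, uid, id.orig_h, id.orig_p,
id.resp_h, id.resp_p, proto, service) from a TAP/SPAN feed; a well-known-port
map for OT services Zeek leaves blank; a constructed plant layout (zones,
security levels, documented conduits). The log lines are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Fallback labels for OT services when Zeek's service column is "-".
OT_PORTS = {502: "modbus", 102: "s7comm", 20000: "dnp3", 44818: "enip", 2404: "iec104"}

# IEC 62443-style zones: (name, network, target security level). Constructed.
ZONES = [
    ("IT",         ipaddress.ip_network("10.0.0.0/16"),  1),
    ("DMZ",        ipaddress.ip_network("10.10.0.0/24"), 2),
    ("OT_OPS",     ipaddress.ip_network("10.20.1.0/24"), 2),
    ("OT_CONTROL", ipaddress.ip_network("10.20.2.0/24"), 3),
    ("SAFETY",     ipaddress.ip_network("10.20.9.0/24"), 3),   # SIS/ESD, isolated
]

# Documented conduits (from_zone, to_zone, service); anything else is denied.
# Deliberately no IT -> OT_* entry and no conduit terminating in SAFETY.
CONDUITS = {
    ("IT", "DMZ", "ssl"), ("OT_OPS", "DMZ", "historian"), ("DMZ", "OT_OPS", "opcua"),
    ("OT_OPS", "OT_CONTROL", "modbus"), ("OT_OPS", "OT_CONTROL", "s7comm"),
}

# Constructed conn.log records: ts uid orig_h orig_p resp_h resp_p proto service
SAMPLE_CONN_LOG = """\
1714400000.1\tC1\t10.20.1.10\t51000\t10.20.2.5\t502\ttcp\tmodbus
1714400001.2\tC2\t10.20.1.10\t51001\t10.20.2.6\t102\ttcp\t-
1714400002.3\tC3\t10.0.5.20\t49000\t10.20.2.5\t502\ttcp\tmodbus
1714400003.4\tC4\t10.20.1.10\t51002\t10.20.9.2\t20000\ttcp\t-
1714400004.5\tC5\t10.0.5.20\t49001\t10.10.0.3\t443\ttcp\tssl
1714400005.6\tC6\t192.168.77.4\t40000\t10.20.2.6\t102\ttcp\t-
"""


@dataclass
class Asset:
    ip: str
    zone: str
    offers: set[str] = field(default_factory=set)   # services it answers
    uses: set[str] = field(default_factory=set)     # services it initiates
    peers: set[str] = field(default_factory=set)

    @property
    def role(self) -> str:
        """Coarse role inferred from traffic direction alone."""
        ot = set(OT_PORTS.values())
        if self.offers & ot:
            return "controller"          # answers Modbus/S7/DNP3 requests
        if self.uses & ot:
            return "hmi_or_engineering"  # issues them
        return "other"


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net, _ in ZONES if addr in net), "UNKNOWN")


def parse_conn_line(line: str) -> tuple[str, str, str]:
    """Return (orig_h, resp_h, service) from one conn.log record."""
    _ts, _uid, oh, _op, rh, rp, proto, service = line.split("\t")
    if service == "-":
        service = OT_PORTS.get(int(rp), f"{proto}/{rp}")
    return oh, rh, service


def build_inventory(conn_log: str) -> dict[str, Asset]:
    """Fold records into a per-IP table. Purely passive: nothing is sent."""
    inv: dict[str, Asset] = {}

    def asset(ip: str) -> Asset:
        return inv.setdefault(ip, Asset(ip, zone_of(ip)))

    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        oh, rh, service = parse_conn_line(line)
        asset(oh).uses.add(service)
        asset(oh).peers.add(rh)
        asset(rh).offers.add(service)
        asset(rh).peers.add(oh)
    return inv


def evaluate_flow(src: str, dst: str, service: str) -> tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one observed flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz and sz != "UNKNOWN":
        return "allow", f"intra-zone {sz}"
    if (sz, dz, service) in CONDUITS:
        return "allow", f"conduit {sz}->{dz}/{service}"
    if "SAFETY" in (sz, dz):
        return "deny", "safety zone must be isolated"
    if "UNKNOWN" in (sz, dz):
        return "deny", "asset outside every documented zone"
    if sz == "IT" and dz.startswith("OT_"):
        return "deny", "direct IT-to-OT path bypasses the DMZ"
    return "deny", f"no documented conduit {sz}->{dz}/{service}"


def audit(conn_log: str) -> list[tuple[str, str, str, str]]:
    """Flows a conduit policy would block, as (src, dst, service, reason)."""
    denied = []
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        src, dst, service = parse_conn_line(line)
        verdict, reason = evaluate_flow(src, dst, service)
        if verdict == "deny":
            denied.append((src, dst, service, reason))
    return denied


if __name__ == "__main__":
    for a in sorted(build_inventory(SAMPLE_CONN_LOG).values(), key=lambda a: a.ip):
        print(f"{a.ip:<13} {a.zone:<11} {a.role:<19} offers={sorted(a.offers)}")
    for row in audit(SAMPLE_CONN_LOG):
        print("DENY", *row)
```

The audit denies anything that is not a documented conduit rather than enumerating what to block, which is the Zero Trust default. The three denials in the sample (an IT host speaking Modbus straight to a PLC, an operations host reaching into the safety zone, and an address that belongs to no documented zone) are exactly the findings the visibility and segmentation steps are meant to surface. Vendor and firmware details would come from Zeek's protocol-specific logs rather than conn.log and are out of scope here.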
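The baseline argument in the monitoring priority above can be made concrete. The Python below is an added example (not Malcolm, Zeek or CISA code) that learns a baseline of conversations and per-device function codes from a quiet period and then flags the three deviations the text names: a peer outside the plant's address space, a conversation never seen before, and a write function code sent to a PLC that was only ever read. It assumes a sensor that exports events as (src, dst, service, function) tuples with Modbus function codes decoded where available, and that the plant owns only RFC 1918 address space; all events are constructed.

```python
"""Baseline-and-deviation detection for a static OT segment.

Added example, not from Malcolm, Zeek or the CISA guide. It assumes a sensor
exporting events as (src, dst, service, function), where `function` is the
protocol operation when the sensor decoded one (Modbus function codes here)
and None otherwise. Baseline and live events are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Modbus public function codes that modify coils or registers.
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 23}

# Address space the plant owns (assumption: RFC 1918 only); anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Baseline:
    conversations: set[tuple[str, str, str]] = field(default_factory=set)
    functions: dict[str, set[int]] = field(default_factory=lambda: defaultdict(set))

    def learn(self, events) -> None:
        """Record every (src, dst, service) and each destination's function codes."""
        for src, dst, service, func in events:
            self.conversations.add((src, dst, service))
            if func is not None:
                self.functions[dst].add(func)


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(baseline: Baseline, events) -> list[tuple[str, tuple]]:
    """Return (alert_type, event) for each event that deviates from the baseline."""
    alerts = []
    for ev in events:
        src, dst, service, func = ev
        if is_external(src) or is_external(dst):
            alerts.append(("external_peer", ev))        # OT segment should have no internet path
            continue
        if (src, dst, service) not in baseline.conversations:
            alerts.append(("new_conversation", ev))     # host/service pairing never observed
            continue
        if func is not None and func not in baseline.functions.get(dst, set()):
            kind = "unexpected_write" if func in MODBUS_WRITE_FUNCTIONS else "unexpected_function"
            alerts.append((kind, ev))                   # known pair, unfamiliar operation
    return alerts


# Constructed baseline window: HMI and historian only ever read from the PLC.
BASELINE_EVENTS = [
    ("10.20.1.10", "10.20.2.5", "modbus", 3),
    ("10.20.1.10", "10.20.2.5", "modbus", 4),
    ("10.20.1.12", "10.20.2.5", "modbus", 3),
    ("10.20.1.10", "10.20.2.6", "s7comm", None),
]

# Constructed live traffic.
LIVE_EVENTS = [
    ("10.20.1.10", "10.20.2.5", "modbus", 3),      # routine read
    ("10.20.1.10", "10.20.2.5", "modbus", 16),     # HMI has never written registers before
    ("10.20.1.11", "10.20.2.5", "modbus", 3),      # host never seen talking to this PLC
    ("10.20.2.6", "203.0.113.9", "ssl", None),     # controller-side device reaching outside
    ("10.20.1.10", "10.20.2.6", "s7comm", None),   # routine
]

if __name__ == "__main__":
    baseline = Baseline()
    baseline.learn(BASELINE_EVENTS)
    for kind, ev in detect(baseline, LIVE_EVENTS):
        print(f"{kind:<17} {ev}")
```

Ordering matters: an external peer is reported before anything else because it is the rarest event in a segment that should have no internet path, and a new conversation is checked before function codes because a PLC's function baseline is only meaningful for hosts already known to talk to it. In a real deployment the baseline window must be long enough to cover maintenance cycles, or scheduled engineering writes will surface as unexpected_write.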
Why the timing matters: act before the adversary does
The regulatory environment is hardening rapidly. In the U.S., CISA’s Cross-Sector Cybersecurity Performance Goals 2.0 and TSA security directives are creating compliance expectations for critical infrastructure operators in energy, transportation, and manufacturing. In Europe, the NIS2 Directive imposes binding security obligations on operators of essential services, with IEC 62443 as the recognised technical standard for what “appropriate measures” means in OT contexts.
Cyber insurance is following. Insurers are increasingly requiring evidence of OT-specific security controls – asset inventories, network segmentation, access management – as conditions of coverage. Organisations that cannot demonstrate a baseline OT security programme will face higher premiums or exclusions.
The Dragos 2026 Year in Review documented that three new OT-focused threat groups emerged in 2025, established groups expanded globally, and ransomware caused significant operational disruptions across the sector. The VOLTZITE group – linked to Volt Typhoon – has already moved beyond reconnaissance into actively mapping control loops and understanding how to manipulate physical processes. The window for proactive action is narrowing.
The business case in plain terms
88% of organisations increased OT security spending by more than 10% in 2025 – most of it reactive, post-incident. Proactive Zero Trust implementation, starting with visibility and segmentation, costs significantly less than an operational shutdown, regulatory penalty, or insurance claim. And unlike reactive spending, it produces a measurable, auditable security posture that regulators and insurers can verify.
How DTS Solution helps you get there
The CISA guidance is clear that applying Zero Trust to OT requires “cross-disciplinary fluency” – people who understand both the security architecture and the operational constraints of industrial environments. IT security teams often lack OT context. OT engineering teams often lack cybersecurity depth. Bridging that gap is where engagements fail or succeed.
DTS Solution brings both. Our OT security practice is built around the specific realities of industrial environments: the constraints of legacy assets, the non-negotiability of uptime, the complexity of IT/OT convergence, and the compliance frameworks – IEC 62443, NIST SP 800-82, NIS2 – that are increasingly governing what “good” looks like.
We help organisations work through the Zero Trust journey in practical, phased terms:
- OT security assessments: establishing a complete asset inventory using passive discovery methods, with no disruption to live operations. This is the foundational step the CISA guidance identifies – and the step most organisations have not yet taken.
- Network segmentation design: architecting zones and conduits aligned to IEC 62443, creating defensible boundaries between safety systems, process control, operations, and IT without disrupting existing workflows.
- Identity and access architecture: separating OT and IT identity systems, enforcing MFA at jump host boundaries, and replacing persistent vendor VPN access with controlled, monitored, time-limited remote sessions.
- Continuous OT monitoring: deploying passive, protocol-aware monitoring at critical IT/OT junctions, with detection tuned to OT-specific threat behaviours including those documented in the MITRE ATT&CK for ICS framework.
- Compliance alignment: mapping your OT security programme to NIST SP 800-82 Rev. 3, IEC 62443, and relevant regulatory obligations, producing audit-ready evidence of your security posture.
The adversaries targeting OT environments are patient, well-resourced, and have already done their reconnaissance. The CISA guidance is a signal that the U.S. government considers this a national security priority. The question for operators is not whether to act, but how to begin.