Five federal agencies map zero trust to OT's legacy systems, safety constraints, and Volt Typhoon threat.
The US Cybersecurity and Infrastructure Security Agency (CISA) has asked owners and operators of operational technology to stop assuming their networks are safe, and has released joint guidance to adapt zero trust principles for industrial systems that support US power, water, transportation, building automation, and weapons-support infrastructure.
OT owners should design controls on the assumption that adversaries are already inside the network, and validate every access request based on identity, context, and risk rather than network location, CISA and four partner agencies wrote in a 28-page document titled Adapting Zero Trust Principles to Operational Technology.
The guide was developed with the Department of War, the Department of Energy, the FBI, and the Department of State, with technical contributions from the National Institute of Standards and Technology.
The agencies were direct about the threat driving the publication.
“CISA has observed threat actors like Volt Typhoon targeting OT systems to compromise, escalate, and maintain access within operational environments,” CISA Acting Executive Assistant Director for Cybersecurity Chris Butera said in a statement accompanying the release. “Zero Trust architecture is critical to preventing cyber incidents that could cause operators to lose visibility or control of essential systems.”
CISA, the FBI, and the National Security Agency first warned in February 2024 that the Chinese state-sponsored group was prepositioning on US IT networks to enable lateral movement to OT assets in the event of geopolitical conflict. The group has since resurfaced with renewed botnet activity exploiting end-of-life routers and exploited a Versa Director zero-day to harvest credentials from US ISPs.
Pete Luban, field CISO at cybersecurity firm AttackIQ, said the convergence of IT and OT was the structural reason the guidance was needed. “Systems that were once isolated are now increasingly connected to enterprise networks and third-party services, and attackers are taking full advantage,” Luban said. “Adversaries aren’t just looking for data to steal, but for the weak seams between business and operational systems that can be used to move laterally across networks.” In OT, a successful intrusion can escalate quickly from a cybersecurity issue to an operational, safety, and public trust issue, he added.
A reference architecture built for the plant floor
It is precisely those weak seams that the new guide tries to close. The document is structured around the six functions of NIST Cybersecurity Framework 2.0 — Govern, Identify, Protect, Detect, Respond, and Recover — and aligns with CISA’s Cross-Sector Cybersecurity Performance Goals 2.0, the DoD Zero Trust Reference Architecture v2.0, NIST SP 800-82r3, and the international ISA/IEC 62443 series.
But the agencies wrote that none of those frameworks could be applied to OT unmodified.
“The blanket application of traditional information technology (IT)-focused ZT capabilities to OT is neither reasonable nor feasible,” the document stated, calling instead for continuous collaboration between OT engineers, IT architects, and cybersecurity professionals.
The guidance directs operators to segment Active Directory used in OT into a “separate forest or domain, avoid direct trust relationships between IT and OT identity systems, and enforce multi-factor authentication at the jump host level” where the underlying device cannot support it. Privileged sessions should be vaulted, recorded, and time-bound, with just-in-time access used to restrict remote vendor connections to narrowly defined maintenance windows, the document advised.
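The identity and session controls above can be expressed as a single policy decision: who authenticated, where, through what path, and whether an approved window covers the request. The following is an added example written for this article, not code from the CISA guide or any product; the realm name `ot.example`, the asset and vendor names, the maintenance window, and the one-hour session cap are all constructed assumptions.

```python
"""Added example (not from the CISA guide or any product): a small policy
decision point for just-in-time vendor access to an OT asset. Realm names,
asset names and window times are assumptions constructed for this article."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

OT_REALM = "ot.example"   # assumed name of the separate OT AD forest/domain


def at(hour: int, minute: int = 0) -> datetime:
    """Clock helper: a fixed (constructed) day so results are reproducible."""
    return datetime(2025, 1, 15, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class MaintenanceWindow:
    asset: str
    vendor: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class AccessRequest:
    user: str
    realm: str              # identity realm that authenticated the user
    vendor: str
    asset: str
    via_jump_host: bool     # session terminates on the jump host
    mfa_at_jump_host: bool  # MFA completed there, on behalf of the device
    now: datetime


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    expires: Optional[datetime] = None   # hard session expiry; None when denied


SAMPLE_WINDOWS = [  # constructed approval: one vendor, one asset, 90 minutes
    MaintenanceWindow("plc-boiler-3", "acme-controls", at(22), at(23, 30)),
]


def evaluate(req: AccessRequest, windows: List[MaintenanceWindow],
             max_ttl: timedelta = timedelta(hours=1)) -> Decision:
    # Identity: accept only principals from the OT directory. A user who
    # authenticated against the enterprise forest is refused outright, which
    # is what "no direct trust between IT and OT identity systems" buys you.
    if req.realm != OT_REALM:
        return Decision(False, f"identity from non-OT realm '{req.realm}'")
    # Path: remote sessions must land on the jump host, where MFA is enforced
    # for devices that cannot do it themselves.
    if not req.via_jump_host:
        return Decision(False, "direct access bypasses the jump host")
    if not req.mfa_at_jump_host:
        return Decision(False, "MFA not completed at the jump host")
    # Time: the vendor needs an approved window for this asset that covers the
    # request. The session is bounded by the window or max_ttl, whichever
    # ends first, rather than living until someone remembers to revoke it.
    for w in windows:
        if (w.asset, w.vendor) == (req.asset, req.vendor) and w.start <= req.now < w.end:
            return Decision(True, "inside approved maintenance window",
                            expires=min(w.end, req.now + max_ttl))
    return Decision(False, "no approved maintenance window covers this request")
```

The checks are ordered so that the cheapest and most categorical refusals (wrong realm, wrong path) happen before any lookup of approvals, and the returned `expires` value is what a session broker would use to cut the connection and stop recording; vaulting and recording of the session itself are outside this snippet.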
On encryption, the document distinguished confidentiality from integrity. Integrity and authentication through digital signing are typically more critical than confidentiality in OT, the agencies wrote, and keeping communications in the clear means an expired certificate cannot halt operations. Encryption, on the other hand, can introduce latency that disrupts safety-critical systems.
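What "integrity without confidentiality" looks like on the wire is a frame that anyone can read but nobody can forge or replay. The following is an added example written for this article, not code from the CISA guide or any OT vendor; the header layout, the pre-shared key, the truncated-tag length and the `SET_POINT` payloads are constructed assumptions, and a real protocol would carry its own framing.

```python
"""Added example (not from the CISA guide or any OT vendor): an authenticated
but unencrypted control telegram. The wire layout, key and payloads are
constructed for this article; a real protocol would use its own framing."""
import hashlib
import hmac
import struct
from typing import Tuple, Union

KEY = b"constructed-demo-key-do-not-use"   # pre-shared key, an assumption
HEADER = struct.Struct("!IHH")             # seq (u32), unit id (u16), payload length (u16)
TAG_LEN = 16                               # HMAC-SHA256 truncated to 128 bits


def frame(seq: int, unit: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Build seq || unit || len || payload || tag. Nothing is encrypted:
    anyone on the wire can read the set point, but cannot alter or forge it."""
    hdr = HEADER.pack(seq, unit, len(payload))
    tag = hmac.new(key, hdr + payload, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + payload + tag


class Receiver:
    """Verifies origin and integrity and rejects replays; needs no certificate."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.last_seq = -1

    def accept(self, data: bytes) -> Tuple[bool, Union[Tuple[int, bytes], str]]:
        """Return (True, (unit, payload)) or (False, reason)."""
        if len(data) < HEADER.size + TAG_LEN:
            return False, "short frame"
        hdr, rest = data[:HEADER.size], data[HEADER.size:]
        seq, unit, length = HEADER.unpack(hdr)
        payload, tag = rest[:length], rest[length:]
        if len(payload) != length or len(tag) != TAG_LEN:
            return False, "length mismatch"
        expected = hmac.new(self.key, hdr + payload, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare, and check the MAC before touching any state,
        # so a forged frame cannot advance the sequence counter.
        if not hmac.compare_digest(tag, expected):
            return False, "MAC mismatch"
        if seq <= self.last_seq:
            return False, "replayed or out-of-order frame"
        self.last_seq = seq
        return True, (unit, payload)


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one bit at offset; used to show that a modified frame is rejected."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)
```

The payload stays readable by any sniffer, which is the trade the document describes: a monitoring tap or protocol parser still sees every set point, and the only cost per frame is one HMAC over a few dozen bytes. The caveat is that a pre-shared key sidesteps certificate expiry only by moving the problem to key distribution and rotation across every controller that holds the key.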
That kind of nuance is precisely why the model cannot be transplanted wholesale, said Nick Tausek, lead security automation architect at Swimlane. “OT teams cannot simply lift and shift an IT security model into environments where downtime, latency, and safety risks carry real-world consequences,” Tausek said. “Zero trust has to be implemented with precision, operational awareness, and automation that can enforce policy without creating more friction for the people keeping critical systems running.”
What it means for security teams
The publication closes a gap that CISA’s Zero Trust Maturity Model 2.0 acknowledged, having stated it did not address challenges specific to operational technology. It follows February’s Barriers to Secure OT Communications and earlier CISA warnings that exposed VPNs, firewalls, and legacy edge devices remain the dominant entry points for critical infrastructure attacks.
The document told operators that strategic procurement is how they escape the legacy trap, and pointed them to the Secure by Demand guide for contracting criteria and to CISA's open-source network traffic analysis tool, Malcolm, for OT protocol parsing.
Luban said the harder problem is verifying that any of these controls hold. Organizations need to test boundaries against real-world adversary tactics, he said, to identify “where trust is being assumed, where access is too broad, and where attackers may still be able to cross from enterprise environments into operational systems before those gaps are exposed in a real incident.” The tooling adopted to run those tests carries its own risk. Tausek said AI-driven security agents now sitting alongside OT environments have become high-value targets in their own right. “If an attacker can tamper with an agent, disable it, or use it as a trusted pathway, the tool meant to improve detection can become part of the problem,” he said.