OT and Zero Trust: First things first


The Zero Trust (ZT) working group, composed of the Cybersecurity and Infrastructure Security Agency (CISA), Department of Defense (DoD), Department of Energy (DOE), Department of State (DOS), and Federal Bureau of Investigation (FBI), recently released guidance on how to adapt ZT principles for Operational Technology (OT). This comes on the heels of the DoD’s guidance, released in late 2025, with both documents aiming to help OT system owners apply ZT principles to OT systems.

Zero Trust assumes breach, meaning system owners should assume an adversary is already in the environment, and ZT principles are designed to limit threat actor movement and contain potential damage. Applying traditional information technology (IT) ZT principles to OT systems, however, is aspirational at best, and widely considered impossible given the fundamental differences between traditional IT and OT. Even so, this new federal guidance aims to remedy this problem by providing a set of ZT principles specifically designed for OT systems.

Why this matters today

Cyber attacks on OT systems are not new, but they have been increasing. You may have seen that CISA recently urged critical infrastructure operators to “fortify their systems against disruptive cyberattacks,” due to increased geopolitical tensions.

It’s easy to see why international adversaries find OT an attractive target:

  • OT is typically legacy-by-design; OT systems are often 20 or more years in active service.

  • Modernizing OT is fantastically expensive; replacing one OT component often requires replacing many upstream and downstream components for compatibility.

  • OT and IT are converging; like it or not, we’re seeing OT creep into traditional IT networks, sometimes by design, sometimes by accident, creating pathways from the internet to the industrial floor.

  • Attacking OT is typically easier: traditional IT attackers usually have a goal of arbitrary code execution or user privilege escalation, often with stealth and persistence in mind. OT attackers, on the other hand, usually end up disabling the target with Denial of Service (DoS) effects with obvious real-world results.

  • Successful cyberattacks against OT have direct, kinetic consequences by disrupting utilities, damaging the environment, causing loss of life, and more.

These factors all combine to create a target environment that is often old, stationary, and fragile.

What can we do right now?

While, of course, we agree that Zero Trust as a design principle could go a long way to shore up OT defenses, and the guidance is definitely worth a read, the above reasons for “why OT is the way it is” are all fundamentally working against active change in OT buildouts. Any pivot in design among the Rockwells and Siemens (and all the other OT suppliers worldwide) will take years, if not decades, to become common in the field, which doesn’t do us a ton of good today for all of the existing OT infrastructure.

But, before we move on, the guidance includes one point we’d like to specifically mention. It basically says you can use active scanning, but immediately follows with a note about having deep awareness of your systems before attempting it. We really don’t want OT operators to use this as a reason not to conduct active scanning! There are safe scanning solutions, like runZero, which are proven to not negatively impact system performance (according to an evaluation conducted by the U.S. Department of Energy’s National Renewable Energy Laboratory).

So, circling back to what to do now. We'd recommend taking the first step first: get ahead of attackers by actually mapping out what your OT attack surface looks like from an attacker’s perspective. You may have heard that we just released runZero 4.9, which brings just a ton of OT-specific smarts to the table, as well as some really fun attack path mapping visualizations and insights. Give it a whirl in your test lab today for free, and you’ll see what we mean.

But even with our new capabilities, runZero can’t go it alone: as an industry, we need to get over this idea that OT is so fragile you literally cannot look at it without causing problems. Yes, of course, be careful, thoughtful, and precise, but with today’s threat landscape, the belief that OT is so incredibly fragile that you cannot take steps to protect your environment beyond air-gaps and segmentation isn’t based in reality. We’re taking steps to create and ship powerful capabilities that can actually help spot where bad guys are likely to turn their attention, so that you can instrument those points with surveillance and extra protections.

Written by Colin Dupreay

Colin is a Federal Solutions Engineer at runZero. With almost a decade of experience supporting Public Sector customers, Colin is passionate about protecting and securing our nation’s networks.


Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!. Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.
