
Zero-Trust in OT Environments: 90-Day Plan for CISO Communication

Bottom line: Zero-Trust in OT succeeds more reliably when framed as concrete functional principles rather than abstract architecture models, and when focused on measures at IT-OT interfaces such as jump hosts and remote access paths.

An operational technology specialist at a pipeline operator describes how CISOs can implement Zero-Trust architectures in operational technology environments and communicate them to the board. The approach combines regulatory requirements (TSA directives, NERC CIP-013) with practical steps in the convergence area between IT and OT.

Since the Colonial Pipeline ransomware attack in 2021, the operator industry has increasingly faced the question of Zero-Trust implementations. This is evident in audit requirements, TSA security directives, and project control objectives. Regulation demands binding positions: TSA Directive 2021-02C obligates pipeline operators to implement network segmentation and Zero-Trust architectures; NERC CIP-013 similarly governs supply chain security and vendor management.

The problem often lies in the formulation. While NIST SP 800-207 describes Zero-Trust as a model that bases access decisions on strong identity, policies, and context rather than network location, this appears too abstract in OT environments with 24/7 operations and legacy equipment. Regulators and executives hear “Zero-Trust: yes or no?”; the answer comes back as a standard “yes,” but no concrete measures follow until an incident occurs.

A reformulation helps: instead of discussing architecture models, security leaders should communicate Zero-Trust as a functional principle: “Every user and every system must prove who it is and why it needs access.” This aligns with NIST and CISA without unnecessary jargon and creates better acceptance among OT teams.

Critical are the convergence points between IT and OT: jump hosts, historian connections, remote access paths, and shared identity stores. At these bottlenecks, Zero-Trust controls such as stronger authentication, least-privilege access, and detailed logging can be introduced with minimal operational disruption. This leads to quick wins without dependency on legacy OT equipment.
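The functional principle above (“prove who it is and why it needs access”) can be turned into a checkable audit at a jump host. The following added example, not taken from the article or any vendor product, evaluates constructed jump-host session records against three controls named in the text: strong authentication (MFA), least-privilege access (role-scoped OT targets), and logging of an access reason. Field names, roles, hostnames, and the role-to-target map are assumptions for illustration.

```python
import re

# Constructed sample of jump-host session records (key=value per line).
# Field names and values are assumptions for this example, not a real log format.
SAMPLE_LOG = """\
ts=2026-06-26T08:01:10Z user=alice role=ot_engineer src=10.20.5.14 dst=historian-01 mfa=yes reason=CHG-1042
ts=2026-06-26T08:15:42Z user=bob role=it_admin src=10.20.5.20 dst=plc-gw-03 mfa=yes reason=CHG-1043
ts=2026-06-26T09:02:03Z user=carol role=vendor src=203.0.113.9 dst=historian-01 mfa=no reason=CHG-1050
ts=2026-06-26T09:30:55Z user=dave role=ot_engineer src=10.20.5.31 dst=plc-gw-03 mfa=yes reason=
"""

# Least-privilege map (assumed): which roles may reach which OT targets via the jump host.
ROLE_ALLOWED_TARGETS = {
    "ot_engineer": {"historian-01", "plc-gw-03"},
    "it_admin": {"historian-01"},   # IT admins maintain the historian, not PLC gateways
    "vendor": {"historian-01"},
}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_session(line):
    """Parse one key=value record into a dict; an empty value (reason=) parses as ''."""
    return dict(FIELD_RE.findall(line))


def evaluate_session(rec):
    """Return the list of Zero-Trust control gaps for one session record."""
    findings = []
    if rec.get("mfa") != "yes":
        findings.append("no_mfa")                         # identity not strongly proven
    allowed = ROLE_ALLOWED_TARGETS.get(rec.get("role"), set())
    if rec.get("dst") not in allowed:
        findings.append("target_not_allowed_for_role")    # least privilege violated
    if not rec.get("reason"):
        findings.append("missing_reason")                 # "why it needs access" not logged
    return findings


def audit(log_text):
    """Map each non-compliant session (timestamp, user) to its findings; clean sessions omitted."""
    results = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_session(line)
        gaps = evaluate_session(rec)
        if gaps:
            results[(rec["ts"], rec["user"])] = gaps
    return results
```

Each finding maps to one of the three controls, which makes the output straightforward to tie back to the regulatory requirement it supports when reporting upward.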

Decisive for upward communication: all measures should be explicitly linked to existing regulatory requirements. The question then shifts from “Why are we changing this?” to “How do we do this right?”, with each measure tied directly to TSA directives, CISA alerts, or NERC compliance.


Source: www.csoonline.com · Published June 26, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
