Bridging the gap by integrating zero trust strategies in IT and OT environments for enhanced cybersecurity


Integrating zero trust strategies across IT and OT (operational technology) environments calls for careful handling to overcome the cultural and operational silos that have traditionally separated these domains. Bringing the two domains under a single security posture is both important and challenging. It requires a thorough understanding of each domain so that cybersecurity policies can be applied cohesively without affecting critical operations. That understanding lets organizations adopt zero trust strategies that form a cohesive defense against cyber threats.

Compliance plays a significant role in shaping zero trust strategies within IT/OT environments. Regulatory requirements often dictate specific security measures, influencing how organizations implement zero trust principles. Adhering to these regulations ensures that security practices meet industry standards, but it can also complicate the integration process, especially when dealing with legacy systems and specialized protocols inherent in OT environments. Handling these technical challenges requires innovative solutions that can accommodate existing infrastructure while advancing security objectives.

In addition to ensuring compliance, regulation will shape the pace and scale of zero trust adoption. In IT and OT environments alike, organizations must balance regulatory requirements with the desire for flexible, scalable solutions that can keep pace with changes in threats. That balance is integral to controlling the cost of implementation across IT and OT environments. Despite these costs, the long-term value of a robust security framework is greater, as it offers improved organizational protection and operational resilience.

Above all, a well-structured zero trust strategy that bridges the gap between IT and OT results in better security because it accounts for regulatory expectations and cost considerations. Addressing the challenges identified here makes it possible for organizations to achieve safer, compliant, and more efficient operations.

Unifying IT-OT for zero trust and security policy alignment

Industrial Cyber consulted industrial cybersecurity experts to examine how cultural and operational silos between IT and OT teams affect zero trust strategy adoption. They also highlight common organizational obstacles in harmonizing security policies across these environments.

Traditionally, IT and OT environments have been separate systems with different processes, technologies, and people that operate them, Imran Umar, a cyber leader spearheading Booz Allen Hamilton’s zero trust initiatives, told Industrial Cyber. “In addition, IT has the tendency to change quickly, but the opposite is true for OT systems, which have longer life cycles.”

Umar observed that with the convergence of IT and OT, the increase in sophisticated attacks, and the desire to move toward a zero trust architecture, these silos have to be overcome. 

“The most common organizational obstacle is that of cultural change and reluctance to shift to this new mindset,” Umar added. “For example, IT and OT are different and require different training and skill sets. This is often overlooked inside of organizations. From an operations standpoint, organizations need to address common challenges in OT threat detection. Today, few OT systems have advanced cybersecurity monitoring in place. Zero trust, meanwhile, prioritizes continuous monitoring. Fortunately, organizations can address cultural and operational challenges step by step.”

Richard Springer, director of OT solutions marketing at Fortinet, told Industrial Cyber that culturally, there are wide chasms between experienced zero-trust practitioners in IT and OT operators that work on a default principle of implied trust. “Harmonizing security policies can be difficult if inherent priority conflicts exist, such as IT business continuity versus OT personnel and production safety. Resetting priorities to reach common ground and mitigating cyber risk and limiting production risk can be achieved by applying zero trust in OT networks by limiting personnel, applications, and communications to vital production networks.”

Zero trust is an IT agenda, but most legacy OT environments with strong maturity arguably originated the concept, Sandeep Lota, global field CTO at Nozomi Networks, told Industrial Cyber. “These networks have historically been segmented from the rest of the world and isolated from other networks and shared services. They truly didn’t trust anyone.”

Lota mentioned that only recently when IT began pushing the ‘trust us with Zero Trust’ agenda did the reality and scariness of what convergence and digital transformation had wrought become apparent. “OT is being asked to break their ‘trust no one’ rule to trust a team that represents the threat vector of most OT breaches. On the plus side, network and asset visibility have long been ignored in industrial settings, even though they are foundational to any cybersecurity program.” 

With zero trust, Lota explained that there’s no choice. “You must understand your environment, including traffic patterns before you can implement policy decisions and enforcement points. Once OT operators see what’s on their network, including inefficient processes that have built up over time, they start to appreciate their IT counterparts and their network knowledge.”

Roman Arutyunov, co-founder and senior vice president of products at Xage Security, told Industrial Cyber that cultural and operational silos between IT and OT teams create significant barriers to zero trust adoption. “IT teams prioritize data and system protection, while OT focuses on maintaining availability, safety, and longevity, leading to different security approaches. Bridging this gap requires fostering cross-functional collaboration and finding shared goals.” 

For instance, he added that OT teams will accept that zero trust strategies could help overcome the significant risk that cyberattacks pose, like halting operations and causing safety issues, but IT teams also need to show an understanding of OT priorities by presenting solutions that aren’t in conflict with operational KPIs, like requiring cloud connectivity or constant upgrades and patches.

Evaluating compliance impact on zero trust in IT/OT

The executives assess how compliance mandates and industry-specific regulations influence the implementation of zero trust principles across IT and OT environments. 

Umar said that compliance and industry regulations have accelerated the adoption of zero trust by providing increased awareness and better collaboration between the public and private sectors. “For example, the DoD CIO has called for all DoD organizations to implement Target Level ZT activities by FY27. Both CISA and DoD CIO have put out extensive guidance on Zero Trust architectures and use cases. This guidance is further supported by the 2022 NDAA which calls for strengthening DoD cybersecurity through the development of a zero-trust strategy.” 

In addition, he noted that “the Australian Signals Directorate’s Australian Cyber Security Centre, in cooperation with the U.S. government and other international partners, recently published principles for OT cybersecurity to help business leaders make smart decisions when designing, implementing, and managing OT environments.”

Springer identified that in-house or compliance-driven zero-trust policies will need to be modified to be applicable, measurable, and effective in OT networks.

“In the U.S., the DoD Zero Trust Strategy (for defense and intelligence agencies) and Zero Trust Maturity Model (for executive branch agencies) mandate Zero Trust adoption across the federal government, but both documents focus on IT environments, with only a nod to OT and IoT security,” Lota remarked. “If there’s any doubt that Zero Trust for industrial environments is different, the National Cybersecurity Center of Excellence (NCCoE) recently settled the question. Its much-anticipated companion to NIST SP 800-207 ‘Zero Trust Architecture,’ NIST SP 1800-35 ‘Implementing a Zero Trust Architecture’ (now in its fourth draft), excludes OT and ICS from the paper’s scope. The introduction clearly states, ‘Application of ZTA principles to these environments would be part of a separate project.’”

As of yet, Lota highlighted that no regulations around the world, including industry-specific regulations, explicitly mandate the adoption of zero trust principles for OT, industrial, or critical infrastructure environments, but alignment is already there. “Many directives, standards and frameworks increasingly emphasize proactive security measures and risk mitigations, which align well with Zero Trust.” 

He added that the recent ISAGCA whitepaper on zero trust for industrial cybersecurity environments does a fantastic job of illustrating how Zero Trust and the widely adopted IEC 62443 standards go hand in hand, especially regarding the use of zones and conduits for segmentation.

“Compliance mandates and industry regulations often drive security advancements in both IT and OT,” according to Arutyunov. “While these requirements may initially seem restrictive, they encourage organizations to adopt Zero Trust principles, especially as regulations evolve to address the cybersecurity convergence of IT and OT. Implementing Zero Trust helps organizations meet compliance goals by ensuring continuous verification and strict access controls, and identity-enabled logging, which align well with regulatory demands.”

Exploring regulatory influence on zero trust adoption 

The executives look into the role government regulations and industry standards play in promoting the adoption of zero trust principles to counter nation-state cyber threats. 

“Modifications are necessary in OT networks where OT devices may be more than 20 years old and have little to no security features,” Springer said. “Device zero-trust capabilities may not exist, but personnel and application of zero trust principles can still be applied.”

Lota noted that nation-state cyber threats require the kind of stringent cyber defenses that zero trust provides, whether the government or industry standards specifically promote their adoption. “Nation-state actors are highly skilled and use ever-evolving techniques that can evade traditional security measures. For example, they may establish persistence for long-term espionage or to learn your environment and cause disruption. The threat of physical damage and possible harm to the environment or loss of life underscores the importance of resilience and recovery.”

He pointed out that zero trust is an effective counter-strategy, but the most important aspect of any nation-state cyber defense is integrated threat intelligence. “You want a variety of sensors continuously monitoring your environment that can detect the most sophisticated threats based on a live threat intelligence feed.”

Arutyunov mentioned that government regulations and industry standards are pivotal in advancing zero trust, especially given the rise of nation-state cyber threats targeting critical infrastructure. “Regulations often mandate stronger controls, encouraging organizations to adopt Zero Trust as a proactive, resilient defense model. As more regulatory bodies recognize the unique security requirements for OT systems, Zero Trust can provide a framework that aligns with these standards, enhancing national security and resilience.”

Tackling IT/OT integration challenges with legacy systems and protocols

The executives examine technical hurdles organizations face when implementing zero trust strategies across IT/OT environments, especially considering legacy systems and specialized protocols.

Umar said that with the convergence of IT/OT systems, modern Zero Trust technologies such as ZTNA (Zero Trust Network Access) that implement conditional access have seen accelerated adoption. “However, organizations need to carefully look at their legacy systems such as programmable logic controllers (PLCs) to see how they would integrate into a zero trust environment. For reasons such as this, asset owners should take a common sense approach to implementing zero trust on OT networks.” 

“Agencies should conduct a comprehensive zero trust assessment of IT and OT systems and develop tailored blueprints for implementation fitting their organizational needs,” he added.

In addition, Umar mentioned that organizations need to overcome technical hurdles to improve OT threat detection. “For instance, legacy equipment and vendor restrictions limit endpoint tool coverage. In addition, OT environments are so sensitive that many tools need to be passive to avoid the risk of accidentally causing disruptions. With a thoughtful, common-sense approach, organizations can work through these challenges.”

Simplified personnel access and proper multi-factor authentication (MFA) can go a long way to raise the common denominator of security in previously air-gapped and implied-trust OT environments, according to Springer. “These basic steps are necessary either by regulation or as part of a corporate security policy. Nobody should be waiting to establish an MFA.”

He added that once basic zero-trust solutions are in place, more focus can be placed on mitigating the risk associated with legacy OT devices and OT-specific protocol network traffic and applications.

“Owing to widespread cloud migration, on the IT side Zero Trust strategies have moved to identity management. That’s not practical in industrial environments where cloud adoption still lags and where devices, including critical devices, don’t always have a user,” Lota evaluated. “Endpoint security agents purpose-built for OT devices are also under-deployed, even though they’re safe and have reached maturity.”

Moreover, Lota said that because patching is infrequent or unavailable, OT devices don’t always have healthy security postures. “The upshot is that segmentation remains the most practical compensating control. It’s largely based on the Purdue Model, which is a whole other conversation when it comes to zero trust segmentation.”

Regarding specialized protocols, Lota said that many OT and IoT protocols don’t have embedded authentication and authorization, and if they do it’s very basic. “Worse still, we know operators often log in with shared accounts.”

“Technical challenges in implementing Zero Trust across IT/OT include integrating legacy systems that lack modern security capabilities and managing specialized OT protocols that aren’t compatible with Zero Trust,” according to Arutyunov. “These systems often lack authentication mechanisms, complicating access control efforts. Overcoming these issues requires an overlay approach that builds an identity for the assets and enforces granular access controls using a proxy, filtering capabilities, and when possible account/credential management. This approach delivers Zero Trust without requiring any asset changes.”
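As an added illustration (not code from the article or from any vendor quoted in it), the Python sketch below shows how an identity overlay of the kind Arutyunov describes can make access decisions for legacy assets that have no authentication of their own: each asset is given an identity and a zone, conduits between zones (in the IEC 62443 sense mentioned earlier) list the protocols they permit and the user assurance they require, the shared accounts Lota warns about are refused, and every decision is logged against a named identity. Asset names, zones, protocol labels and the two-level assurance scale are constructed for the example.

```python
from dataclasses import dataclass

# Constructed asset identity registry: each legacy device or workstation
# gets an identity and a zone even though the device itself cannot authenticate.
ASSETS = {
    "plc-01":    {"zone": "cell-A"},
    "eng-ws-07": {"zone": "dmz-engineering"},
    "hist-01":   {"zone": "site-it"},
}

# Constructed conduit policy: (source zone, destination zone) -> what is permitted.
# Anything not listed here is denied; there is no implied trust between zones.
CONDUITS = {
    ("dmz-engineering", "cell-A"): {"protocols": {"modbus-read", "modbus-write"},
                                    "min_assurance": 2},   # writes need MFA
    ("site-it", "cell-A"):         {"protocols": {"modbus-read"},
                                    "min_assurance": 1},   # read-only, password ok
}

# Shared operator logins give no individual accountability, so the overlay rejects them.
SHARED_ACCOUNTS = {"operator", "admin"}


@dataclass
class Request:
    user: str        # individual identity presented to the proxy
    mfa: bool        # whether the session completed multi-factor authentication
    src_asset: str
    dst_asset: str
    protocol: str


@dataclass
class Decision:
    allow: bool
    reason: str
    log: dict        # identity-enabled record for monitoring and alert tuning


def evaluate(req: Request) -> Decision:
    """Policy decision point for the proxy in front of a legacy OT asset."""
    log = {"user": req.user, "src": req.src_asset, "dst": req.dst_asset,
           "protocol": req.protocol, "mfa": req.mfa}
    src, dst = ASSETS.get(req.src_asset), ASSETS.get(req.dst_asset)
    if src is None or dst is None:
        return Decision(False, "unknown asset identity", log)
    if req.user in SHARED_ACCOUNTS:
        return Decision(False, "shared account not permitted", log)
    conduit = CONDUITS.get((src["zone"], dst["zone"]))
    if conduit is None:
        return Decision(False, f"no conduit {src['zone']}->{dst['zone']}", log)
    if req.protocol not in conduit["protocols"]:
        return Decision(False, "protocol not allowed on conduit", log)
    assurance = 2 if req.mfa else 1   # constructed assurance scale
    if assurance < conduit["min_assurance"]:
        return Decision(False, "MFA required for this conduit", log)
    return Decision(True, "allowed", log)


def evaluate_all(requests: list[Request]) -> list[dict]:
    """Batch evaluation that returns the identity-enabled log entries with decisions attached."""
    out = []
    for r in requests:
        d = evaluate(r)
        out.append({**d.log, "allow": d.allow, "reason": d.reason})
    return out
```

The same log records feed the alert tuning Lota mentions later: a burst of "no conduit" denials from one source asset is a policy gap or a compromised host, while repeated "shared account" denials point at an operational habit to retire.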

Balancing zero trust costs in IT and OT environments 

The executives discuss the cost-related challenges organizations face when implementing zero trust strategies across IT and OT environments. They also examine how businesses can balance investments in zero trust with other essential cybersecurity priorities in industrial settings.

“Zero Trust is a security framework and an architecture and when implemented correctly, will reduce overall cost,” according to Umar. “For example, by implementing a modern ZTNA capability, you can reduce complexity, deprecate legacy systems, and secure and improve end-user experience. Agencies need to look at existing tools and capabilities across all the ZT pillars and determine which tools can be repurposed or sunset.” 

Adding that zero trust can enable more stable cybersecurity investments, Umar noted that rather than spending more year after year to sustain outdated approaches, organizations can create consistent, aligned, effectively resourced zero trust capabilities for advanced cybersecurity operations.

Springer remarked that adding security comes with costs, but there are exponentially more costs associated with being hacked, ransomed, or having production or utility services interrupted or stopped.

“Parallel security solutions like implementing a proper next-generation firewall with an OT-protocol based OT security service, along with proper segmentation has a dramatic immediate impact on OT network security while instituting zero trust in OT,” according to Springer. “Because legacy OT devices are often the weakest links in zero-trust implementation, additional compensating controls such as micro-segmentation, virtual patching or shielding, and even deception, can greatly mitigate OT device risk and buy time while these devices are waiting to be patched against known vulnerabilities.”

Strategically, he added that owners should be looking into OT security platforms where vendors have integrated solutions across a single consolidated platform that can also support third-party integrations. Organizations should consider their long-term OT security operations plan as the culmination of zero trust, segmentation, OT device compensating controls, and a platform approach to OT security.

“Scaling Zero Trust across IT and OT environments isn’t practical, even if your IT zero trust implementation is already well underway,” according to Lota. “You can do it in tandem or, more likely, OT can lag, but as NCCoE makes clear, it’s going to be two separate projects. Yes, CISOs may now be responsible for lowering enterprise risk across all environments, but the tactics are going to be very different, as are the budgets.”

He added that OT environment costs should be considered separately, and that they depend heavily on the starting point. Hopefully, by now, industrial organizations have an automated asset inventory and continuous network monitoring that gives them visibility into their environment. If they’re already aligned with IEC 62443, the cost will be incremental for things like adding more sensors such as endpoint and wireless to protect more parts of their network, adding a live threat intelligence feed, and so on.

“More so than technology costs, Zero Trust requires dedicated resources, either internal or external, to carefully craft your policies, design your segmentation, and fine-tune your alerts to ensure you’re not going to block legitimate communications or stop essential processes,” according to Lota. “Otherwise, the number of alerts generated by a ‘never trust, always verify’ security model will crush your operators.”

Lota cautioned that “you don’t have to (and probably can’t) take on Zero Trust all at once. Do a crown jewels analysis to decide what you most need to protect, start there and roll out incrementally, across plants. We have energy companies and airlines working towards implementing Zero Trust on their OT networks. As for competing with other priorities, Zero Trust isn’t an overlay, it’s an all-encompassing approach to cybersecurity that will likely pull your critical priorities into sharp focus and drive your investment decisions going forward,” he added.

Arutyunov said that one major cost challenge in scaling zero trust across IT and OT environments is the inability of traditional IT tools to scale effectively to OT environments, often resulting in redundant tools and higher expenses. Organizations should prioritize solutions that can first address OT use cases while extending into IT, which typically presents fewer complexities. 

Additionally, Arutyunov noted that adopting a platform approach can be more cost-effective and easier to deploy compared to point solutions that deliver only a subset of zero trust capabilities in specific environments. “By converging IT and OT tooling on a unified platform, businesses can streamline security management, reduce redundancy, and simplify Zero Trust implementation across the enterprise,” he concluded.