Federal Zero Trust Guide Puts OT Security Under IT Scrutiny

The Cybersecurity and Infrastructure Security Agency (CISA), the Department of War, the Department of Energy, the FBI and the Department of State released a joint guide April 29 to help organizations apply zero trust principles to operational technology environments.

The guide, "Adapting Zero Trust Principles to Operational Technology," is aimed at OT owners and operators, government systems and zero trust practitioners. CISA said OT systems are becoming more interconnected, digitally monitored and remotely operated, increasing attack surfaces and cyber risk.

Physical Systems Change the Security Equation

The guidance focuses on comprehensive asset visibility, secure supply chains, robust identity and access controls, zones and conduits, and supply chain risk. It also stresses that zero trust must be applied carefully in OT environments because security changes can affect physical processes and mission-critical operations.

"CISA has observed threat actors like Volt Typhoon targeting OT systems to compromise, escalate, and maintain access within operational environments," said CISA Acting Executive Assistant Director for Cybersecurity Chris Butera.

The DoW-hosted OT zero trust guidance says standard IT security approaches can be ineffective and potentially dangerous in OT environments because of legacy infrastructure, operational constraints, safety requirements and specialized industrial systems.

The takeaway for infrastructure and security teams is straightforward: zero trust controls are extending into OT, but implementation must account for uptime, safety, identity, asset visibility and supply chain exposure.

About the Author

David Ramel is an editor and writer at Converge 360.
