Adapting Zero Trust Principles

The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the Department of War, Department of Energy, Federal Bureau of Investigation, and Department of State, released this Joint Guidance for organizations applying zero trust (ZT) principles to operational technology (OT). Zero trust is a modern, adaptive approach to cybersecurity that eliminates implicit trust and requires continuously validating access based on identity, context, and risk.

This Joint Guidance provides system owners, operators, and security personnel with considerations for applying ZT principles to OT systems and environments. It addresses the unique challenges of transitioning to a ZT architecture within OT, considering technology gaps from legacy infrastructure, operational constraints, and the safety requirements that come from the critical link between cybersecurity and physical processes.

Key focus areas include establishing comprehensive asset visibility, proactively addressing supply chain risks, and implementing robust identity and access management. The guidance emphasizes layered security controls—encompassing network segmentation, secure communication protocols, and vulnerability management—alongside a fundamental shift in security philosophy that assumes a breach has occurred and prioritizes uninterrupted operations, safety, and reliability. The guidance aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 functions of Govern, Identify, Protect, Detect, Respond, and Recover.

Successful implementation requires a holistic approach, adaptation of ZT principles to the specific characteristics of each OT environment, and strong collaboration between IT, OT, and cybersecurity teams. By applying ZT to OT, organizations can significantly enhance the security and resilience of their OT environments, from industrial control systems to facility automation, helping ensure a more secure and reliable future for both critical infrastructure and mission operations.