Federal cyber and national security agencies on Tuesday released a joint guide aimed at helping operators of operational technology apply Zero Trust security concepts without disrupting critical processes.
CISA, working with the Department of War, Department of Energy, FBI and the State Department, said the resource is designed for organizations that run industrial control systems and other OT, including in government environments. The publication, Adapting Zero Trust Principles to Operational Technology, lays out practical steps for integrating Zero Trust amid the realities of legacy equipment, safety requirements and continuous operations. It highlights priorities such as defining zones and conduits on industrial networks, addressing supply chain risks, and strengthening identity and access management.
“CISA has observed threat actors like Volt Typhoon targeting OT systems to compromise, escalate, and maintain access within operational environments. Zero Trust architecture is critical to preventing cyber incidents that could cause operators to lose visibility or control of essential systems,” said CISA Acting Executive Assistant Director for Cybersecurity Chris Butera. “This guide equips organizations to methodically navigate the complexities of adopting Zero Trust principles in OT environments. Together with our partners, CISA urges OT owners, operators, and integrators to use this resource to make informed decisions that reduce exposure and strengthen resilience—without jeopardizing mission-critical operations.”
The guide arrives as industrial networks become more connected, remotely managed and digitally monitored, trends that increase pathways for intrusions from IT into OT and expand the potential impact on physical systems.
“The Department of War is driving Zero Trust for operational technology at an accelerated pace,” said the Honorable Kirsten A. Davies, DoW Chief Information Officer. “In lockstep with our federal and industry partners, we are fortifying the infrastructure and interconnected weapon systems our Warfighters demand to fight and win. This is how we deliver peace through technical strength.”
“Operational technology underpins the systems Americans rely on every day, and adversaries know it,” said FBI Cyber Division Assistant Director Brett Leatherman. “Nation-state actors are pre-positioning on these networks because OT controls critical physical processes, and because these environments often lack the visibility to detect them early. This guide moves owners and operators from reactive to proactive. Resilience in OT isn’t achieved through any single control; it requires layered defenses that raise the cost for adversaries at every stage. Alongside our partners, we’re putting practical steps in the hands of the people who need them most.”
“Operational technology sits at the intersection of cybersecurity and physical consequence. That reality demands dedicated attention. In line with this joint guide, the State Department prioritizes sustained collaboration to establish shared discipline and systematically address concerns raised by OT engineers, network architects, and cybersecurity professionals,” said Gharun S. Lacy, Deputy Assistant Secretary for Cyber and Technology Security at the U.S. Department of State’s Diplomatic Security Service. “These integrated efforts combine multiple skillsets and put personnel onsite to safeguard critical infrastructure across U.S. missions worldwide.”
The agencies said the document is intended to move operators from ad hoc defenses to structured, layered protections that reduce the blast radius of attacks while preserving safety and uptime. The guide is available on CISA’s website.






