FBI and CISA release Zero Trust guide for OT environments
The FBI, CISA, the Department of Energy, the Department of State, and the Department of War have released new joint guidance to help organizations apply Zero Trust principles to operational technology environments. The guide focuses on industrial systems, critical infrastructure, facility automation, and other physical systems where downtime can create safety and reliability risks.
The document, titled Adapting Zero Trust Principles to Operational Technology, urges OT owners and operators to move away from implicit trust. Instead, organizations should continuously validate users, devices, access, and activity based on identity, context, and risk.
The guidance matters because OT networks are no longer as isolated as they once were. Industrial systems now connect to enterprise IT networks, remote monitoring tools, cloud services, vendors, and digital control systems. That wider connectivity creates more entry points for attackers.
Federal agencies want OT teams to assume breach
The guide says Zero Trust can help limit attacker movement and reduce damage when a breach occurs. In OT, this approach must support the main mission: keeping physical processes safe, reliable, and available.
The agencies make one point clear. OT teams cannot simply copy IT-focused Zero Trust controls and place them inside a plant, substation, factory, or transportation system. Legacy devices, safety controls, limited patch windows, and uptime requirements change how security controls must work.
That is why the guide frames Zero Trust as a careful, risk-informed program. It calls for collaboration between OT engineers, IT architects, security teams, procurement teams, and system owners.
At a glance
| Item | Details |
|---|---|
| Guide name | Adapting Zero Trust Principles to Operational Technology |
| Publication date | April 29, 2026 |
| Authoring agencies | CISA, Department of War, Department of Energy, FBI, and Department of State |
| Main audience | OT owners, operators, security teams, and Zero Trust practitioners |
| Main goal | Apply Zero Trust to OT without disrupting safety, uptime, or reliability |
| Framework alignment | NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, and Recover |
What Zero Trust means for OT systems
Zero Trust removes the idea that anything inside a network should automatically be trusted. Every user, device, service, and connection must prove that it should access a resource.
In operational technology, this becomes more complex. OT systems include industrial control systems, building automation systems, transportation systems, physical access systems, and sensors that interact with the physical environment.
A mistake in IT can take down an app or expose data. A mistake in OT can affect equipment, plant safety, water systems, energy operations, production lines, or transportation services. That makes planning more important than speed.
Key priorities in the guide
- Asset visibility: Build and maintain a clear inventory of OT devices, software, network paths, and dependencies.
- Identity and access control: Validate users, service accounts, vendors, and machine identities before granting access.
- Least privilege: Give people and systems only the access they need for their specific role.
- Network segmentation: Divide OT environments into controlled zones to reduce lateral movement.
- Secure communications: Protect remote access and data flows between IT, OT, vendors, and cloud systems.
- Vulnerability management: Manage weaknesses without creating unsafe disruption to industrial processes.
- Supply chain risk management: Review vendor software, update paths, SBOMs, and third-party access.
- Continuous monitoring: Use OT-aware detection to identify abnormal behavior before physical processes suffer.
The guide also stresses the need for layered defenses. Segmentation, access controls, monitoring, incident response, backup planning, and vendor governance all need to work together.
This approach helps reduce the blast radius when attackers compromise one account, one vendor connection, or one workstation.
Why OT needs a different Zero Trust plan
Many OT devices run for decades. Some use older operating systems, proprietary protocols, or equipment that cannot handle standard security agents. Others cannot be scanned aggressively because testing could interrupt production or safety systems.
The guide also points to limited logging as a challenge. Many OT environments do not collect the same level of endpoint, application, and network data that IT teams expect. That makes threat detection and forensic analysis harder.
Because of these limits, agencies recommend compensating controls where traditional Zero Trust mechanisms could disrupt operations. Examples include stronger segmentation, out-of-band anomaly detection, strict remote access controls, and carefully planned exception handling.
Threat actors are increasing pressure on OT networks
The guidance links the Zero Trust push to a changing threat landscape. Agencies warn that OT systems are becoming more interconnected, digitally monitored, and remotely operated, which expands the attack surface.
The document also points to risks from compromised vendor software, insecure remote access, shared IT and OT credentials, and living-off-the-land techniques. These methods can help attackers move quietly before they reach industrial systems.
The agencies mention threat activity such as Volt Typhoon and past OT-focused malware families, including CrashOverride, Havex, BlackEnergy, Trisis, and Incontroller. These examples show why defenders need controls that limit movement after an initial compromise.
How the guide maps to NIST CSF 2.0
| NIST CSF function | What it means for OT Zero Trust |
|---|---|
| Govern | Define ownership, risk tolerance, vendor rules, safety requirements, and decision-making authority. |
| Identify | Inventory assets, map data flows, understand dependencies, and identify high-impact processes. |
| Protect | Use least privilege, segmentation, secure remote access, and stronger identity controls. |
| Detect | Monitor OT-specific protocols, unusual device behavior, account misuse, and process anomalies. |
| Respond | Create incident playbooks that balance cyber containment with safe physical operations. |
| Recover | Maintain tested backups, engineering logic, software licenses, and restoration procedures. |
This structure helps organizations turn Zero Trust from a broad security idea into practical OT actions. It also gives operators a way to prioritize improvements instead of trying to modernize everything at once.
The Recover function deserves special attention in OT. Restoring an industrial process may require engineering software, device configurations, application logic, licenses, and tested backup files.
What critical infrastructure operators should do now
Operators should start with visibility. Teams need to know which devices exist, which vendors can access them, which accounts hold privileges, and which systems support critical physical processes.
Next, teams should review remote access. Vendor connections, shared accounts, and unmanaged remote tools often create high-risk paths into OT environments.
Finally, organizations should bring OT engineers into every Zero Trust planning decision. Security controls that look strong on paper can create safety problems if they interrupt process control, monitoring, or emergency operations.
Practical first steps
- Create an OT asset inventory that includes devices, software, firmware, vendors, and network connections.
- Separate critical OT zones from enterprise IT networks with strict communication rules.
- Review all remote access paths used by employees, contractors, vendors, and managed service providers.
- Apply multi-factor authentication where the environment can support it safely.
- Replace shared accounts with named accounts where possible.
- Limit privileged access through just-in-time or just-enough-access models.
- Collect OT-specific logs, engineering workstation activity, and process data.
- Test incident response plans with operations staff before a real crisis occurs.
- Keep backups of configurations, engineering logic, and critical application software.
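The steps above describe how an access decision should look once shared accounts, segmentation, MFA and just-in-time approval are in place. The following is an added illustration, not code from the guide or any agency: a minimal policy check that an OT remote-access broker could apply per session. The zone names, the `ALLOWED_PATHS` table, the `Asset`/`Request` fields and the sample assets are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed zone model (assumption, not from the guide): enterprise IT,
# a DMZ holding the jump host, and the OT control zone. A session may only
# cross zones along these paths; every other path is denied by default.
ALLOWED_PATHS = {("it", "dmz"), ("dmz", "ot"), ("ot", "ot")}

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    supports_mfa: bool  # legacy controllers often cannot: compensate, do not skip

@dataclass(frozen=True)
class Request:
    account: str
    shared_account: bool        # generic "operator"-style logins
    mfa_verified: bool          # verified at the broker, never at the device
    src_zone: str
    action: str                 # "read" (monitoring) or "write" (logic, setpoints)
    jit_approved: bool = False  # time-boxed approval for privileged changes

def decide(req: Request, asset: Asset) -> Tuple[bool, str]:
    """Evaluate one access request against one OT asset; returns (allowed, reason).
    Every rule is checked on every request so trust is never carried over."""
    if req.shared_account:
        return False, "shared account rejected: use a named account"
    if (req.src_zone, asset.zone) not in ALLOWED_PATHS:
        return False, f"segmentation: {req.src_zone}->{asset.zone} is not an allowed path"
    if not req.mfa_verified:
        return False, "identity not verified with MFA at the broker"
    if not asset.supports_mfa and req.src_zone != "dmz":
        # Compensating control: a device that cannot enforce anything itself
        # is reachable only through the monitored DMZ jump host.
        return False, "legacy asset: access only via the DMZ jump host"
    if req.action == "write" and not req.jit_approved:
        return False, "privileged write needs just-in-time approval"
    return True, f"{req.account} may {req.action} {asset.name}"

# Constructed sample assets used by the checks below.
LEGACY_PLC = Asset("plc-07", "ot", supports_mfa=False)
HMI = Asset("hmi-02", "ot", supports_mfa=True)

if __name__ == "__main__":
    vendor = Request("vendor-acme-01", False, True, "dmz", "write", jit_approved=True)
    print(decide(vendor, LEGACY_PLC))  # (True, 'vendor-acme-01 may write plc-07')
```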
The guide does not treat Zero Trust as a quick project. It presents it as a staged security shift that must fit each OT environment’s physical, technical, and operational realities.
For critical infrastructure operators, that staged approach may prove more useful than a large security redesign. It lets teams reduce risk while keeping essential systems running.
FAQ
The FBI, CISA, and partner agencies released joint guidance called Adapting Zero Trust Principles to Operational Technology. It explains how organizations can apply Zero Trust principles to OT environments.
OT owners, operators, plant managers, security teams, IT architects, procurement teams, and Zero Trust practitioners should read it.
Zero Trust can limit attacker movement after a breach. In OT, this helps protect physical processes, safety systems, industrial equipment, and critical infrastructure operations.
Not always. OT teams must adapt controls to account for legacy equipment, uptime requirements, safety risks, limited logging, and physical process constraints.