WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), along with the Department of War (DoW), Department of Energy (DOE), Federal Bureau of Investigation (FBI) and Department of State (DOS), today published a joint guide to help organizations that run operational technology (OT) systems, including government systems, apply Zero Trust principles. The guide, Adapting Zero Trust Principles to Operational Technology, provides OT owners and operators and Zero Trust practitioners with practical insights on overcoming the unique constraints of OT, addressing potential challenges, and prioritizing key areas for integrating Zero Trust into OT environments.
Because OT systems are increasingly interconnected, digitally monitored, and remotely operated, they face new attack vectors, an expanded attack surface, and magnified cybersecurity risk. Improperly secured pathways create opportunities for threat actors to gain access to information technology (IT) and OT networks. Adapting Zero Trust principles to fit the operational realities of the OT environment can help owners and operators close cyber risk gaps, but it must be done carefully so that the controls themselves do not disrupt the systems they are meant to protect. Zero Trust strategies can help prevent adversaries from compromising, manipulating, degrading, and disrupting the critical physical processes these systems control.
“CISA has observed threat actors like Volt Typhoon targeting OT systems to compromise, escalate, and maintain access within operational environments. Zero Trust architecture is critical to preventing cyber incidents that could cause operators to lose visibility or control of essential systems,” said CISA Acting Executive Assistant Director for Cybersecurity Chris Butera. “This guide equips organizations to methodically navigate the complexities of adopting Zero Trust principles in OT environments. Together with our partners, CISA urges OT owners, operators, and integrators to use this resource to make informed decisions that reduce exposure and strengthen resilience—without jeopardizing mission-critical operations.”
“The Department of War is driving Zero Trust for operational technology at an accelerated pace,” said Honorable Kirsten A. Davies, DoW Chief Information Officer. “In lockstep with our federal and industry partners, we are fortifying the infrastructure and interconnected weapon systems our Warfighters demand to fight and win. This is how we deliver peace through technical strength.”
“Operational technology underpins the systems Americans rely on every day, and adversaries know it,” said FBI Cyber Division Assistant Director Brett Leatherman. “Nation-state actors are pre-positioning on these networks because OT controls critical physical processes, and because these environments often lack the visibility to detect them early. This guide moves owners and operators from reactive to proactive. Resilience in OT isn’t achieved through any single control; it requires layered defenses that raise the cost for adversaries at every stage. Alongside our partners, we’re putting practical steps in the hands of the people who need them most.”
“Operational technology sits at the intersection of cybersecurity and physical consequence. That reality demands dedicated attention. In line with this joint guide, the State Department prioritizes sustained collaboration to establish shared discipline and systematically address concerns raised by OT engineers, network architects, and cybersecurity professionals,” said U.S. Department of State’s Diplomatic Security Service, Deputy Assistant Secretary for Cyber and Technology Security Gharun S. Lacy. “These integrated efforts combine multiple skillsets and put personnel onsite to safeguard critical infrastructure across U.S. missions worldwide.”
The guide helps organizations overcome challenges unique to OT, such as technology gaps from legacy infrastructure, operational constraints, and the safety requirements that arise from the direct link between cybersecurity and physical processes. Key focus areas in the guide include establishing zones and conduits, proactively addressing supply chain risks, and implementing robust identity and access management.
CISA offers a variety of resources—including guidance, services, tools, and training—applicable to Zero Trust and OT stakeholders and organizations at all levels of cybersecurity maturity. For more information, visit the Industrial Control Systems or Zero Trust pages on CISA.gov.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to manage, uncover, and reduce risk to our digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.
Facts Only
* CISA, DoW, DOE, FBI, and DOS published a joint guide on applying Zero Trust principles to Operational Technology (OT).
* The guide assists organizations with OT systems, including government systems.
* The guide provides insights on overcoming unique constraints, addressing challenges, and prioritizing Zero Trust integration in OT environments.
* OT systems are becoming increasingly interconnected, digitally monitored, and remotely operated.
* Improperly secured pathways create opportunities for threat actors to access IT and OT networks.
* Zero Trust strategies can prevent adversaries from compromising, manipulating, degrading, and disrupting critical physical processes.
* CISA observed threat actors like Volt Typhoon targeting OT systems.
* The guide addresses unique challenges such as legacy infrastructure, operational constraints, and safety requirements.
* Key focus areas include establishing zones and conduits, proactively addressing supply chain risks, and implementing identity and access management.
* In the accompanying statements, the FBI's Brett Leatherman stressed that resilience in OT is not achieved through any single control and requires layered defenses.
Executive Summary
The Cybersecurity and Infrastructure Security Agency (CISA), along with the Department of War (DoW), Department of Energy (DOE), Federal Bureau of Investigation (FBI), and the Department of State (DOS) published a joint guide focusing on applying Zero Trust principles to Operational Technology (OT) systems. The guide is designed to provide practical insights for OT owners, operators, and Zero Trust practitioners on integrating these principles within OT environments, addressing unique constraints, challenges, and safety requirements.
This initiative addresses the heightened risk posed by interconnected and remotely operated OT systems, which are increasingly targeted by threat actors. The guide emphasizes that adapting Zero Trust must account for the operational realities of the OT environment so that the controls mitigate cyber risk without disrupting the physical processes they protect. Key focus areas for integration include establishing zones and conduits, addressing supply chain risks, and implementing robust identity and access management, all while navigating legacy infrastructure and operational constraints. The collaboration reflects a shared recognition that operational technology sits at the intersection of cybersecurity and physical consequence, which calls for a layered approach to resilience.
Full Take
The collaboration between multiple federal agencies signals a recognition that cyber risk in Operational Technology is not merely an IT problem but a fundamental threat to physical safety and national security. The core tension lies in attempting to overlay a modern, highly restrictive security philosophy (Zero Trust) onto an environment defined by physical constraints, legacy infrastructure, and real-time operational demands.
The narrative seeks to bridge the gap between high-level security strategy and ground-level operational reality. The challenge is not just technical implementation, but reconciling the need for granular, zero-trust access control with the imperative to maintain continuous, uninterrupted physical process control. The request for OT owners to implement Zero Trust "without disrupting their own systems" is a critical constraint that highlights the gap between theoretical security models and physical system constraints.
This coordinated effort reflects a recurring pattern: when critical infrastructure is exposed, the response takes the form of broad, multi-agency guidance intended to drive change across owners and operators. The success of this adoption will depend on how effectively the technical guidance translates into operational practices that keep safety and process continuity ahead of security enforcement for its own sake. The open question is whether adopting Zero Trust in OT introduces new, unforeseen operational risks, or whether the collaborative framework can manage the inherent tension between digital security requirements and physical operational imperatives.
Sentinel — Human
The text displays the formal, coordinated tone of official government communication, characterized by specific attribution and policy focus, making it highly likely to be human-authored or officially sourced material.
