A coalition of U.S. government agencies, led by the Cybersecurity and Infrastructure Security Agency (CISA), has released a new guide aimed at strengthening cybersecurity practices in operational technology (OT) environments.

The joint publication, titled Adapting Zero Trust Principles to Operational Technology, was developed in collaboration with the Department of Defense, the Department of Energy, the Federal Bureau of Investigation, and the Department of State. It is designed to help OT owners adopt zero trust principles in systems that control physical processes, such as energy grids, manufacturing plants, and transportation networks.

According to CISA officials, advancements in technology have transformed OT systems that were once isolated or manually operated into environments that are increasingly interconnected, digitally monitored, and remotely controlled. This convergence of IT and OT introduces new cybersecurity risks, rendering perimeter-based defenses and implicit trust models insufficient to safeguard critical systems.

Chris Butera, acting executive assistant director for cybersecurity at CISA, highlighted recent activity by groups such as Volt Typhoon, “targeting OT systems to compromise, escalate, and maintain access within operational environments.”

“Zero trust architecture is critical to preventing cyber incidents that could cause operators to lose visibility or control of essential systems,” Butera said in a statement.

Given these challenges, the 28-page guide organizes cybersecurity outcomes around six core functions: govern, identify, protect, detect, respond, and recover.

The guidance also emphasizes a shift from reactive cybersecurity measures to a proactive, layered defense. It outlines strategies, including improving asset visibility, segmenting networks into secure zones, strengthening supply chain security, and implementing robust identity and access controls.

A central challenge addressed in the guide is enhancing security without disrupting mission-critical operations. OT systems often rely on legacy technologies and must meet strict safety requirements, making rapid changes difficult.

The guide underscores the importance of business continuity planning for these systems. It advises organizations to regularly review and update business continuity plans to ensure effectiveness.

At a minimum, the agencies said plans should identify critical processes, define recovery time objectives, and establish clear procedures to maintain essential services during disruptions.

“Integrating cybersecurity considerations into the [plan] is vital for ascertaining that recovery efforts account for potential cyber incidents. This integration enhances the organization’s ability to successfully maintain operations and swiftly recover in the face of cyber threats,” the guidance states, adding that with “comprehensive backups, rigorous restoration testing, and a well-integrated [plan], organizations can strengthen their cyber resilience and help ensure the continuity of critical industrial operations.”

The agencies are urging OT owners, operators, and integrators to use the guide as a roadmap for strengthening resilience against evolving cyber threats.

“This guide equips organizations to methodically navigate the complexities of adopting Zero Trust principles in OT environments,” Butera said. “Together with our partners, CISA urges OT owners, operators, and integrators to use this resource to make informed decisions that reduce exposure and strengthen resilience – without jeopardizing mission-critical operations.”

About
Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.