CISA OT Guidance Draws Industry Support but Exposes Implementation Gaps

CISA's OT cybersecurity guidance is widely cited, but operators report persistent gaps in sector-specific implementation, asset visibility, zero trust adaptation, and supply chain risk.


Operators across critical infrastructure sectors are treating CISA's recent wave of operational technology (OT) cybersecurity guidance as a foundational reference. However, practitioners widely report that translating high-level directives into measurable, sector-specific controls remains an unresolved challenge.

Background

CISA and government partners released a guide titled Adapting Zero Trust Principles to Operational Technology, outlining practical steps for applying zero trust in environments constrained by legacy systems, limited visibility, and uptime requirements. That publication followed two companion releases: Secure Connectivity Principles for Operational Technology, developed with the UK National Cyber Security Centre and international partners, which outlines eight principles for designing, securing, and managing connectivity into OT environments; and Foundations for OT Cybersecurity: Asset Inventory Guidance, which establishes that an OT asset inventory supplemented by a taxonomy is essential for owners and operators across all critical infrastructure sectors to identify assets, structure defenses, and reduce risk to mission and service continuity.

The regulatory environment has simultaneously hardened. Despite broader deregulatory signals in 2025, mandatory OT cybersecurity requirements remained in place. The Transportation Security Administration renewed and updated its pipeline cybersecurity directive effective May 3, 2025, and CISA's CIRCIA rulemaking continued on a path toward a late-2025 final rule and 2026 effective date.

Details

The guidance has drawn engagement across sectors, but practitioners point to persistent structural obstacles. CISA's research, drawn from interviews with OT asset owners and operators in the water and wastewater, transportation, chemical, energy, and food and agriculture sectors, found strong demand for secure, authenticated communications alongside persistent barriers tied to cost, complexity, and the legacy design of industrial protocols. The agency acknowledged that widespread adoption of secure communications is hindered not by a lack of technical solutions but by real-world barriers in cost, complexity, and operational risk. According to CISA, "cost is driven by high procurement costs and licensing fees for secure-capable components and then exacerbated by complex solutions driving operators towards external assistance to deploy and maintain secure infrastructure."

Operational exposure concerns compound operator hesitation. CISA found that operators are reluctant to adopt secure communications if they believe doing so could disrupt normal engineering or business operations. Concerns fall into three areas: reduced observability when encrypted traffic is harder to inspect, potential latency and bandwidth constraints on legacy infrastructure, and uncertainty about how secure communications will function in practice. While newer systems can mitigate performance issues and selective encryption can preserve visibility, many operators remain cautious, particularly in brownfield environments, with security teams often prioritizing northbound traffic and field operators showing greater risk aversion.

The zero trust guidance directly confronts this tension. The CISA guide supports OT owners and operators in addressing the unique challenges of transitioning to a zero trust architecture, accounting for technology gaps from legacy infrastructure, operational constraints, and safety requirements. It focuses on comprehensive asset visibility, proactive supply chain risk management, and robust identity and access management, while stressing layered security measures including network segmentation, secure communication protocols, and vulnerability management. Strong collaboration between IT, OT, and cybersecurity teams is cited as critical to effective implementation, requiring organizations to break down silos, foster mutual understanding, and tailor zero trust principles to each OT environment's characteristics and operational requirements.

Asset inventory work has taken on new urgency as a prerequisite for any risk-based control program. Creating an asset inventory is listed among CISA's Cybersecurity Performance Goals and is foundational to designing a modern defensible architecture; without one, organizations do not know what they have or what should be secured. CISA created sector-specific taxonomies through eight collaborative working sessions held in early 2025, incorporating feedback from approximately 14 organizations and 33 participants, including representatives from U.S. federal agencies and the private sector. CISA noted these are not authoritative instructions but guidance for organizations that lack widely adopted asset classification methods.

A recurring gap involves vendor and supply chain risk. In September, CISA, working with the National Security Agency and 19 international partners, issued a Software Bill of Materials (SBOM) for Cybersecurity Guide to help organizations identify software components, assess supply chain risk, and take informed steps to protect critical systems, particularly as reliance on third-party and open-source code grows. Despite this effort, CISA noted that secure versions of industrial protocols remain underused across OT environments, even though they have been available for decades.

Outlook

Growing IT/OT convergence has fundamentally altered the threat landscape. Systems once isolated or manually operated are now digitally integrated and remotely managed, rendering traditional perimeter-based defenses and implicit trust models inadequate for protecting critical processes. Regulators and industry groups are pressing for more prescriptive, field-tested guidance and common data-sharing standards.

In December, CISA introduced Cross-Sector Cybersecurity Performance Goals 2.0, updating its guidance to reflect current adversary tactics and the latest NIST Cybersecurity Framework. The update provides critical infrastructure owners and operators with practical steps to prioritize investments, address security gaps, and strengthen defenses. Whether those performance goals bridge the gap between policy intent and plant-floor execution will depend on the degree to which sector-specific playbooks and real-world telemetry inform the next iteration of OT security standards.