A converging wave of regulatory mandates, rising ransomware activity, and IT/OT network integration has pushed zero-trust architecture beyond identity management in operational technology environments. Manufacturers, energy operators, and critical infrastructure owners now face pressure to adopt continuous visibility, micro-segmentation, device posture assessment, and tested resilience plans as core pillars of any credible OT security program.

Background

OT systems once isolated or manually operated are now increasingly interconnected, digitally monitored, and remotely controlled. This IT/OT convergence introduces cybersecurity risks that render perimeter-based defenses and implicit trust models inadequate for safeguarding the critical physical processes those systems control. The policy environment has responded in kind. CISA, along with the Department of Defense, Department of Energy, FBI, and Department of State, published a joint guide, Adapting Zero Trust Principles to Operational Technology, providing OT owners and operators with practical insights on overcoming unique constraints and prioritizing key areas for integrating zero trust into OT environments.

The threat data reinforces the urgency. Dragos tracked 119 ransomware groups targeting industrial organizations in 2025, up from 80 in 2024, with over 3,300 industrial organizations impacted. In Q1 2025 alone, 708 ransomware incidents struck industrial entities, with manufacturing absorbing 68% of those incidents, and manufacturing breaches now average over $5 million per incident.

Details

The central challenge in translating zero-trust principles to OT lies in OT's fundamental operating constraints. Applying standard IT security approaches to OT environments can prove ineffective and potentially dangerous.[1] OT systems prioritize operational availability over confidentiality and integrity, rely on legacy equipment and diverse industrial protocols such as DNP3, Modbus, BACnet, and PROFINET, and face strict safety requirements. Regulators have adjusted accordingly: the DoD's November 2025 guidance, Zero Trust for OT Activities and Outcomes, establishes 105 distinct security activities - 84 designated as mandatory target-level requirements and 21 as advanced-level objectives - organized across seven pillars. A senior Pentagon advisor captured the core distinction: "The reason why OT is different than IT is because the outcomes for OT are different. This is a sensor, this controls water and power - you don't easily shut that down because you're being attacked." Deadlines for target- and advanced-level zero trust in OT are set for the end of fiscal 2030 and fiscal 2033, respectively.

Practitioners operating under both NIST CSF and ISA/IEC 62443 - the two most widely referenced frameworks in industrial sectors - increasingly treat them as complementary rather than competing. NIST CSF 2.0 organizes cybersecurity risk across the entire enterprise, breaking complex programs into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. The Govern function places risk strategy, supply chain management, and executive oversight at the center of the model. NIST CSF 2.0 provides an enterprise-friendly, board-ready structure for cyber risk, while the IEC 62443 series delivers the deep, OT-specific technical and procedural requirements for industrial automation and control systems. Together, the two build an actionable bridge between high-level business risk, plant-floor reality, and technical engineering controls.

Within that dual-framework approach, visibility functions as the prerequisite for all downstream controls. Every OT security program that has failed did so at this foundational step: organizations cannot protect what they do not know exists, and in OT environments the gap between the documented asset register and what is actually connected to the network is almost always larger than management believes. Micro-segmentation closes that gap operationally. Applying micro-segmentation within the IEC 62443 framework adds a layer of security by limiting lateral threat movement within the OT network, protecting critical applications, and supporting compliance requirements. Operational evidence backs the approach: one multinational manufacturer implementing OT network segmentation across more than a dozen global production facilities achieved a 70% increase in visibility of operational assets and a 60% reduction in potential lateral attack paths, with zero production downtime during rollout.

Resilience planning increasingly requires translating OT threats into business risk metrics that governance and finance teams can act on. Marsh McLennan identifies network segmentation as one of 12 key controls insurers evaluate during underwriting, and a joint Dragos-Marsh McLennan analysis of a decade of insurance claims data found that defensible architecture, including segmentation, delivers a 17% reduction in financial risk from cyber incidents. Aon's 2025 analysis found that 36.65% of industrial clients were flagged for insufficient OT segmentation during underwriting. Incident response capability is also measurable: research published in the European Journal of Computer Science and Information Technology found that organizations with mature micro-segmentation achieve a 71.4% improvement in mean time to contain breaches.

Supply chain exposure remains an under-addressed vector. Key focus areas in the CISA joint guide include establishing zones and conduits, proactively addressing supply chain risks, and implementing robust identity and access management. Strict vendor risk management policies should ensure third-party integrators adhere to IEC 62443-2-4 standards before receiving network access.
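As an added illustration of the register-versus-wire visibility gap and the zone-and-conduit enforcement discussed above (example code written for this page, not taken from the CISA guide, IEC 62443 or any vendor product; every address, asset tag, zone and conduit rule is constructed), the following reconciles a documented asset register against passively observed flows and flags cross-zone traffic that no conduit permits:

```python
from collections import namedtuple

# Constructed data throughout: addresses, asset tags, zones and conduit
# rules are hypothetical and do not describe any real site.
Flow = namedtuple("Flow", "src dst dport proto")

# Asset register as documented: address -> (asset tag, IEC 62443 zone)
ASSET_REGISTER = {
    "10.10.1.10": ("PLC-01", "cell-A"),
    "10.10.1.11": ("HMI-01", "cell-A"),
    "10.10.2.20": ("HIST-01", "dmz"),
    "10.20.0.5": ("ENG-WS-01", "enterprise"),
}

# Conduit policy: (from_zone, to_zone) -> allowed (dport, proto) pairs.
# Any cross-zone flow not listed is denied by default.
CONDUITS = {
    ("cell-A", "dmz"): {(502, "tcp")},      # Modbus/TCP to the historian
    ("enterprise", "dmz"): {(443, "tcp")},  # engineering access stops at the DMZ
}

def zone_of(ip):
    """Registered zone for an address, or None if the device is undocumented."""
    entry = ASSET_REGISTER.get(ip)
    return entry[1] if entry else None

def undocumented_assets(flows):
    """Addresses seen on the wire that are missing from the asset register."""
    seen = {ip for f in flows for ip in (f.src, f.dst)}
    return sorted(ip for ip in seen if ip not in ASSET_REGISTER)

def conduit_violations(flows):
    """Cross-zone flows with no matching conduit rule. Flows touching an
    undocumented endpoint are skipped here; undocumented_assets() reports them."""
    bad = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz is None or dz is None or sz == dz:
            continue
        if (f.dport, f.proto) not in CONDUITS.get((sz, dz), set()):
            bad.append(f)
    return bad

# Constructed sample of passively observed flows (e.g. from a SPAN port).
OBSERVED = [
    Flow("10.10.1.11", "10.10.1.10", 502, "tcp"),    # HMI -> PLC, same zone
    Flow("10.10.1.10", "10.10.2.20", 502, "tcp"),    # PLC -> historian, allowed conduit
    Flow("10.20.0.5", "10.10.1.10", 20000, "tcp"),   # enterprise -> PLC (DNP3 port), no conduit
    Flow("10.10.1.99", "10.10.1.10", 502, "tcp"),    # unregistered device polling the PLC
]
```

Running `undocumented_assets(OBSERVED)` surfaces the unregistered poller, and `conduit_violations(OBSERVED)` returns only the enterprise-to-cell flow, which is the kind of lateral path the segmentation rollout described above is meant to remove.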

Outlook

The surge in volume and sophistication of cyber threats is driving adoption of advanced AI for OT security. OT environments encompass a broad range of devices, from low-resource IoT sensors to high-resource industrial controllers, and agentic AI can transform data into actionable insights while prioritizing and remediating risks in real time. Cloud-connected and edge-deployed OT architectures add further complexity: NIST SP 800-82 Revision 3, published in September 2023, expanded coverage of cloud-connected OT, IIoT, and edge computing architectures not addressed in the prior revision. As CISA and the DoD move toward enforcement-phase guidance, organizations that have not yet completed passive asset discovery and zone-based segmentation face compounding exposure across regulatory compliance, cyber insurance underwriting, and operational resilience metrics.