A group of U.S. government agencies on Wednesday offered advice for critical infrastructure organizations on applying zero-trust (ZT) principles to their operational technology (OT) environments.
Taking a zero-trust approach to these industrial systems requires careful consideration, the new government publication says, “because OT systems interact with the physical environment and are constrained by availability and safety requirements, as well as legacy technology with long lifespans.”
The document — co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the departments of Defense, Energy and State — describes the unique challenges that OT environments pose, the importance of clear governance frameworks and supply-chain oversight, and the steps that infrastructure operators should take to implement zero trust.
The government advice comes as hackers increasingly turn their attention to OT operators, many of which use insecure legacy technology, lack adequate cybersecurity budgets and cannot tolerate significant downtime.
“This guide moves owners and operators from reactive to proactive,” Brett Leatherman, the assistant director of the FBI’s Cyber Division, said in a statement. “Resilience in OT isn’t achieved through any single control; it requires layered defenses that raise the cost for adversaries at every stage.”
Organizations should begin by establishing governance structures, the publication says, including “shared accountability” between stakeholders and the use of supply-chain risk management tools such as software bills of materials. Next, they must identify and analyze their assets, implement processes for tracking changes to those assets and evaluate the threats the assets face.
The document then recommends specific zero-trust security practices, such as network segmentation, identity management, secure remote access, vulnerability management and data encryption. But it warns that most of these practices will work differently in OT environments than in traditional IT environments.
In particular, ideal access controls may not be possible in OT environments due to operational needs, the document says, so organizations should stack a series of compensating controls on top of each other to make it harder for hackers to exploit access-control weaknesses. The document also contrasts how IT and OT environments can implement network segmentation, highlighting the difficulties that exist in the OT world.
The document also includes sections on threat detection, response and recovery, with guidance and recommendations about the OT-specific considerations for each of those activities. For example, it notes that endpoint detection and response (EDR) software is sometimes difficult to run on the embedded systems prevalent in OT environments, and it offers advice for how to deal with those challenges. It also suggests ways for incident responders to contain attacks on OT systems.
Shared organizational responsibility is a major theme of the publication, which warns that “tools and technologies alone are insufficient” to implement zero-trust principles.
“Strong collaboration between IT, OT, and cybersecurity teams is critical to achieving effective and sustainable implementation of technology and processes,” the publication says. “This collaboration requires breaking down organizational silos, fostering mutual understanding, and tailoring ZT principles to the unique characteristics and operational requirements of each OT environment.”