
Zero Trust for OT

Zero Trust for OT is the application of Zero Trust architecture principles to operational technology networks. It means no connection to an industrial asset is trusted by default. Every user, device, and session must be authenticated and authorized before accessing PLCs, HMIs, SCADA systems, or any other OT resource.

Zero Trust in OT vs IT

IT Zero Trust and OT Zero Trust share the principle but diverge almost entirely in implementation. The table below summarizes the structural differences.

| Dimension | IT Zero Trust | OT Zero Trust |
|-----------|---------------|---------------|
| Enforcement point | Endpoint agent + identity-aware proxy | Network proxy only (no agents on assets) |
| Identity source | Cloud IdP (Entra, Okta, Google) | On-prem IdP, often sovereign (Keycloak, PIV) |
| Session posture | Device health signals from agent | Device role + source segment + flow pattern |
| Latency tolerance | Hundreds of ms acceptable | Single-digit ms required on control loops |
| Failure mode | Block access, retry | Must fail open for safety-critical flows |
| Update cadence | Continuous, automated | Change-controlled, maintenance-window only |
| Typical deployment | SaaS or inline | Non-inline overlay, on-premise |

OT Zero Trust cannot use endpoint agents, cannot depend on cloud identity, and cannot tolerate inline enforcement that fails closed. Every mechanism moves to the network layer, and every deployment has to survive the operational-technology reality that a dropped packet can cost a shift.

See the comparison pages for how this plays out against specific vendors: Access Gate vs Claroty, vs Nozomi, vs Forescout, and vs Zscaler.

Key Capabilities

  • Identity-based access control: Every session authenticated with MFA before reaching the OT asset
  • Network segmentation: Overlay networking creates microsegments without VLAN reconfiguration
  • Session logging: Every connection logged with user identity, timestamp, protocol, and payload
  • Encryption: TLS on CUI paths between user and proxy
  • Deny by default: Only explicitly authorized connections are allowed
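The policy decision an OT access proxy makes, as an added example (not Trout's code and not from any product named on this page) that ties the table's "session posture" row and "failure mode" row to the capabilities above: posture is whatever the network can observe without an agent (device role, source segment, requested flow), every flow not on the allow-list is denied, MFA is required for every session, and only flows a rule marks safety-critical fail open when the identity provider is unreachable. Rule values, segment names and asset names are constructed for the example.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rule:
    # Posture an agentless proxy can observe: device role, source
    # segment and the requested flow (protocol -> target asset).
    role: str
    segment: str
    protocol: str
    target: str
    safety_critical: bool = False  # fail open if the IdP is unreachable


@dataclass(frozen=True)
class Session:
    user: str
    mfa_ok: bool      # result of the MFA challenge at the proxy
    role: str
    segment: str
    protocol: str
    target: str


# Constructed allow-list for the example; any flow not listed is denied.
RULES = (
    Rule("engineering-ws", "eng-segment", "modbus-tcp", "plc-01"),
    Rule("hmi", "control-segment", "modbus-tcp", "plc-01", safety_critical=True),
)


def match_rule(sess, rules=RULES):
    """Exact match on role, segment, protocol and target; None if no rule."""
    key = (sess.role, sess.segment, sess.protocol, sess.target)
    return next((r for r in rules
                 if (r.role, r.segment, r.protocol, r.target) == key), None)


def decide(sess, rules=RULES, idp_available=True):
    """Return (allow, reason). Deny by default; fail open only for flows a
    rule marks safety-critical, and only when the IdP cannot be reached."""
    rule = match_rule(sess, rules)
    if rule is None:
        return False, "no matching rule (deny by default)"
    if not idp_available:
        if rule.safety_critical:
            return True, "IdP unreachable; fail open for safety-critical flow"
        return False, "IdP unreachable; fail closed"
    if not sess.mfa_ok:
        return False, "MFA required"
    return True, "authorized"


def session_log(sess, allow, reason):
    """Structured record: user identity, timestamp, protocol, decision."""
    ts = datetime.now(timezone.utc).isoformat()
    return {**asdict(sess), "timestamp": ts, "allow": allow, "reason": reason}
```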

Compliance Alignment

Zero Trust for OT maps to multiple compliance frameworks:

  • CMMC Level 2: Addresses AC, AU, IA, and SC control families
  • NIS2: Satisfies Article 21 network segmentation and access control requirements
  • IEC 62443: Aligns with zone and conduit security architecture
  • DoD DTM 25-003: Addresses all 7 OT-ZT pillars at Target Level
