A survey commissioned by cybersecurity company Xage shows that zero trust is on track to being implemented in many operational technology (OT) environments, particularly in critical infrastructure organizations.
Private companies and governments have come to realize the importance of a zero trust cybersecurity model, where nothing is trusted by default, and users or devices are verified before being given access to a requested resource.
A recent survey by the Cloud Security Alliance (CSA) showed that 80% of C-level executives consider zero trust a priority for their organization and a vast majority are in the process of implementing zero trust strategies.
The new Xage report — based on a survey of cybersecurity professionals working in critical infrastructure organizations in the United States — shows that zero trust is also widely being implemented in OT environments.
Xage says there has been “heavy skepticism” regarding the practicality of implementing zero trust in industrial environments, which host a mix of modern and old equipment and where any disruptions could be very costly.
However, more than half of respondents determined that an equipment overhaul is not required to implement zero trust, with some strategies not requiring any updates to existing technology.
The survey found that 41% of critical infrastructure operators are in the early stages of zero trust implementation and 88% have taken some steps towards zero trust. All respondents said they have plans to adopt zero trust at some point.
[ Read: The History and Evolution of Zero Trust ]
Roughly two-thirds of critical infrastructure operators have shifted to a proactive security approach.
Organizations that have already started implementing zero trust strategies believe this approach helps them accelerate digital transformation, provides improved user experience, leads to more efficient operations, and helps them save time or money.
On the other hand, many organizations still find it difficult to adopt zero trust, and the challenges cited by many respondents include the lack of knowledge and resources, as well as “conflicting direction from leadership.”
While nearly half of respondents believe it will take more than three years to complete their zero trust objectives for OT, some have found ways to overcome the associated challenges, including by integrating zero trust into their culture, setting a formal process for defining goals, assessing weaknesses in their existing security architecture, and incorporating identity and access management (IAM) practices and tools.
Related: The Need for Resilient Zero Trust
Related: Zero Trust, We Must
Related: Demystifying Zero Trust

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Siemens License Manager Vulnerabilities Allow ICS Hacking
- CISA Releases Open Source Recovery Tool for ESXiArgs Ransomware
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
Latest News
- Minister: Cybercrimes Now 20% of Spain’s Registered Offenses
- Skybox Security Raises $50M, Hires New CEO
- Spies, Hackers, Informants: How China Snoops on the US
- Australian Man Sentenced for Scam Related to Optus Hack
- Chrome 110 Patches 15 Vulnerabilities
- Application Security Protection for the Masses
- Tor Network Under DDoS Pressure for 7 Months
- Siemens License Manager Vulnerabilities Allow ICS Hacking
