Security Experts:

Connect with us

Hi, what are you looking for?



Critical Infrastructure Operators Implementing Zero Trust in OT Environments

A survey commissioned by cybersecurity company Xage shows that zero trust is on track to being implemented in many operational technology (OT) environments, particularly in critical infrastructure organizations.

A survey commissioned by cybersecurity company Xage shows that zero trust is on track to being implemented in many operational technology (OT) environments, particularly in critical infrastructure organizations.

Private companies and governments have come to realize the importance of a zero trust cybersecurity model, where nothing is trusted by default, and users or devices are verified before being given access to a requested resource.

A recent survey by the Cloud Security Alliance (CSA) showed that 80% of C-level executives consider zero trust a priority for their organization and a vast majority are in the process of implementing zero trust strategies.

The new Xage report — based on a survey of cybersecurity professionals working in critical infrastructure organizations in the United States — shows that zero trust is also widely being implemented in OT environments.

Xage says there has been “heavy skepticism” regarding the practicality of implementing zero trust in industrial environments, which host a mix of modern and old equipment and where any disruptions could be very costly.

However, more than half of respondents determined that an equipment overhaul is not required to implement zero trust, with some strategies not requiring any updates to existing technology.

The survey found that 41% of critical infrastructure operators are in the early stages of zero trust implementation and 88% have taken some steps towards zero trust. All respondents said they have plans to adopt zero trust at some point.

[ Read: The History and Evolution of Zero Trust ]

Roughly two-thirds of critical infrastructure operators have shifted to a proactive security approach.

Organizations that have already started implementing zero trust strategies believe this approach helps them accelerate digital transformation, provides improved user experience, leads to more efficient operations, and helps them save time or money.

On the other hand, many organizations still find it difficult to adopt zero trust, and the challenges cited by many respondents include the lack of knowledge and resources, as well as “conflicting direction from leadership.”

While nearly half of respondents believe it will take more than three years to complete their zero trust objectives for OT, some have found ways to overcome the associated challenges, including by integrating zero trust into their culture, setting a formal process for defining goals, assessing weaknesses in their existing security architecture, and incorporating identity and access management (IAM) practices and tools.

Related: The Need for Resilient Zero Trust

Related: Zero Trust, We Must

Related: Demystifying Zero Trust

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...