Critical Infrastructure Operators Implementing Zero Trust in OT Environments

A survey commissioned by cybersecurity company Xage shows that zero trust is on track to being implemented in many operational technology (OT) environments, particularly in critical infrastructure organizations.

Private companies and governments have come to realize the importance of a zero trust cybersecurity model, where nothing is trusted by default, and users or devices are verified before being given access to a requested resource.

A recent survey by the Cloud Security Alliance (CSA) showed that 80% of C-level executives consider zero trust a priority for their organization and a vast majority are in the process of implementing zero trust strategies.

The new Xage report — based on a survey of cybersecurity professionals working in critical infrastructure organizations in the United States — shows that zero trust is also widely being implemented in OT environments.

Xage says there has been “heavy skepticism” regarding the practicality of implementing zero trust in industrial environments, which host a mix of modern and old equipment and where any disruptions could be very costly.

However, more than half of respondents determined that an equipment overhaul is not required to implement zero trust, with some strategies not requiring any updates to existing technology.

The survey found that 41% of critical infrastructure operators are in the early stages of zero trust implementation and 88% have taken some steps towards zero trust. All respondents said they have plans to adopt zero trust at some point.

[ Read: The History and Evolution of Zero Trust ]

Roughly two-thirds of critical infrastructure operators have shifted to a proactive security approach.

Organizations that have already started implementing zero trust strategies believe this approach helps them accelerate digital transformation, provides improved user experience, leads to more efficient operations, and helps them save time or money.

On the other hand, many organizations still find it difficult to adopt zero trust, and the challenges cited by many respondents include the lack of knowledge and resources, as well as “conflicting direction from leadership.”

While nearly half of respondents believe it will take more than three years to complete their zero trust objectives for OT, some have found ways to overcome the associated challenges, including by integrating zero trust into their culture, setting a formal process for defining goals, assessing weaknesses in their existing security architecture, and incorporating identity and access management (IAM) practices and tools.

Related: The Need for Resilient Zero Trust

Related: Zero Trust, We Must

Related: Demystifying Zero Trust