Bridging the IT/OT Divide with an ICS Zero Trust Model

Building a bridge before the fortress crumbles.


The so-called divide between IT and OT isn't a crack in the floor—it's a trench, dug deep by decades of misaligned priorities, misunderstood risks, and clashing mentalities. Manufacturers have historically treated their operational technology environments as sanctuaries—stable, isolated, untouched by the relentless chaos of IT change cycles.

But the fortress is crumbling. IIoT devices, remote access, and digital transformation mandates have punched holes through the perimeter. Attackers aren’t asking for permission before they enter. They don’t need to. The bridge between IT and OT has already been built—it just wasn’t built by us. It’s time to take it back with a Zero Trust model tailored to industrial control systems.

It's Not a Technical Problem, It's a Political One

For the most part, the IT/OT divide is cultural before it’s technical. On one side, you’ve got agile updates, aggressive patching and cloud-native everything. On the other, stability, consistency, and hardware lifecycles measured in decades. That’s not a misunderstanding—it’s a clash of survival instincts. And it creates operational silos so entrenched that even shared vocabulary feels foreign.

Zero Trust forces both sides to renegotiate. It demands collaboration not as a gesture, but as a precondition for success. Security policies can’t just be handed down from IT and rubber-stamped by operations. They have to be co-authored. That’s how you build policies that don’t get bypassed the minute they threaten uptime. That’s how you make Zero Trust something that protects production instead of interrupting it.

You cannot secure what you do not understand. ICS environments often operate with a high degree of undocumented complexity—shadow systems, unmanaged assets, outdated firmware. The typical plant floor is a spaghetti of field devices, control systems, and vendor-installed black boxes that no one has dared to touch in years. That’s not a network. That’s a liability map.

You don’t start Zero Trust with enforcement. You start with observation. Baseline every asset, every communication flow, every behavioral pattern. Watch first. Enforce later. The temptation to rush into segmentation and access controls is understandable—but if you don’t know what’s actually happening in your environment, you’re segmenting blindfolded. You’re more likely to break things than protect them.

Identity Has to Evolve Beyond Humans

The concept of identity in IT is user-centric: you authenticate people. In ICS, you authenticate everything. Devices talk to other devices without human input. Controllers push instructions on deterministic schedules. Machine-to-machine trust is foundational, and yet in many environments it is almost entirely unauthenticated.

Zero Trust reframes identity as something fluid and contextual. A PLC doesn’t get to talk to a historian just because it always has. It gets to talk to it because the communication fits a known pattern, within a known time window, using an expected protocol. And if it deviates—if it starts behaving like a beachhead—you shut it down, not because it’s definitively compromised, but because it’s no longer trustworthy.

This isn’t about layering MFA on top of badge readers. It’s about behavioral fingerprinting. About using communication patterns as identity markers. About treating devices as actors with reputations, not as fixed-function lumps of metal.
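The observe-then-enforce approach from the earlier section and the contextual identity described here (a flow is allowed because it fits a known peer pair, protocol and time window, not because it has always been allowed) can be reduced to a small baseline engine. The following is an added example, not code from the article; the hosts, protocol names, timestamps and the hour-of-day window granularity are constructed assumptions chosen to illustrate the idea.

```python
"""Observe-first baseline for ICS communication flows.

Added illustration: learns (source, destination, protocol, hour-of-day)
tuples during an observation period, then evaluates new flows against the
learned baseline. Hosts, protocols and timestamps are constructed sample
values, not data from any real plant.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<iso-timestamp> <src> -> <dst> <proto>'."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"malformed flow record: {line!r}")
    return Flow(datetime.fromisoformat(ts), src, dst, proto)


class Baseline:
    """Known-good communication patterns, keyed by peer pair and protocol."""

    def __init__(self) -> None:
        # (src, dst, proto) -> set of hours (0-23) in which the flow was observed
        self.windows: dict[tuple[str, str, str], set[int]] = defaultdict(set)

    def observe(self, flow: Flow) -> None:
        """Observation phase: record the flow, never block."""
        self.windows[(flow.src, flow.dst, flow.proto)].add(flow.ts.hour)

    def evaluate(self, flow: Flow) -> tuple[str, str]:
        """Enforcement phase: allow only flows that fit a learned pattern."""
        key = (flow.src, flow.dst, flow.proto)
        if key in self.windows:
            if flow.ts.hour in self.windows[key]:
                return "allow", "fits learned pattern"
            return "deny", "known peers but outside observed time window"
        known_pair = any(s == flow.src and d == flow.dst for s, d, _ in self.windows)
        if known_pair:
            return "deny", "known peers but unexpected protocol"
        return "deny", "no baseline for this source/destination pair"


# Constructed observation log: a PLC feeding a historian overnight and an
# engineering workstation polling the PLC in the morning.
OBSERVATION_LOG = [
    "2024-05-01T01:00:00 10.1.1.5 -> 10.1.2.20 modbus/tcp",
    "2024-05-01T02:00:00 10.1.1.5 -> 10.1.2.20 modbus/tcp",
    "2024-05-01T03:00:00 10.1.1.5 -> 10.1.2.20 modbus/tcp",
    "2024-05-01T09:00:00 10.1.3.7 -> 10.1.1.5 modbus/tcp",
]

# Constructed flows seen after enforcement is switched on.
NEW_FLOWS = [
    "2024-05-02T02:30:00 10.1.1.5 -> 10.1.2.20 modbus/tcp",   # normal
    "2024-05-02T14:00:00 10.1.1.5 -> 10.1.2.20 modbus/tcp",   # wrong time of day
    "2024-05-02T02:30:00 10.1.1.5 -> 10.1.2.20 ssh",          # wrong protocol
    "2024-05-02T02:30:00 10.1.1.5 -> 10.1.3.7 smb",           # PLC reaching a new peer
]


def build_baseline(lines) -> Baseline:
    baseline = Baseline()
    for line in lines:
        baseline.observe(parse_flow(line))
    return baseline


def triage(baseline: Baseline, lines) -> list[tuple[str, str, str]]:
    """Return (record, verdict, reason) for each flow."""
    return [(line, *baseline.evaluate(parse_flow(line))) for line in lines]


if __name__ == "__main__":
    for record, verdict, reason in triage(build_baseline(OBSERVATION_LOG), NEW_FLOWS):
        print(f"{verdict:5} {reason:45} {record}")
```

The three deny reasons map to the three deviations the article calls out: a known pair at the wrong time, a known pair over an unexpected protocol, and a device reaching a peer it has never spoken to. In practice the observation window has to cover every scheduled cycle (shift changes, weekly backups, monthly maintenance) before enforcement is switched on, or the baseline will deny legitimate but infrequent traffic.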

Legacy Systems Aren’t an Excuse, They’re the Reason

Yes, you have systems from 2003 that can’t be patched without triggering a month-long compliance review. That doesn’t mean they get a free pass. It means they get isolated, monitored, and wrapped in compensating controls. Virtual patching isn’t a silver bullet, but it’s a lifeline. Deep protocol inspection isn’t perfect, but it beats trusting that a compromised RTU will sit quietly and behave.

Zero Trust doesn't force you to modernize every device or upend every automation workflow. It forces you to acknowledge the risk those devices pose, and to contain them accordingly. If your argument against Zero Trust is "we can’t patch," you’ve already missed the point. It was never about patching. It’s about trust, and what happens when it’s abused.

You’re not going to manually enforce trust decisions in a plant with thousands of endpoints and real-time operational requirements. You need machine-speed enforcement. That means automating responses to deviations, integrating AI to detect anomalies, and building playbooks that can quarantine without permission.

But automation only works when it’s grounded in operational context. You can’t just dump a generic IT security platform into a refinery and expect results. You need tooling that understands Modbus, not just TLS. You need detection logic that knows the difference between a scheduled firmware update and a lateral move.

AI isn’t magic. It’s math. And it needs proper data extraction and analysis—clean, contextual, and continuous. Otherwise, your Zero Trust enforcement becomes just another blind control.
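"Tooling that understands Modbus, not just TLS" means inspecting the protocol itself: which function code a request carries, from which host, and whether that fits the operational context. The following added example (not code from the article) parses the Modbus/TCP MBAP header and function code and applies a role-aware policy in which reads are routine but register and coil writes are only expected from the engineering workstation inside a declared maintenance window. The host roles, the maintenance window and the sample frames are constructed assumptions; the function codes and MBAP layout are the standard Modbus ones.

```python
"""Protocol-aware enforcement for Modbus/TCP requests.

Added illustration: parses the MBAP header and function code of a Modbus/TCP
request and applies a role- and window-aware policy. Host roles, windows and
frames are constructed samples for the example.
"""
import struct
from datetime import datetime

# Standard Modbus public function codes carried in client requests.
READ_CODES = {0x01, 0x02, 0x03, 0x04}   # coils, discrete inputs, holding/input registers
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}  # single/multiple coils and registers

# Constructed role assignments for this example.
HISTORIAN_HOSTS = {"10.1.2.20"}
ENGINEERING_HOSTS = {"10.1.3.7"}

# Constructed maintenance window during which configuration writes are scheduled.
MAINTENANCE_WINDOWS = [
    (datetime(2024, 5, 2, 9, 0), datetime(2024, 5, 2, 11, 0)),
]


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus the PDU function code; raise on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    # The MBAP length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": frame[7],
        "data": frame[8:],
    }


def in_maintenance_window(ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def evaluate_request(src: str, ts: datetime, frame: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for one Modbus/TCP request sent by src at time ts."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"
    fc = req["function_code"]
    if fc in READ_CODES:
        if src in HISTORIAN_HOSTS or src in ENGINEERING_HOSTS:
            return "allow", f"read (fc 0x{fc:02x}) from known role"
        return "deny", f"read (fc 0x{fc:02x}) from host with no assigned role"
    if fc in WRITE_CODES:
        if src not in ENGINEERING_HOSTS:
            return "deny", f"write (fc 0x{fc:02x}) from non-engineering host"
        if not in_maintenance_window(ts):
            return "deny", f"write (fc 0x{fc:02x}) outside maintenance window"
        return "allow", f"scheduled write (fc 0x{fc:02x}) during maintenance window"
    return "deny", f"function code 0x{fc:02x} not in allow-list"


# Constructed frames: MBAP (transaction id, protocol id 0, length, unit id) then PDU.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")        # read 10 registers at 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 0001")        # write register 16 := 1
WRITE_MULTI = bytes.fromhex("0003 0000 0009 01 10 0010 0001 02 0001") # write 1 register at 16
TRUNCATED = bytes.fromhex("0004 0000 0006 01")                        # header cut short

SAMPLE_REQUESTS = [
    ("10.1.2.20", datetime(2024, 5, 2, 2, 30), READ_HOLDING),   # historian polling
    ("10.1.3.7", datetime(2024, 5, 2, 9, 15), WRITE_SINGLE),    # scheduled change
    ("10.1.3.7", datetime(2024, 5, 2, 22, 0), WRITE_SINGLE),    # right host, wrong time
    ("10.1.2.20", datetime(2024, 5, 2, 9, 15), WRITE_MULTI),    # historian should never write
    ("10.1.9.9", datetime(2024, 5, 2, 9, 15), READ_HOLDING),    # host with no role
    ("10.1.3.7", datetime(2024, 5, 2, 9, 15), TRUNCATED),       # malformed frame
]


def triage_requests(requests=SAMPLE_REQUESTS) -> list[tuple[str, str]]:
    return [evaluate_request(src, ts, frame) for src, ts, frame in requests]


if __name__ == "__main__":
    for (src, ts, _), (verdict, reason) in zip(SAMPLE_REQUESTS, triage_requests()):
        print(f"{verdict:5} {src:10} {ts:%H:%M} {reason}")
```

The point of the example is the fourth and fifth cases: the same bytes are allowed or denied depending on who sends them and when, which is exactly the distinction a generic IT platform that only sees "TCP/502 to the PLC" cannot make. A deployed version would also validate the PDU body per function code and account for exception responses, but the decision structure stays the same.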

Governance Cannot Be Assumed

If no one owns it, it doesn’t exist. That applies to both assets and policies. ICS security governance is often vague, fragmented, or nonexistent. Who owns a vendor-installed device that communicates with both IT and OT networks? Who defines acceptable use for a legacy HMI that no one has logged into since 2016?

Without governance, Zero Trust becomes a patchwork of fiefdoms. With it, it becomes a framework for decision-making. You need unified oversight, cross-domain accountability, and metrics that matter. Not just “threats blocked,” but “incidents avoided without production impact.” 

But make no mistake—the goal isn’t to make IT and OT indistinguishable. It’s to make them interoperable under a single security strategy. Zero Trust doesn’t erase domain expertise—it makes it more relevant. OT needs to understand the implications of trust decisions. IT needs to understand the fragility of certain workflows. Security becomes the common language.

The real transformation is psychological. IT has to stop assuming it can dictate strategy from above. OT has to stop treating every change as a threat. Both have to accept that in a modern industrial environment, trust is the scarcest and most abused resource.

Manufacturers who drag their feet on Zero Trust aren’t buying time—they’re buying risk. The convergence of IT and OT is happening, whether your architecture is ready or not. Threat actors aren’t sitting around waiting for your patch schedule. They’re already in, living off the land, exploiting outdated trust models.

Zero Trust isn’t a reaction. It’s a re-foundation. For ICS environments, it’s the difference between fragile uptime and resilient operations. Between trusting what you hope is safe and knowing what actually is.

The wall is down. Build the bridge.
