
Cybersecurity Experts Disappointed in CISA OT Guidance


Governance & Risk Management, Operational Technology (OT)

Zero Trust Is ‘Essential’ – But Who Pays for It?

Image: Andrey Popov/Shutterstock

Recent guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) addressing zero trust security principles in the context of operational technology has drawn mixed reactions from industry executives and experts. While acknowledging that the guidance provides a good foundational approach, many believe it glosses over critical issues that still need addressing.

One of the most significant concerns articulated by Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition, is the lack of clarity regarding who will bear the financial burden of implementing these zero trust principles. Bolton pointed out that while the strategic framework is sound, it doesn’t reflect the reality faced by numerous critical infrastructure entities—including water utilities, rural electric cooperatives, and small ports—that often operate with constrained budgets. “The majority of these organizations simply cannot afford to implement such measures,” she asserted.

The zero trust framework operates on a fundamental belief that traditional security perimeters can no longer be relied upon. Instead, it emphasizes protective tactics that involve continuous security monitoring, network segmentation, and restricted user access. By shifting the focus from merely trying to prevent breaches to ensuring systems can effectively detect, contain, and recover from intrusions, the zero trust paradigm aims to create resilient operational environments.

Kate DiEmidio, vice president of public policy and government affairs for Dragos, an OT cybersecurity vendor, elaborated on this approach, stating, “Resilience is about designing systems that can withstand and quickly recover from disruptions.” However, Bolton reiterated that these robust security measures come with considerable costs, especially for organizations already operating below what she described as the “cyber poverty line.” Without substantial federal support aimed at equipping these organizations with the necessary resources to implement zero trust, the guidelines risk becoming nothing more than aspirational documents, she warned.

In a recent statement, CISA representatives, including Chris Butera, acting executive assistant director for cybersecurity, emphasized that the guidance serves as a critical resource for OT owners and operators. They encouraged these stakeholders to utilize the framework to diminish exposure and enhance resilience. Sean Tufts, the field CTO of Claroty, added that while the document accurately defines existing challenges and outlines logical steps toward addressing them, the complexity of coordinating and prioritizing these adjustments remains formidable. Given the extended lifecycles of equipment in the OT sector, meaningful change may take years or even decades.

Moreover, Chris Grove, director of cybersecurity strategy at Nozomi Networks, raised additional concerns about implementing continuous authentication principles within OT environments, highlighting challenges related to emergency protocols. For instance, he pointed out that requiring a login process for emergency stop functions on production lines could be impractical and potentially hazardous. Instead, he suggested that alternative security mechanisms, like physical keys or access controls, may be more suitable for such high-stakes scenarios. Yet, he reaffirmed that zero trust remains a valid strategy that could substantially aid in overcoming existing resistance to more robust cybersecurity measures in the OT sector.

Patrick Miller, CEO of Ampyx Cyber, underscored a critical perspective within the guidance: the intertwining of procurement and security controls. For Miller, every procurement decision is inherently a security decision, marking a significant cultural shift in how organizations view investments in technology. He argued that recognizing procurement as a pivotal security mechanism is vital for long-term success in any cybersecurity strategy.

Alison King, vice president of government affairs at Forescout, highlighted the overarching imperative to adopt more dynamic security solutions in light of rapidly evolving threat environments. She noted that the guidance’s focus on continuous monitoring and enforcement is particularly crucial for mitigating severe risks posed by advanced exploits, which can evolve rapidly due to modern AI capabilities. King urged the OT sector to embrace automation in security measures, stressing that the pace of modern threats far exceeds the capabilities of human operators.

In contrast, Dale Peterson, CEO of Digital Bond, characterized the guidance as underwhelming and lacking specificity, arguing that the document does not provide substantial new insights for engaged stakeholders. He described it as overly broad and argued that the content fails to contribute meaningfully to the ongoing discussions about security in operational technology.
