CISA's New Zero Trust Guidance for OT: Modernizing the 'Air Gap' and Designing for DDIL with AppGate ZTNA

Critical infrastructure teams know their OT networks can't stay sealed off forever—but every new connection into those systems raises the stakes. This piece looks at what CISA's latest guidance really means for securing OT connectivity and how a Zero Trust Network Access (ZTNA) approach from AppGate can enforce strict, identity-based entry points without disrupting critical operations. By the end, you'll see how AppGate ZTNA can help you keep high-value OT assets hidden from adversaries while still giving operators and partners the precise access and visibility they need to keep critical services running.

For years, operators of critical infrastructure have relied on air-gapped operational technology (OT) networks to keep adversaries away from the systems that run power, water, transportation and manufacturing. CISA's new guide on accelerating Zero Trust adoption in OT environments acknowledges that this reality has changed: connectivity is now unavoidable, and network security must assume that paths into OT exist and design around that fact.

The guide emphasizes network segmentation, secure remote connectivity and identity-centric access as the foundation for protecting OT in environments with legacy systems, converged IT/OT and increasingly aggressive threat actors. CISA notes that "network segmentation remains one of the most foundational and effective security controls in OT environments, often serving as the primary line of defense." AppGate ZTNA is built for exactly this scenario, giving critical-infrastructure teams a way to preserve the spirit of the air gap without forcing risky changes on the operational constraints of OT.

The 'Air Gap' Was Never Just a Diagram

CISA's OT-focused guidance reinforces that separation between IT and OT remains essential, but it also details how remote vendor access, cloud-connected interfaces and corporate integrations have eroded the purity of the traditional air gap. The guide warns that "air gaps can be bridged, VLANs can be misconfigured, and overly permissive access rules can undermine intended isolation. Well-segmented environments remain vulnerable without continuous validation, strong access control policies, and proper network monitoring."

It flags insecure OT connectivity as a major risk—specifically noting that "improperly secured pathways create opportunities for threat actors to gain access to IT and OT networks"—and calls for secure connectivity designs that combine segmentation with strong identity, access control and monitoring.

The OT Zero Trust roadmap goes further, stating that "organizations should treat segmentation as a dynamic, enforceable security policy instead of a one-time architectural decision" and that organizations must adopt an "assume breach" mindset, layering identity-aware access and continuous evaluation on top of network boundaries. CISA notes that "ZT principles assume a breach has already occurred and are designed to limit threat-actor movement and potential damage." In practice, preserving the air gap now means ensuring that any necessary route into OT is tightly scoped, identity-gated and continuously verified—not pretending those routes don't exist.

How AppGate ZTNA Modernizes the OT Air Gap

AppGate ZTNA implements this modern air-gap model by combining identity-centric enforcement at Layer 3 with infrastructure cloaking and a direct-routed architecture. Instead of exposing OT networks to flat VPN access or cloud-brokered ZTNA, AppGate ZTNA:

  • Enables infrastructure cloaking via Single Packet Authorization (SPA): the gateway in front of an OT zone silently drops every packet that is not preceded by a valid, cryptographically authenticated SPA request, so the assets behind it do not answer scans and only become reachable after a user's identity and device posture are verified. This delivers the continuous validation and strong access controls CISA calls for.
  • Applies segment-of-one access so each user session is individually encrypted and isolated, granting reach only to specific OT assets required for their role rather than broad subnet access. CISA emphasizes that "microsegmentation adds another layer of defense, encompassing specific assets, protocols, and users by enabling more granular trust boundaries while preserving operational integrity."
  • Establishes direct-routed, point-to-point connections between the user and the authorized OT resource, without routing traffic through a vendor-controlled cloud broker, which reduces latency and third-party infrastructure risk while preserving control over access paths.
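To make the cloaking step concrete, here is an added illustration of the SPA pattern described above. It is example code written for this page, not AppGate's implementation or wire format. The packet layout (8-byte client id, 64-bit timestamp, 16-byte nonce, HMAC-SHA256 tag), the shared per-client key, the 60-second freshness window, the 30-second pinhole lifetime and the dictionary standing in for a firewall rule table are all assumptions. The property that matters is visible in the code: the gateway never sends anything back, and a source address is allowed through only after a fresh, unreplayed, correctly authenticated packet arrives.

```python
"""Illustrative Single Packet Authorization (SPA) gate (added example, not AppGate code).
Assumptions: shared HMAC key per client id, 60 s freshness window, 30 s pinhole lifetime."""
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

WINDOW_S = 60       # assumed: how far a packet's timestamp may drift from gateway time
OPEN_FOR_S = 30     # assumed: how long the source-IP pinhole stays open after a valid SPA
PKT_FMT = "!8sQ16s" # client id (<= 8 bytes), unix time, random nonce
BODY_LEN = struct.calcsize(PKT_FMT)   # 32 bytes
TAG_LEN = 32                          # HMAC-SHA256


def build_spa(client_id: bytes, key: bytes, now: float, nonce: Optional[bytes] = None) -> bytes:
    """Client side: body || HMAC-SHA256(key, body). The nonce makes each packet single-use."""
    nonce = nonce or os.urandom(16)
    body = struct.pack(PKT_FMT, client_id, int(now), nonce)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaGateway:
    """Default-deny gate: nothing passes until a valid SPA packet opens a short-lived pinhole."""

    def __init__(self, keys: Dict[bytes, bytes]):
        self.keys = keys        # client_id -> HMAC key (assumed out-of-band provisioning)
        self.seen = {}          # nonce -> time until which a replay must still be rejected
        self.pinholes = {}      # src_ip -> expiry of the allow rule

    def handle_packet(self, src_ip: str, packet: bytes, now: float) -> Optional[str]:
        """Return a drop reason (for the gateway's own log only) or None when the pinhole opened.
        No reply is ever generated, so a scanner cannot tell this gateway from a dark host."""
        if len(packet) != BODY_LEN + TAG_LEN:
            return "bad-length"
        body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
        raw_id, ts, nonce = struct.unpack(PKT_FMT, body)
        key = self.keys.get(raw_id.rstrip(b"\0"))
        if key is None:
            return "unknown-client"
        # Authenticate before looking at anything else; compare in constant time.
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return "bad-mac"
        if abs(now - ts) > WINDOW_S:
            return "stale"
        self._expire(now)
        if nonce in self.seen:
            return "replay"
        # Remember the nonce for as long as the packet itself would remain fresh.
        self.seen[nonce] = ts + WINDOW_S
        self.pinholes[src_ip] = now + OPEN_FOR_S
        return None

    def is_allowed(self, src_ip: str, now: float) -> bool:
        """Data-plane check a firewall would make for every non-SPA packet."""
        self._expire(now)
        return src_ip in self.pinholes

    def _expire(self, now: float) -> None:
        self.seen = {n: e for n, e in self.seen.items() if e >= now}
        self.pinholes = {ip: e for ip, e in self.pinholes.items() if e > now}


if __name__ == "__main__":
    key = os.urandom(32)
    gw = SpaGateway({b"vendor1": key})
    t = time.time()
    print("before SPA, allowed:", gw.is_allowed("10.0.0.5", t))
    pkt = build_spa(b"vendor1", key, t)
    print("SPA result:", gw.handle_packet("10.0.0.5", pkt, t))
    print("after SPA, allowed:", gw.is_allowed("10.0.0.5", t + 1))
    print("replayed from another host:", gw.handle_packet("10.0.0.6", pkt, t + 2))
```

A production gateway would bind the pinhole to the authenticated identity and the requested destination rather than to the source IP alone, and would carry the device-posture claims the text mentions inside the authenticated body; the example keeps only the replay and freshness checks so the default-deny behaviour stays visible.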

Because enforcement happens at the network layer and is identity-driven, security teams can deploy AppGate ZTNA in front of existing OT zones and conduits without re-architecting control networks. OT assets stay hidden by default, and connectivity is created and torn down dynamically under policy, which lines up with CISA's call for robust segmentation plus strong identity-centric access controls.

Designing for DDIL: Why Resilience Matters for Critical Infrastructure

Modernizing the air gap addresses how to secure OT connectivity, but CISA's guidance also emphasizes a second critical dimension: resilience under stress. The guide states that "CI owners and operators must fortify their systems to allow vital services in the United States to sustain essential operations during a geopolitical conflict. Investing in isolation and recovery capabilities today is essential to maintaining service delivery during a future crisis, when an adversary may disrupt communications and manipulate control systems."

This language maps directly to what the federal government and the DoW have long called DDIL—disconnected, degraded, intermittent and limited-bandwidth conditions. For critical infrastructure operators, these conditions are no longer theoretical:

  • Remote substations, treatment plants or compressor stations that depend on unreliable links back to central monitoring
  • Incident-response scenarios where IT-to-OT connectivity must be reduced or severed to contain a threat while keeping local operations safe
  • Sites where bandwidth and power constraints make heavyweight, cloud-dependent security controls impractical

CISA acknowledges these operational realities throughout the guidance, noting that OT systems "are engineered for high availability, reliability, and safety, making them less tolerant of disruptions or reconfiguration" and that "near-constant availability requirements limit opportunities for routine patching, security testing, system upgrades, and maintenance." The guide dedicates an entire section to "Business Continuity and Cyber Resilience in Industrial Systems," reinforcing that Zero Trust for OT must support operations even when connectivity is compromised.

Why Federal DDIL Success Matters for Critical Infrastructure

AppGate didn't just design for DDIL conditions in theory—we've been proving it works in the most demanding environments for years. AppGate ZTNA is trusted by the DoW, US Cyber Command, the Army, the Air Force and defense contractors to securely connect thousands of users across global, distributed networks where DDIL conditions are the norm, not the exception. AppGate ZTNA is the most widely deployed Zero Trust Network Access solution in the DoW, supporting mission-critical operations with continuous, context-aware access controls that maintain security without compromising network performance or user experience.

That track record isn't just a credential—it's proof that the architecture works when connectivity fails and operations can't stop. And it translates directly to critical infrastructure. Through its Federal Division, AppGate has demonstrated how identity-centric, policy-driven access can support operations in the most demanding distributed environments.

AppGate ZTNA's DDIL-ready design delivers:

  • Local, distributed enforcement: Access decisions are enforced at each AppGate gateway, not in a single central broker, so OT sites can continue to apply policy even if connectivity to a central control plane is degraded. This distributed model removes the central broker as a single point of failure and improves resilience across regionally distributed OT environments.
  • Efficient use of limited links: The direct-routed model avoids backhauling OT traffic through vendor clouds, minimizing bandwidth consumption and latency across already constrained links—critical for remote sites with intermittent or low-bandwidth connectivity.
  • Graceful isolation during incidents: Because AppGate ZTNA creates per-resource, per-session tunnels, security teams can precisely cut or constrain individual OT access paths during an incident without taking down entire networks. That supports the kind of controlled isolation and staged recovery CISA recommends for OT environments facing cyber events.
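The three properties in this list, and the segment-of-one access described earlier, come down to what a site gateway keeps locally and how narrowly each entry is scoped. The following is an added model of that enforcement table, written for this page; it is not AppGate's implementation. It assumes that the central controller hands each gateway a grant naming one session, one identity, one OT asset (a host or CIDR plus port) and an expiry, that the gateway decides every packet from its own cache without consulting the controller, and that when the controller link is down existing grants keep working while new ones cannot be learned. That last behaviour is the practical caveat of distributed enforcement: a degraded link preserves sessions already authorized, not the ability to authorize new ones. Revocation works per session and per asset, which is the "cut one path, leave the rest running" isolation the incident bullet describes.

```python
"""Illustrative per-session, per-resource enforcement table for a site gateway
(added example, not AppGate code). Asset names, addresses and ports are assumed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional


@dataclass(frozen=True)
class Entitlement:
    """One grant from the controller: this session may reach this one asset on this port."""
    session_id: str
    user: str
    asset: str      # assumed asset label, e.g. "plc-07"
    network: str    # assumed host or CIDR the asset answers on
    port: int
    expires: float  # unix time; grants are short-lived and re-issued, never open-ended


@dataclass
class SiteGateway:
    grants: Dict[str, Dict[str, Entitlement]] = field(default_factory=dict)  # session -> asset -> grant
    controller_up: bool = True

    def learn(self, ent: Entitlement, now: float) -> bool:
        """Cache a grant pushed by the controller. Refused when the controller link is down
        or the grant is already expired: existing sessions survive an outage, new ones wait."""
        if not self.controller_up or ent.expires <= now:
            return False
        self.grants.setdefault(ent.session_id, {})[ent.asset] = ent
        return True

    def decide(self, session_id: str, dst_ip: str, port: int, now: float) -> bool:
        """Local data-plane decision: allowed only if this session holds an unexpired grant
        for exactly this destination and port. Same subnet or same host on another port is denied."""
        dst = ip_address(dst_ip)
        for ent in self.grants.get(session_id, {}).values():
            if ent.expires <= now:
                continue
            if dst in ip_network(ent.network, strict=False) and port == ent.port:
                return True
        return False

    def revoke(self, session_id: str, asset: Optional[str] = None) -> int:
        """Incident isolation: remove one session's path to one asset, or all of its paths.
        Other sessions, including other users of the same asset, are untouched.
        Returns the number of grants removed."""
        sess = self.grants.get(session_id)
        if not sess:
            return 0
        if asset is None:
            removed = len(sess)
            del self.grants[session_id]
            return removed
        return 1 if sess.pop(asset, None) is not None else 0


if __name__ == "__main__":
    gw = SiteGateway()
    t = 1_700_000_000.0
    gw.learn(Entitlement("s1", "operator-alice", "plc-07", "10.20.7.7/32", 502, t + 3600), t)
    gw.learn(Entitlement("s2", "vendor-bob", "plc-07", "10.20.7.7/32", 502, t + 600), t)
    print("alice -> plc-07 Modbus:", gw.decide("s1", "10.20.7.7", 502, t + 1))
    print("alice -> neighbour host:", gw.decide("s1", "10.20.7.8", 502, t + 1))
    gw.controller_up = False
    print("bob during controller outage:", gw.decide("s2", "10.20.7.7", 502, t + 10))
    print("bob cut off, grants removed:", gw.revoke("s2", "plc-07"))
    print("alice still working:", gw.decide("s1", "10.20.7.7", 502, t + 11))
```

Because the cache is keyed by session rather than by subnet, a compromised vendor session can be closed during an incident without touching the operator sessions on the same PLC, and because the expiry is carried in the grant itself, a site that loses its control-plane link degrades to "no new sessions" rather than "no enforcement".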

The same principles that keep federal operations secure and running in contested, bandwidth-limited environments also apply to civilian critical infrastructure. With CISA explicitly calling for isolation and recovery capabilities that sustain operations during crisis, AppGate's Federal Division experience becomes a blueprint—and a proven solution—for critical infrastructure operators.

Why This Matters Now

CISA's latest OT guidance reflects a dual reality: attackers are targeting critical infrastructure with increasing sophistication, and at the same time, digital transformation and remote operations mean OT can no longer remain physically isolated. Security strategies that lean on an idealized air gap or perimeter-only defenses are out of step with how these systems actually work.

By using CISA's recommendations as a blueprint, critical-infrastructure operators can preserve a modern, logical air gap, maintain resilience under stress, and meet the realities of converged IT/OT environments without sacrificing the access modern operations require. AppGate ZTNA supports this model with direct-routed connectivity, infrastructure cloaking, distributed enforcement and DDIL-ready architecture.

Learn how AppGate ZTNA aligns with CISA's OT Zero Trust guidance.