
Paul Campaniello, August 14, 2025, 3 minute read

Zero Trust for Operational Technology: A Practical Path Forward

As digital transformation accelerates across critical infrastructure sectors, the attack surface for operational technology (OT) environments continues to expand. What were once isolated, purpose-built systems now connect with IT networks, cloud services, and remote users—introducing a new layer of cybersecurity risk. This convergence demands a rethinking of traditional security approaches. In the latest ZTNA Table Talk, “A Zero Trust Blueprint for Operational Technology System Security,” leaders from Appgate and Numberline Security offered a pragmatic, actionable path forward. Instead of relying on legacy defenses or theory-heavy frameworks, they outlined how to apply Zero Trust principles in real OT environments—where uptime, safety, and business continuity are non-negotiable.

Operational technology systems—whether SCADA platforms, PLCs, badge readers, or HVAC controllers—were not designed with modern cybersecurity in mind. Their longevity, protocol diversity, and sensitivity to disruption make securing them uniquely challenging. At the same time, threats are escalating. From ransomware shutting down pipeline infrastructure to unauthorized remote access attempts at water treatment plants, OT is no longer a peripheral concern—it’s a prime target. Traditional approaches like VPNs and static perimeter defenses fall short. They over-provision access, lack granular control, and introduce persistent tunnels that attackers can exploit. Zero Trust, when properly adapted, provides a much-needed alternative.

A Blueprint Designed for OT Realities

Jason Garbis, founder and CEO of Numberline Security, introduced a four-phase Zero Trust blueprint tailored for OT environments. Unlike abstract models, this framework is designed for rapid progress—often in weeks, not months—and focuses on enabling secure operations without disruption.

1. Assessment: Organizations evaluate their readiness across both technical and cultural dimensions. This includes assessing Zero Trust maturity based on models like CISA’s and identifying OT-specific constraints and business drivers.
2. Strategy: This phase defines a 12–18-month vision for Zero Trust adoption. It also formalizes the program structure, identifying executive sponsors, stakeholders, and how Zero Trust will be operationalized across OT and IT teams.
3. Roadmap: A dual-track roadmap is developed: one for implementing specific access policies based on critical assets, workflows, and systems; and a parallel track for deploying or optimizing the technical capabilities required to support those policies (e.g., identity providers, micro-segmentation, protocol-aware controls).
4. Execution: Execution involves phased rollouts, policy enforcement, and—critically—establishing meaningful metrics. These can range from reductions in help desk tickets to decreases in over-provisioned access or compliance reporting burdens.

Modernizing OT Security Without Disruption

Appgate VP of Product Marketing Corey O’Connor and Sales Engineer Richard Miller emphasized that not all Zero Trust architectures are built for the demands of OT. Security solutions must meet a distinct set of criteria, including:

- Identity and access flexibility: supporting legacy systems and non-federated environments.
- Localized enforcement: avoiding risky cloud dependencies and maintaining resilience during internet outages.
- Protocol and topology awareness: support for industrial protocols like BACnet or Modbus.
- High availability and minimal latency: ensuring updates and policy changes don’t interrupt operations.
- Context-aware access control: dynamically scoped and time-bound access.
- Monitor-before-enforce capabilities: allowing simulation of policies before activation to avoid disruption.


Many OT networks have grown organically over decades—filled with vendor-specific systems, unmonitored access paths, and legacy infrastructure. As Miller pointed out, this has created fragmented environments with significant overexposure. Every unmonitored device or third-party connection represents a potential attack vector. Appgate ZTNA addresses this by cloaking all systems from unauthorized users, enforcing identity-based access, and creating encrypted micro-segments between only those devices and users that need to communicate. This approach dramatically reduces the attack surface and eliminates the broad, implicit trust that characterizes many legacy architectures.
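To make the criteria above concrete (identity-based, protocol-aware, time-bound access with a monitor-before-enforce phase and default deny for everything else), here is a small policy engine written as an added example; it is not Appgate ZTNA or Numberline code, and the roles, asset names, maintenance window and use of well-known ports to identify Modbus and BACnet are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, time

MODBUS_TCP, BACNET_IP = 502, 47808  # well-known ports of the two protocols
Request = namedtuple("Request", "user role dst port when")  # identity, role, asset, protocol, time

@dataclass
class Policy:
    roles: set            # identities (by role) this policy covers
    dst: str              # the single OT asset it grants access to
    port: int             # the industrial protocol, identified by port
    window: tuple = None  # optional (start, end) time-of-day bound

@dataclass
class Engine:
    policies: list
    enforce: bool = False  # monitor mode until explicitly switched on
    findings: list = field(default_factory=list)

    def matches(self, p, r):
        if r.role not in p.roles or r.dst != p.dst or r.port != p.port:
            return False
        return p.window is None or p.window[0] <= r.when.time() <= p.window[1]

    def decide(self, r):
        """Default deny: an unmatched request is blocked in enforce mode and
        only recorded as 'would-deny' while monitoring."""
        if any(self.matches(p, r) for p in self.policies):
            return "allow"
        verdict = "deny" if self.enforce else "would-deny"
        self.findings.append((verdict, r.user, r.dst, r.port))
        return verdict

# Constructed policies: vendor technicians reach PLC-7 over Modbus only in a
# 02:00-04:00 maintenance window; facilities staff reach the HVAC controller
# over BACnet at any time. Everything else stays cloaked, i.e. denied.
POLICIES = [
    Policy({"vendor-tech"}, "plc-7", MODBUS_TCP, (time(2), time(4))),
    Policy({"facilities"}, "hvac-ctl-1", BACNET_IP),
]
# Constructed access events, as a monitoring phase would collect them.
EVENTS = [
    Request("alice", "vendor-tech", "plc-7", MODBUS_TCP, datetime(2025, 8, 14, 3, 15)),
    Request("alice", "vendor-tech", "plc-7", MODBUS_TCP, datetime(2025, 8, 14, 9, 0)),
    Request("bob", "facilities", "hvac-ctl-1", BACNET_IP, datetime(2025, 8, 14, 9, 0)),
    Request("bob", "facilities", "plc-7", MODBUS_TCP, datetime(2025, 8, 14, 3, 0)),
]
def run(enforce):
    eng = Engine(POLICIES, enforce=enforce)  # returns (verdict per event, findings)
    return [eng.decide(r) for r in EVENTS], eng.findings
```

Running `run(False)` first lets an operator review the `would-deny` findings (the out-of-window Modbus session and the facilities user reaching a PLC) before flipping to `run(True)`, which is the point of the monitor-before-enforce step.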


While technology enables Zero Trust, culture often determines its success. As Garbis emphasized, many organizations still treat security as the “department of no.” Changing this mindset requires security teams to collaborate more closely with OT stakeholders, understand their operational goals, and focus on enabling safe workflows—not blocking them. Zero Trust must be positioned as a business enabler. When security helps reduce complexity, improve auditability, and allow for secure innovation—resistance gives way to adoption.


There is no longer a question of if Zero Trust applies to OT. It does—and it must. But it cannot be approached as an IT hand-me-down. OT systems have distinct requirements that demand tailored architecture, flexible policy enforcement, and organizational buy-in. Appgate ZTNA and Numberline’s Zero Trust Blueprint offer a practical, tested methodology to bridge that gap. It provides the structure, tools, and mindset shift required to modernize security without compromising operations.


To explore this framework in greater detail, download the full white paper: A Zero Trust Blueprint for Operational Technology System Security.
